Ransomware is one of the biggest security issues facing organizations today. From $40m pay-outs to posing a growing threat to national infrastructure, attacks continue to capture headlines involving big names and big money.
Such is the scale of opportunities for malicious actors that the threat landscape has evolved to cater to growing demand, with more and more criminals seeking a large and lucrative piece of the ransomware pie.
Enter ransomware-as-a-service (RaaS). As a subscription-based business model that can be bought on the dark web, it enables low-skilled cyber-criminals to leverage sophisticated, ready-made ransomware tools to execute attacks quickly and affordably.
Between the average ransomware pay-out reaching $541,010 in 2021 and some affiliates earning up to 80% of each ransom payment, it’s no surprise that almost two-thirds of ransomware campaigns are said to be facilitated by RaaS setups. Indeed, service providers are offering a head start for threat actors in their criminal careers, with Hive a prime example of this.
Hive is a relatively new RaaS group first observed in June 2021. However, its aggressive tactics and regular variant upgrades have made it a formidable adversary in the space.
While its inaugural year saw other ransomware operators, such as REvil, dominating headlines, Hive ramped up its notoriety in November 2021 by attacking Media Markt – Europe’s largest consumer electronics retailer. The attack captured the attention of the RaaS market, and the platform’s victim count quickly spiralled into the hundreds, most of them IT and real estate firms in the US.
How Hive Has Deployed a “Sales Department”
To better understand this new and formidable RaaS outfit, the Menlo Labs research team analyzed communications between the Hive ransomware gang and some of its victims.
Hive ransomware uses several different attack vectors, including compromised VPN credentials, vulnerable RDP servers and phishing emails carrying a Cobalt Strike payload. The operation analyzed was particularly aggressive, with attackers using the Hive platform placing intense pressure on their targets.
Reviewing some of the network activity, the Labs team found that Hive assigns each compromised victim a unique identifier before encrypting their data, typically during unsociable hours. Once this has been achieved, information about the target is published on Hive’s data leak sites (DLS) hosted on the dark web.
The victim is then sent an automatically generated ransom note that contains a link to the website, login credentials, and a call to action advising them to contact Hive’s “sales department.”
When the victim does log in, a live chat between the victim and a Hive admin is launched, where the ransom is then demanded – typically in the form of Bitcoin – in exchange for a decryptor, a security report, a file tree that highlights exactly what information was stolen, and logs proving Hive has erased that data.
At the time the communications were analyzed by the Menlo Labs team, Hive had been using malware written by its developers in Golang, with the gathered samples obfuscated to hinder detection and analysis.
Since this observation, however, Microsoft has revealed that Hive has created a new variant in a different programming language, switching from Golang to Rust. The switch is believed to give Hive several advantages Rust offers over other programming languages, including string encryption, a technique that makes the malware more evasive.
Interestingly, the new variant also uses a different cryptography mechanism. While the Golang variant embeds an encrypted key in each file it encrypts, the Rust variant has been shown to generate two sets of keys in memory, use them to encrypt the files, and then write both key sets to the root of the drive it encrypts, each with a .key extension. While the new variant’s key-set generation differs from the samples previously analyzed by the Menlo Labs team, its actual file encryption is very similar.
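The on-disk behaviour described above (key material dropped as .key files at the drive root next to freshly encrypted files) is something a responder can check for. The script below is an added example, not Menlo Labs' or Microsoft's tooling; it builds a constructed sample tree with hypothetical file names and flags a root that holds two or more .key files alongside high-entropy (encrypted-looking) files. Treat it as a triage heuristic, not a signature: legitimate .key files and compressed media can also trip it.

```python
"""Triage heuristic for the Rust Hive artifact pattern: *.key files at a
drive root plus files whose contents look encrypted (high Shannon entropy)."""
import math
import os
import random
import tempfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; uniformly random data approaches 8.0, text sits near 3-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_root(root: str, threshold: float = 7.5, sample_bytes: int = 4096) -> dict:
    """Return .key files found directly at `root`, high-entropy files beneath it,
    and a combined verdict (two or more .key files AND encrypted-looking data)."""
    key_files = sorted(
        f for f in os.listdir(root)
        if f.lower().endswith(".key") and os.path.isfile(os.path.join(root, f))
    )
    high_entropy = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".key"):
                continue  # the key blobs themselves are random; do not double count
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)  # a leading sample is enough to judge
            if len(head) >= 256 and shannon_entropy(head) >= threshold:
                high_entropy.append(os.path.relpath(path, root))
    return {"key_files": key_files, "high_entropy_files": sorted(high_entropy),
            "suspicious": len(key_files) >= 2 and bool(high_entropy)}


def build_sample_tree() -> str:
    """Constructed fake drive root: two hypothetical .key files, one file whose
    bytes stand in for an encrypted document, and one ordinary text file."""
    rng = random.Random(1234)  # seeded so the demo is reproducible
    root = tempfile.mkdtemp(prefix="hive_demo_")
    for name in ("alpha.key", "beta.key"):  # hypothetical names, not real IoCs
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(rng.randbytes(64))
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    with open(os.path.join(docs, "report.docx"), "wb") as fh:
        fh.write(rng.randbytes(4096))  # pseudo-random bytes mimic ciphertext
    with open(os.path.join(docs, "notes.txt"), "w") as fh:
        fh.write("plain text " * 200)
    return root


if __name__ == "__main__":
    print(scan_root(build_sample_tree()))
```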
With these updates, the threat posed by Hive is expected to continue expanding. Therefore, organizations must prepare themselves to combat RaaS and ransomware more broadly moving forward.