Tata Power logo close-up on website showing ransomware group leaks stolen data

Hive Ransomware Group Leaks Stolen Data After Attacking a Major India Power Company

Hive ransomware group claimed responsibility for the Tata Power cyber attack and began leaking the stolen data.

Tata Power acknowledged the cyber attack on October 14 in a stock exchange filing, claiming that it had retrieved and restored all systems.

“The Company has taken steps to retrieve and restore the systems. All critical operational systems are functioning; however, as a measure of abundant precaution, restricted access and preventive checks have been put in place for employee and customer-facing portals and touch points,” Tata Power said in the regulatory filing.

However, the Hive ransomware gang claimed it encrypted Tata Power on October 3, 2022, nearly two weeks before the company filed the data breach notification. If so, Tata Power risks fines for breaching the Indian Computer Emergency Response Team (CERT-In) regulations that require notification within six hours of discovery.

The Mumbai-based company is part of the Tata Group conglomerate serving 12 million customers and is the largest integrated power company in the country.

Hive ransomware group begins leaking stolen data

Hive ransomware gang listed the Indian electric generating company on its data leak site, suggesting that ransom negotiations had conclusively failed.

The ransomware group also began leaking stolen data, including sensitive personal information such as national identity card (Aadhar) numbers, tax IDs (PAN), phone numbers, home addresses, and salary information. The stolen data also included private keys, banking and financial records, client contracts, and engineering drawings.

According to cybersecurity researcher Rakesh Krishnan, the ransomware gang leaked at least 20 banking records.

Edward Liebig, Global Director of Cyber-Ecosystem at Hexagon Asset Lifecycle Intelligence, warned that paying the ransom does not guarantee the recovery of the stolen data.

“Let’s face it, even if negotiations are successful, there is still only a 50%/50% chance of recovery of the encrypted assets. The decision to pay or not to pay is a business call.”

However, he acknowledged some exceptions that could force a company to pay a ransom, hoping to recover the stolen data.

“If the organization is in a very vulnerable position (recovery of assets is not possible), if there is a chance for extremely damaging information to be compromised, or if the potential business impact far outweighs the ransom payment, then the business may decide to pay.”

Triple extortion ransomware group with an aggressive affiliate program

Hive ransomware has one of the most aggressive affiliate ransomware-as-a-service (RaaS) programs in the cybercrime world.

The “triple extortion” ransomware group demands ransom from organizations after encrypting data, leaks the stolen data, and directly extorts individuals impacted by ransomware attacks.

Although its attacks are financially motivated, the ransomware group cooperates with politically-motivated hacking groups such as Conti ransomware. Hive’s top targets include companies in the energy, healthcare, media, and education sectors. Recent Hive ransomware gang victims include Costa Rica’s public health service and the Social Security Fund (CCSS). The ransomware group also claimed responsibility for the attack on New York Racing Association (NYRA), emergency services provider Empress EMS, and Bell’s Canadian subsidiary Bell Technical Solutions. Similarly, Hive ransomware was responsible for the 2021 cyber attack on Europe’s largest consumer electronics retailer Media Markt.

According to threat intelligence firm Group-IB, Hive ransomware operators had attacked 355 companies by October 16, 2021, a 72% increase from September 2021, with 43 victims likely paying ransom in one month.

Similarly, Digital Shadows ranked the Hive RaaS gang as the third-most prevalent ransomware group in Q3 2022, behind LockBit and Black Basta ransomware gangs but ahead of BlackCat, Vice Society, and AvosLocker.

Hive’s attack vectors include unsecured and vulnerable RDP servers, stolen VPN credentials, and phishing emails with infected attachments.

In August 2021, the FBI published a flash alert on Hive ransomware detailing the gang’s indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs).

“Increasing the chances of defending against ransomware begins with watching the front and back doors,” Liebig said.

He recommended educating employees on phishing, maintaining visibility into your organization’s assets and endpoints, mitigating vulnerabilities, threat hunting, monitoring connections, and maintaining regular offsite backups.

“The best way to defend against ransomware is to never let it take root in your systems. The next best way is to have a bullet proof, trusted recovery strategy to minimize downtime and eliminate the “ransom” debate.”