
Hive Ransomware Racks up $100 Million in Ransom Payments, Over 1,300 Companies Victimized

Hive ransomware, one of the biggest ransomware-as-a-service (RaaS) strains circulating since 2021, has at this point brought in $100 million in ransom payments according to a new alert released by the Cybersecurity and Infrastructure Security Agency (CISA). The total victim count is at least 1,300 organizations, and the group is notorious for spitefully dumping other types of ransomware on target systems when they refuse to make payment.

Hive ransomware among biggest cyber threats, group remains highly active

The Hive ransomware alert is a joint release from CISA, the Federal Bureau of Investigation (FBI) and the Department of Health and Human Services (HHS), part of the ongoing “#StopRansomware” series that highlights the biggest threats in the space.

Hive is an RaaS provider that began operations in June 2021, and has grown to absorb much of the business left behind as the biggest players in the market (such as REvil and Conti) have gradually broken up due to increased law enforcement attention. The group is known to use “double extortion” release of stolen information to encourage ransom payments, but is also known to return to compromised victims that refuse to pay and install different forms of ransomware once they have begun remediation.

The group ranges broadly across the world, and strikes an equally broad variety of industries. It is believed to be based in Russia, and prefers leveraging known Microsoft Exchange vulnerabilities that have not been patched on target systems. Most of the group’s biggest strikes to date have been on European companies, but it also hit US-based Partnership HealthPlan and Memorial Healthcare System in March and followed up on the Conti attacks on the Costa Rican government in May by hitting some 800 of that country’s servers.

Palo Alto Networks recently ranked Hive ransomware as the third most active group in the world, and the group is now responsible for multiple attacks per day. The FBI’s information backs up this assessment, and notes that the group has shown an increasing interest in healthcare and public health organizations as a source of ransom payments.

Hive ransom payments approaching annual record amounts

REvil was bragging about bringing in $100 million annually in ransom payments shortly before the group was broken up; the Hive ransomware is rapidly approaching that total, reaching it in about a year and a half.

An important note in the alert is that Hive ransomware has numerous affiliates that each use their own techniques, and while exploiting known vulnerabilities is popular they are also quite fond of phishing via email and other common malware distribution approaches. The Microsoft Threat Intelligence Center (MSTIC) also issued a warning this year that new versions of Hive ransomware have been spotted, indicating that the group makes regular tweaks to it and improvements to its encryption methods.

The FBI is encouraging victims of Hive ransomware to report the attack to their local FBI field office, whether or not ransom payments were made. In addition to providing at least some possibility of recovering some funds, the reports are used to inform future alerts that document the group’s techniques and provide defense and mitigation strategy.

In terms of present known tactics, the Hive ransomware affiliates show a preference for seeking out remote authentication protocols that have not been secured with MFA, such as the virtual private networks commonly used by remote workers. Some affiliates also send phishing emails with attached malware that targets known Microsoft Exchange vulnerabilities. The ransomware deploys on Windows, Linux, VMware ESXi, and FreeBSD systems and disables logs and antimalware systems. Once it is deployed, the attackers direct victims to a Tor live chat site where ransom payments are arranged. Demand amounts have varied heavily by target, from several thousand to hundreds of millions of dollars.

The recommended mitigation strategies thus far are fairly standard, but the FBI does suggest focusing on patching VPN servers and remote access software, as well as potentially running a vulnerability scan to identify any known exploitable holes the group may target. Other suggestions include enabling PowerShell Logging (including module logging, script block logging and transcription), installing an enhanced monitoring tool such as Sysmon from Microsoft for increased logging, and ensuring that offline backups of data are being made (and scanned with antimalware software). The report also suggests adding an email banner to be applied to anything that comes in from outside the organization, and disabling command-line and scripting activities and permissions to limit an invader’s ability to move laterally and escalate privileges once they’ve compromised an employee account.
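As an added example (not code from the article or the joint alert), this is how the three PowerShell logging categories the report names can be switched on with the registry values the corresponding Group Policy settings write, then read back to confirm they took; the transcript output directory is an assumption and should point at a forwarded or write-protected location in practice.

```powershell
# Added example: enable PowerShell module logging, script block logging and
# transcription as the alert recommends, then verify. Run from an elevated
# prompt on the host being hardened. New values apply to new PowerShell sessions.

$PolicyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$TranscriptDir = 'C:\PSTranscripts'   # assumed location, adjust for your environment

function Set-PolicyValue {
    param([string]$SubKey, [string]$Name, $Value, [string]$Type = 'DWord')
    $path = Join-Path $PolicyRoot $SubKey
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Module logging: record pipeline execution details for every module ("*").
Set-PolicyValue -SubKey 'ModuleLogging' -Name 'EnableModuleLogging' -Value 1
Set-PolicyValue -SubKey 'ModuleLogging\ModuleNames' -Name '*' -Value '*' -Type 'String'

# Script block logging: log the de-obfuscated text of each script block as it is
# compiled (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log).
Set-PolicyValue -SubKey 'ScriptBlockLogging' -Name 'EnableScriptBlockLogging' -Value 1

# Transcription: keep a full text record of every session, with invocation headers.
Set-PolicyValue -SubKey 'Transcription' -Name 'EnableTranscripting' -Value 1
Set-PolicyValue -SubKey 'Transcription' -Name 'EnableInvocationHeader' -Value 1
Set-PolicyValue -SubKey 'Transcription' -Name 'OutputDirectory' -Value $TranscriptDir -Type 'String'

# Verification: read each setting back so configuration drift is visible at a glance.
function Test-PowerShellLoggingPolicy {
    $checks = @(
        @{ Key = 'ModuleLogging';      Name = 'EnableModuleLogging';      Expect = 1 },
        @{ Key = 'ScriptBlockLogging'; Name = 'EnableScriptBlockLogging'; Expect = 1 },
        @{ Key = 'Transcription';      Name = 'EnableTranscripting';      Expect = 1 }
    )
    foreach ($c in $checks) {
        $actual = (Get-ItemProperty -Path (Join-Path $PolicyRoot $c.Key) -Name $c.Name `
                   -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{
            Setting  = $c.Name
            Expected = $c.Expect
            Actual   = $actual
            Ok       = ($actual -eq $c.Expect)
        }
    }
}

Test-PowerShellLoggingPolicy | Format-Table -AutoSize
```

Forward the Microsoft-Windows-PowerShell/Operational log and the transcript directory to central collection, since the alert notes Hive disables local logs once it is deployed.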

Roger Grimes, data-driven defense evangelist at KnowBe4, adds that organizations should take a hard look at the state of their phishing awareness training: “Regarding the recent joint announcement on Hive ransomware, it really is a great document and I applaud all the involved agencies. They are really doing a great job. My only grievance is that even though the document acknowledges that one of the primary initial access methods for Hive is phishing emails with malware attachments, in the rest of the document, they don’t recommend educating end users on how to recognize phishing threats and not to open suspicious files, which is the single best recommendation you could make to stop that type of attack. It’s part of the reason why people don’t do better with stopping phishing attacks, because we literally aren’t telling defenders to do it.”

Daniel Mayer, Threat Researcher at Stairwell, feels that the only real way to curtail ransomware attacks at this point is to focus on locking down whatever data the attackers can be expected to steal: “Ransomware and data extortion continue to impose massive costs on businesses, and threat actors’ tactics continue to evolve to evade defenses and inflict as much damage as possible. To ensure payment, we have recently observed actors dabbling in data destruction in lieu of encryption. But data extortion is an action on objectives that is at the end of a long kill chain involving tactics such as the exploitation of vulnerabilities, credential dumping, social engineering, and the deployment of remote access tools. Organizations must focus on preventing ransomware actors by detecting and remediating threats before they get to the point of data extortion.”