Hive Ransomware Gang Breached Almost 350 Organization Within 4 Months

Hive ransomware group's early intrusion techniques encompass phishing emails and compromised VPN credentials.

According to security researchers who obtained data from Hive's administrator panel, affiliates of the well-known ransomware group breached over 350 organizations in less than four months. That works out to an average of three attacks per day since June, when the gang's operation first became widely known.

Hive ransomware first appeared in June, with the first publicly reported attack occurring on June 23rd, when the gang targeted the Canadian IT firm Altus Group. According to an investigation of the group by Group-IB researchers, it was initially unclear whether the Hive ransomware operation used a ransomware-as-a-service (RaaS) business model.

According to the analysts, the Hive ransomware group's early intrusion techniques include phishing emails and compromised VPN credentials.

“Hive affiliates resort to various initial compromise methods: vulnerable RDP servers, compromised VPN credentials, as well as phishing emails with malicious attachments. The data encryption is often carried out during non-working hours or on the weekend. Taking into account that Hive targets organizations from various economic sectors from all around the world and their attacks are manually controlled by the affiliates, it’s crucial to closely monitor the changes in TTP of these ransomware operators,” said researchers.
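The researchers' observation that encryption tends to run outside working hours lends itself to a simple detection heuristic. The following is an added example, not code from the article or from Group-IB: it scans a constructed file-event log and flags any host that renames an unusually large number of files within one minute outside assumed office hours. The hostnames, paths, office hours and burst threshold are all assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime

BUSINESS_HOURS = (8, 18)  # assumed local office hours (start inclusive, end exclusive)
BURST_THRESHOLD = 20      # assumed: renames per host per minute that warrant an alert

# Constructed sample events, one per line: "<host> <ISO timestamp> <action> <path>".
SAMPLE_EVENTS = (
    # 25 renames in a single minute on a file server at 02:14 on a Saturday
    [f"fs01 2021-10-16T02:14:{i:02d} RENAME /srv/share/doc{i}.xlsx" for i in range(25)]
    # ordinary daytime activity on a workstation, Thursday 10:00
    + [f"ws07 2021-10-14T10:00:{i:02d} RENAME /home/user/draft{i}.txt" for i in range(5)]
    # a few off-hours renames that should stay below the threshold
    + [f"fs02 2021-10-17T03:30:{i:02d} RENAME /srv/backup/old{i}.bak" for i in range(3)]
    # a non-rename action during the burst, which the filter must ignore
    + ["fs01 2021-10-16T02:14:30 WRITE /srv/share/notes.txt"]
)


def is_off_hours(ts: datetime) -> bool:
    """True on Saturday/Sunday or outside BUSINESS_HOURS on a weekday."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def parse_event(line: str):
    """Split one log line into (host, timestamp, action, path); path may contain spaces."""
    host, ts, action, path = line.split(" ", 3)
    return host, datetime.fromisoformat(ts), action, path


def detect_offhours_bursts(lines, threshold: int = BURST_THRESHOLD) -> dict:
    """Count off-hours RENAME events per (host, minute) and return buckets at/above threshold."""
    buckets = defaultdict(int)
    for line in lines:
        host, ts, action, _ = parse_event(line)
        if action != "RENAME" or not is_off_hours(ts):
            continue
        buckets[(host, ts.strftime("%Y-%m-%d %H:%M"))] += 1
    return {key: count for key, count in buckets.items() if count >= threshold}


if __name__ == "__main__":
    for (host, minute), count in detect_offhours_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {count} off-hours renames in minute {minute}")
```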

The Group-IB researchers probed further in their study of the Hive ransomware group and gained access to the ransomware's administration panel, which allowed them to collect data on how the operation works.

They found that the panel made ransomware distribution and victim negotiation straightforward: affiliates could generate a build of the ransomware in 15 minutes. Negotiations were then handled by Hive administrators, who relayed messages through a chat window to which affiliates could also have access.

Some businesses reported that the decryption tool provided after paying the ransom did not work properly and left virtual machines unbootable by damaging their Master Boot Record.

According to the research, all affiliates have access to victim company IDs in the Hive ransomware database.

Both the admin panel and the site where stolen data is exposed rely on an Application Programming Interface (API). An issue in that API allowed the researchers to retrieve data about Hive attacks, from which they concluded that 355 firms had been infected by this ransomware group as of October 16.

The researchers added, “Based on the analysis of company data obtained through API, the number of victims grew by 72% in less than one month. On September 16, the total number of records related to victim companies was 181. Just one month later, on October 16, the number increased to 312. Notably, 43 companies listed as victims in September disappeared from API in October, most likely after paying the ransom.”