Search This Blog

Showing posts with label Extortion Group. Show all posts

Hive Ransomware Operators Extort $100m from Over 1,300 Firms Worldwide


The operators behind the Hive ransomware-as-a-service (RaaS) model have launched assaults against over 1,300 firms across the globe and received approximately $100 million in ransom payments as of November 2022, US government agencies stated in an alert. 

Active since June 2021, the malicious ransomware model has been employed in assaults against enterprises and critical infrastructure entities, including healthcare, government, communications, IT, and manufacturing organizations. 

"Hive ransomware has targeted a wide range of businesses and critical infrastructure sectors, including government facilities, communications, critical manufacturing, information technology, and — especially — Healthcare and Public Health (HPH)," read the joint advisory by the FBI, the US Cybersecurity and Infrastructure Security Agency, and the Department of Health and Human Services.

Modus Operandi 

Hive's RaaS campaign involves a mix of operators, who design and manage the malware, and affiliates, who are responsible for launching the assaults on victim networks by often purchasing initial access from initial access brokers (IABs). 

In most scenarios, securing a foothold involves the exploitation of ProxyShell vulnerabilities in Microsoft Exchange Server, followed by the detection and termination of processes linked to antimalware, backups, file copying, and deleting Windows event logs. 

Subsequently, the ransomware designs a file with the .key extension in the root directory – this file, which is unique to the system it was created on, is required for decryption. A ransom note is dropped into each exploited directory, warning targets not to tamper with the .key file, as that would restrict them from data recovery, and also asks victims to contact the hackers via live chat on a website accessible via the Tor browser. 

The ransomware actor also threatens victims that, if a ransom is not paid, data would be leaked publicly on the Tor site ‘HiveLeaks’. Threat analysts also detected crooks employing anonymous file-sharing sites to publish siphoned data. 

"Hive actors have been known to reinfect — with either Hive ransomware or another ransomware variant — the networks of victim organizations who have restored their network without making a ransom payment," the advisory further reads. 

According to the recent report published by cybersecurity firm Malwarebytes, the ransomware targeted seven victims in August 2022, 14 in September, and two other organizations in October, marking a fall in the operations from July, when the gang targeted 26 victims.

Karakurt Hacking Group Linked to Conti and Diavol Ransomware Crew


Cybersecurity researchers from Arctic Wolf Networks published a blog post on Friday claiming that the cyber extortion group Karakurt is operationally associated with both the Conti and Diavol ransomware groups, operating as an exfiltration arm of the ransomware organizations. 

In a blog post, researchers said since its first attacks in August 2021, Karakurt hacking group has targeted more than 40 organizations in a number of industries in at least eight nations.

In conducting the in-depth research Tetra Defense, an Arctic Wolf firm, collaborated with Chainalysis and Northwave to examine the cryptocurrency wallets tied to the Karakurt hacker group, combined with their specific technique for data theft. The analysis confirmed that the group's membership overlaps with the Conti and Diavol ransomware crews. 

Tetra's report reveals the experience of a client firm that was targeted by the Conti group, and subsequently targeted again by a data theft perpetrated by the Karakurt hacking group. The analysis confirmed that the Karakurt attack employed an identical backdoor to exploit the client's systems as the earlier Conti assault. These associations debunk the Conti group’s assurance to victims that paying the ransom will shield them from future assaults.

"Such access could only be obtained through some sort of purchase, relationship, or surreptitiously gaining access to Conti group infrastructure," Tetra explained in its report. 

It is essential to distinguish the several types of cyber assault described right here, according to Tetra. In a ransomware attack, critical information is encrypted and the ransom is paid in exchange for a decryption key so that the victim can recover its data and resume operating. In a data theft, which has been the sole type of attack orchestrated by the Karakurt group, threat actors steal sensitive corporate data and demand money in exchange for not releasing it. 

The Karakurt attacks of this type — there have been more than a dozen to date, according to Tetra — also employed cryptocurrency wallets associated with Conti victim payment addresses, further strengthening the argument that the two groups' membership may overlap significantly. 

“Traditionally, we have seen the criminals honor their offers,” Nathan Little, senior vice chairman of digital forensics and incident response at Tetra stated. “Early on, when these [data theft attacks] began in 2019, it was widespread that corporations had been frightened sufficient that they’d pay, to not cover the incident, however to keep away from the results.”