
How the FBI Hacked Hive and Saved Victims

Earlier this year, the FBI achieved a significant milestone by dismantling Hive, a notorious cybercrime group, employing an unconventional approach. Instead of apprehending individuals, the agency focused on outsmarting and disrupting the hackers remotely. This marks a notable shift in the FBI's strategy to combat cybercrime, recognizing the challenges posed by international borders where many cybercriminals operate beyond the jurisdiction of U.S. law enforcement. 

In the past, Hive gained infamy as a highly active criminal syndicate, renowned for its acts of disrupting American schools, businesses, and healthcare institutions by disabling their networks and subsequently demanding ransoms for restoration. However, FBI field agents based in Florida successfully dismantled the group using their cyber expertise. 

They initially gained unauthorized access to Hive's network in July 2022 and subsequently countered the syndicate's extortion activities by aiding the targeted organizations in independently regaining access to their systems. 

According to Adam Hickey, a former Deputy Assistant Attorney General in the Justice Department's national security division during the Hive operation, the FBI's method proved effective and saved victims worldwide approximately $130 million. After conducting thorough investigations, the FBI discovered that Hive had rented its primary attack servers from a Los Angeles data center. 

Acting swiftly, the FBI seized the servers within two weeks and subsequently announced the takedown. This rapid action was motivated by the agency's recognition of an opportunity to halt Hive's activities, which had previously been difficult to preempt. However, while the announcement marked a significant milestone, Special Agent Smith and Director Crenshaw emphasized that the case is far from over. 

Hickey, who is now a partner at Mayer Brown law firm, stated that relying solely on arrests to combat cyber threats would be an oversimplified approach. He emphasized the need for a broader perspective and alternative strategies to address the evolving cyber threat landscape. 

The FBI initially became aware of Hive in July 2021 when the group, which was still relatively unknown at the time, targeted and encrypted the computer network of an undisclosed organization in Florida. This occurred during a period when prominent ransomware groups were carrying out severe attacks on gas pipelines and meat processors in the United States. 

In the following 18 months, Hive conducted more than 1,500 attacks worldwide, resulting in the collection of approximately $100 million in cryptocurrency from the victims, as estimated by U.S. law enforcement. The group's rapid expansion can be attributed, in part, to its strategic utilization of ruthlessness as a catalyst for growth. 

They targeted organizations, including hospitals and healthcare providers, that other cybercriminals had refrained from attacking. Data gathered by researcher Allan Liska reveals that despite the FBI's covert presence within Hive, the group continued to carry out attacks at a consistent rate.

On a hidden website where Hive disclosed the identities and sensitive details of victims who refused to pay, they listed seven victims in August, eight in September, seven in October, nine in November, and 14 in December. These numbers remained similar to the group's attack patterns before the FBI's infiltration. 

Hive members are still at large, and the seized servers could potentially aid in exposing the network of affiliates who collaborated with Hive during the 18-month period. As a result, the takedown has the potential to lead to additional arrests in the future.

Here is How Toronto-area Police Force Helped Take Down a Russian-linked Hacking Group

The Toronto-area police force has recently explained how it ended up involved in the international effort to lawfully hack Hive, one of the most ruthless ransomware groups in the world.

The contributions made by the Peel Regional Police are one of the reasons why the Canadian flag is among the icons displayed on what was the dark website of the Russian-linked ransomware group Hive, along with the logos of the U.S. Department of Justice, the FBI, and a variety of police forces around the globe.

According to Detective Const. Karim Hussain in an interview with CTV News Toronto, Peel's detectives got engaged early when a local firm contacted them in 2021 claiming that their systems were down and a text message on their desktops revealed a ransom note. 

“We had one of the first cases in Canada of Hive ransomware[…]It was the first to market. At the time we started gathering evidence, Hive was a fairly new ransomware group. Everything we brought to the table was interesting because no one had seen it before,” he says. 

The characteristics of the Hive case were similar to those of numerous other high-profile incidents, such as a hospital in Louisiana where threat actors accessed the data of around 270,000 patients, and an Ohio hospital whose attack left it unable to accept new patients even during the massive surge of COVID-19.

Those were only a few of the more than 1,500 attacks throughout the globe that had the digital traces of Hive, an organization whose associates, according to authorities, have made $150 million since 2021 as they demand money from companies in exchange for access to their data or system. 

The attacks are carried out via a "ransomware as a service" (RaaS) model, in which a small group of individuals create malicious software and then distribute it to numerous users, allowing them to quickly scale up their attacks before the security flaws they exploit are addressed. 

“You have an overarching group that provides everything down to the infrastructure, to lesser-capable cyber criminals, and they provide them the tools to conduct the hack,” Hussain said. 

The case brought the RCMP, the FBI, the police from France, Germany, Norway, and Lithuania together with Peel Police and other agencies dealing with Hive's impact. 

In response, the coalition of agencies took over Hive's website earlier this year and replaced it with a landing page bearing the logos of numerous investigative agencies. “Simply put, using lawful means, we hacked the hackers,” said U.S. Deputy Attorney General Lisa Monaco in a press conference in January.

She added that police had obtained and then openly distributed decryption keys that could help anyone who had been attacked recover their data or free their systems on their own.

According to Christopher Wray, director of the FBI, these actions have prevented around $130 million in ransom from being paid. “This cut off the gas that is fueling Hive’s fire,” Wray said. 

According to Hussain, the inquiry is still ongoing as the prevalence of ransomware grows. Ransomware assaults made up 11% of all cyber security incidents in 2021, according to Statistics Canada. 

“There’s no end in sight to cybercrime right now,” Hussain said.  

DOJ Reveals: FBI Hacked Hive Ransomware Gang

The U.S. Department of Justice (DOJ) recently confirmed that the FBI had infiltrated the operations of a prominent cybercrime gang, covertly disrupting its attacks for more than six months.

According to the DOJ, the FBI gained deep access to the Hive ransomware group in late July 2022. The infiltration prevented the group from extorting $130 million in ransom demands from more than 300 organizations.

Ransomware gangs encrypt victims' files using malicious software, locking them up and rendering them unavailable unless a ransom is paid to obtain a decryption key.

It is estimated that Hive and its affiliates have accumulated over $100 million from more than 1,500 victims, including hospitals, school districts, financial companies and critical infrastructure, in more than 80 countries across the globe.

The FBI revealed that it had collaborated with local law enforcement agencies to help victims recover from the attacks, including the UK's National Crime Agency, which says it gave around 50 UK organizations decryption keys to recover from the breaches.

On Thursday, the US announced that it had put an end to the operation by disabling Hive's websites and communication systems with the aid of police forces in Germany and the Netherlands.

Attorney General Merrick Garland stated that "Last night, the Justice Department dismantled an international ransomware network responsible for extorting and attempting to extort hundreds of millions of dollars from victims in the United States and around the world." 

While no individual connected to the Hive attacks had yet been taken into custody, a senior official suggested that arrests might follow soon.

In regards to the infiltrations, Deputy Attorney General Lisa O Monaco said, "simply put, using lawful means, we hacked the hackers." 

Moreover, the DOJ says it will pursue those behind Hive until they are brought to justice.

"A good covert operation can degrade confidence in operational security and inject suspicion among actors,” Mandiant Threat Intelligence head John Hultquist said. "Until the group is arrested, they will never truly be gone. They will have to reconstitute, which takes time, but I'll bet they reappear in time."    

Bell Canada Hit by Hive ransomware

Bell Canada, a telecommunications firm, alerted customers to a cybersecurity incident in which hackers gained access to business data. The affected unit, Bell Technical Solutions (BTS), is an independent subsidiary with more than 4,500 employees that specializes in installing Bell services for household and small-business customers in the provinces of Ontario and Québec.

According to a notice published on bell.ca, the company identified Bell Technical Solutions as the target of the recent cybersecurity incident and stated that "Some operational company and employee information was accessed in the recent cybersecurity incident."

Although the Canadian telecoms operator declined to say when its network was compromised or when the attack took place, Hive claims in a fresh post on its data leak blog that BTS' systems were encrypted on August 20, 2022, almost exactly one month earlier.

To assist in the recovery process, outside cybersecurity professionals were hired. The Royal Canadian Mounted Police's cybercrime unit has been contacted about the attack, and the corporation has informed Canada's Office of the Privacy Commissioner of the occurrence.

In the wake of the incident, the Bell subsidiary cautioned customers that they might become targets of phishing attacks, took immediate action to secure the compromised systems, and reassured users that no customer data, including credit and debit card numbers, banking information, or other financial data, was accessed as a result of the incident.

"Any persons whose private data could have been accessed will be promptly informed by us. Other Bell clients or other Bell businesses were not impacted; Bell Technical Solutions runs independently from Bell on a different IT system" the company stated.

Hive is an affiliate-based ransomware operation that was first observed in June 2021 and is used by hackers to launch ransomware attacks targeting healthcare facilities, charities, retailers, energy suppliers, and other industries globally.

A recent cyberattack by the Hive ransomware gang has led to an extortion attempt worth $2 million against Damart, the French clothing firm with over 130 locations throughout the world. According to data from Recorded Future, Hive is still one of the most active ransomware gangs, responsible for more than 150 attacks last month.

Damart Suffered a Hive Ransomware Attack

A cyberattack by the Hive ransomware gang has led to an extortion attempt worth $2 million against Damart, the French clothing firm with over 130 locations throughout the world. 

The company's operations have been disrupted and some of its systems have been encrypted since August 15. To keep negotiations confidential, the hackers have chosen not to list the victim on their extortion website.

Damart has not yet entered negotiations with the cybercriminals and has reported the incident to the national police, so it remains doubtful whether Hive will be paid.

The first indication of difficulty arose on August 15 when Damart posted a notice about unexpected maintenance on the home page of their online store.

Damart, a mail-order clothing company based in Bingley, West Yorkshire, has confirmed that there was an attempt to hack into its IT systems during that time. The firm stated that it was "quickly able to intercept the attempt with strong security protocols."

In addition, the website is presently unavailable because the company has temporarily restricted several services offered to customers as a precaution. The business says it places a high priority on data and system security and that, reassuringly, there is no evidence so far that any customer data has been affected.

On August 24, it was revealed that 92 of Damart's stores had been affected by the disruption to its sales network, which was not functioning regularly. As a result, fewer purchases were accepted, and customer service was shut down.

The company made it clear that the hackers had successfully compromised its Active Directory and launched a sudden attack that led to the encryption of some of its systems.

According to Damart, the corporation took preventive measures by shutting down systems to prevent them from being encrypted, which impaired the services.

It is still uncertain whether Hive succeeded in stealing any data during the cyberattack. The gang, however, uses the double-extortion strategy, stealing data before encrypting it. This lets the hackers threaten the victim with a data leak in order to pressure the victim into paying a ransom.

The situation is similar to how Ragnar Locker's cyberattack against LDLC played out last December. By their own account, the attackers were stopped before they could deliver their final blow and trigger the encryption.

According to Valery Marchive, who recovered a leaked ransom note and published details on LeMagIT, the hackers are not eager to negotiate and expect parent company Damartex to pay the full ransom.

Hive Ransomware Gang Breached Almost 350 Organizations Within 4 Months

According to security researchers who obtained data from Hive's administrator panel, affiliates of the well-known ransomware operation breached over 350 enterprises in less than four months. This means the average number of attacks has risen to three per day since June, when the gang's operation first became widely known.

Hive ransomware first appeared in June, with the first publicly reported attack occurring on June 23rd. At the time, the gang targeted the Canadian IT firm Altus Group. According to an investigation of this cybercrime group by Group-IB researchers, it was unclear at first whether the Hive ransomware operation used the ransomware as a service (RaaS) business model.

According to analysts, the Hive ransomware group's early initial-access techniques include phishing emails and compromised VPN credentials.

“Hive affiliates resort to various initial compromise methods: vulnerable RDP servers, compromised VPN credentials, as well as phishing emails with malicious attachments. The data encryption is often carried out during non-working hours or on the weekend. Taking into account that Hive targets organizations from various economic sectors from all around the world and their attacks are manually controlled by the affiliates, it’s crucial to closely monitor the changes in TTP of these ransomware operators,” said researchers.

The Group-IB researchers probed further in their study of the Hive ransomware group and gained access to the ransomware administration panel, which allowed them to collect data on its mode of operation.

They found that ransomware distribution and victim negotiations were made transparent and simple: affiliates could generate a build of the ransomware in 15 minutes. Negotiations were then handled by the Hive ransomware administrators, who relayed messages through a chat window that affiliates could also access.

Some businesses reported that the decryption tool provided after paying the ransom did not work properly and left the Master Boot Record of their virtual machines unbootable.

According to the research, all affiliates have access to the victim company IDs stored in the Hive ransomware database.

Both the admin panel and the data leak site are served by an Application Programming Interface (API). Due to a flaw in this API, the researchers were able to acquire data on the Hive attacks and concluded that, by October 16, 355 companies had been hit by this ransomware group.

The researchers added, “Based on the analysis of company data obtained through API, the number of victims grew by 72% in less than one month. On September 16, the total number of records related to victim companies was 181. Just one month later, on October 16, the number increased to 312. Notably, 43 companies listed as victims in September disappeared from API in October, most likely after paying the ransom”.

Supernus Pharmaceuticals Hit by a Ransomware Attack

Last week, Supernus Pharmaceuticals, a biopharmaceutical company, disclosed that it had been the target of a ransomware attack in which a significant amount of information was exfiltrated from its systems. According to the Rockville, Maryland-based firm, the extortion gang obtained data from certain systems, deployed software to restrict access to files, and then threatened to publish the exfiltrated contents.

Nevertheless, Supernus Pharmaceuticals says the incident had no significant effect on the business, as its operations were not adversely affected.

At this time, the Company also has no plans to pay any ransom to any criminal ransomware group.

Supernus Pharmaceuticals also says it has restored the affected files and has taken steps to strengthen the security of its network and data. Nevertheless, the organization believes the criminals will most likely try to profit from the unlawfully obtained information.

The Hive ransomware group claimed responsibility for the attack, stating that on November 14 it broke into Supernus Pharmaceuticals' network and exfiltrated 1,268,906 files comprising 1.5 TB of data.

“The Company continues to operate without interruption and does not currently anticipate paying any ransom amounts to any criminal ransomware group,” the company says. 

“To date, the Company has not paid any ransom and has been able to restore all of the information encrypted by the criminal ransomware group,” Supernus Pharmaceuticals further added. 

The hacker group claimed on its Tor leak site that the stolen information would soon be uploaded online, pointing out that the corporation had not disclosed the incident in its most recent 8-K Form filed with the Securities and Exchange Commission (SEC).

Meanwhile, Supernus Pharmaceuticals submitted an additional 8-K Form to the SEC on Friday, November 26, this time specifically disclosing the ransomware attack. Despite Supernus Pharmaceuticals' assertion that it has no intention of paying a ransom, the Hive ransomware operators say they have been in contact with the company since the attack.

MediaMarkt Struck by Hive Ransomware, Initial $240 Million Ransom Demand

A Hive ransomware operation hit MediaMarkt, a German multinational chain of consumer electronics stores, with the threat actors initially demanding a ransom of $240 million. IT systems in the Netherlands and Germany were shut down as a result of the incident, and store operations were hampered.

With over 1,000 stores in 13 countries, MediaMarkt is Europe's largest consumer electronics retailer. It employs around 53,000 people and has total sales of €20.8 billion. At the start of this week, a ransomware attack hit MediaMarkt, encrypting servers and workstations; IT services were taken offline to stop the attack from spreading.

The ransomware attack, according to BleepingComputer, affected several retail stores across Europe, particularly in the Netherlands. While online sales are unaffected, cash registers in affected stores are unable to accept credit cards or print receipts. The system shutdown is also blocking returns, since previous purchases cannot be looked up. Employees have been instructed to avoid encrypted systems and to disconnect networked cash registers.

According to screenshots of alleged internal communications posted on Twitter, the attack compromised 3,100 servers; at this point, however, BleepingComputer has been unable to verify those claims. BleepingComputer reports that the Hive ransomware operation is behind the attack and demanded a huge, but unrealistic, $240 million ransom for a decryptor for the encrypted files.

Ransomware groups frequently open with high demands to leave room for negotiation, and they generally receive only a portion of what they ask for. However, BleepingComputer has been told that in the MediaMarkt attack the demand was almost immediately reduced to a significantly smaller amount.

While it is unclear whether unencrypted data was stolen in the attack, Hive ransomware is known to steal files and post them on its 'HiveLeaks' data leak site if a ransom is not paid. When BleepingComputer contacted MediaMarkt about the attack, it received the following response:

“The MediaMarktSaturn Retail Group and its national organizations became the target of a cyberattack. The company immediately informed the relevant authorities and is working at full speed to identify the affected systems and repair any damage caused as quickly as possible. In the stationary stores, there may currently be limited access to some services. MediaMarktSaturn continues to be available to its customers via all sales channels and is working intensively to ensure that all services will be available again without restriction as soon as possible. The company will provide information on further developments on the topic. - MediaMarkt.”

About the Hive ransomware 
Hive ransomware was first discovered in June 2021 and has already hit over 30 companies, counting just those who did not pay the demanded ransom. The Hive group, according to the FBI, uses a range of tactics, methods, and processes to breach targeted networks. 

Hive ransomware is data-encrypting malware that gained notoriety through its attack on the Memorial Health System, where employees had to work with paper charts because their computers were encrypted. Altus Group was another victim: hackers stole corporate information and data from the software supplier and later published it on HiveLeaks.

Hive has also created variants to encrypt Linux and FreeBSD servers, which are often used to host virtual machines.

Linux And FreeBSD Systems Are Being Exploited in the Wild by Hive Ransomware

The Hive ransomware group, active since mid-2021, reportedly encrypts Linux and FreeBSD systems with new malware variants built specifically for these platforms.

The Slovak internet security firm ESET revealed that Hive's new encryptors are still under development and still lack functionality. During ESET's analysis, the Linux variant also turned out to be largely unstable, with encryption failing whenever the malware was executed with an explicit path.

The Linux variant accepts only a single command-line argument (-no-wipe); Hive's Windows ransomware, by contrast, supports up to five execution options, including killing processes and skipping disk cleaning, uninteresting data, and older files.

The Linux variant likewise fails to encrypt when run without root privileges, because it tries to drop the ransom note on the root file system of the infected machine. "Just like the Windows version, these variants are written in Golang, but the strings, package names, and function names have been obfuscated, likely with gobfuscate," ESET Research Labs said.

Hive has already infiltrated over 30 organizations, not including victims who declined to pay a ransom. It is one of several ransomware operations that have started attacking Linux servers as enterprises gradually shifted to virtual machines for easier device management and more efficient resource utilization. By targeting virtual machine hosts, ransomware operators can encrypt numerous servers with a single command.

Security experts eventually identified HelloKitty and BlackMatter ransomware Linux encryptors in the wild in July and August, validating Wosar's claim. 

One month later, it was revealed that some of these Linux malware variants are also defective and may corrupt victims' data during encryption. The Snatch and PureLocker ransomware operations have also used Linux versions in their attacks.

Ransomware Groups are Escalating Their Attacks on Healthcare Organizations

Ransomware groups have shown no signs of easing their attacks on hospitals, and appear to be intensifying attacks on healthcare institutions as countries all over the world cope with a new wave of COVID-19.

Two healthcare institutions in California and Arizona have begun sending out breach notification letters to thousands of people after both disclosed that sensitive information, including Social Security numbers, treatment information, and diagnosis data, was obtained during recent attacks.

LifeLong Medical Care, a California health facility, is mailing letters to about 115,000 people informing them of a ransomware attack on November 24, 2020. The letter does not specify which ransomware gang was responsible. It does state that Netgain, a third-party vendor that provides services to LifeLong Medical Care, "discovered anomalous network activity" and only later, by February 25, 2021, concluded that it was a ransomware attack.

Netgain and LifeLong Medical Care completed their investigation by August 9, 2021. They determined that full names, Social Security numbers, dates of birth, patient cardholder numbers, and treatment and diagnosis information were accessed and/or obtained during the attacks.

LifeLong Medical Care advises affected individuals to consider credit monitoring services, fraud alerts, or security freezes on their credit files and credit reports, and to stay attentive to "financial account statements, credit reports, and explanation of benefits statements for fraudulent or unusual behavior."

For further information, anyone with questions can call (855) 851-1278, which is a toll-free number. 

After being hit by a ransomware attack that exposed confidential patient information, Arizona-based Desert Wells Family Medicine was compelled to send a similar letter to 35,000 patients.

On May 21, Desert Wells Family Medicine learned it had been hit by ransomware and promptly engaged an incident response team to assist with the recovery. The incident was also reported to law enforcement. 

According to the healthcare institution, the ransomware gang "corrupted the data and patient electronic health records in Desert Wells' possession before May 21". Because the malicious actors had accessed both the facility's database and its backups, the data was unrecoverable.

Desert Wells Family Medicine stated in its letter, "This information in the involved patient electronic health records may have included patients' names in combination with their address, date of birth, Social Security number, driver's license number, patient account number, billing account number, health insurance plan member ID, medical record number, dates of service, provider names, and medical and clinical treatment information." 

The organization stated that it is presently reconstructing its patient electronic health record system and will provide free credit monitoring and identity theft prevention services to victims. 

"Patients should also check statements from their healthcare providers or health insurers and contact them right away if they notice any medical services they did not get," the letter continued. 

These recent attacks, according to Sascha Fahrbach, a cybersecurity evangelist at Fudo Security, show that the healthcare sector, with its valuable personal information, remains an enticing and profitable target for hackers and insiders.

"There were more than 600 healthcare data breaches last year, with more than 22 million people affected, and unfortunately, this trend shows no sign of slowing down. Healthcare operators need to reassess their security posture, as well as shifting their mindset when it comes to safeguarding their data," Fahrbach added. 

"In particular, third parties remain a security liability which needs to be urgently addressed. Many in the healthcare industry are not taking the proper steps to mitigate third-party remote access and third-party vendor risk." 

After Hive ransomware took down a hospital system in Ohio and West Virginia last month, the FBI issued an alert two weeks ago, noting that the gang frequently corrupts backups as well.

Hive has targeted at least 28 companies so far, including Memorial Health System, which was struck by ransomware on August 15.