The year 2022 saw a rise in the number of ransomware groups and mass campaigns run by threat actors. Newer names and rookie groups have also emerged and started operations in recent years. However, Hive ransomware gang, first discovered in active campaigns in mid-2021, has garnered international attention and reportedly extorted over 100 million dollars in just one year.
According to sources, Hive Ransomware is among the top ten most active ransomware groups, operating at multiple locations and targeting victims from various industries. The group came under the FBI’s radar in August 2021 when its members attacked several healthcare organizations in the USA.
Hive ransomware is a ransomware-as-a-service (RaaS) gang that has attacked over 1,300 companies and collected ransom payments worth $100 as of November 2022. The group has many affiliated groups and individuals who target victims in different industries and parts of the world. The group is also reported to be working with Initial Access Brokers (IABs), who deal in selling and purchasing access to big corporations.
The Hive ransomware gang collected ransom payments of over $100 million
According to sources, the Hive ransomware gang uses various tools and services like RDP, VPNs, and other remote connection protocols for initial access to the victim’s networks. The group allegedly targeted companies and industries that didn’t opt for multi-factor authentication (MFA) or other security procedures.
However, over two years, it was observed that the threat actors could bypass MFA by bypassing the CVE-2020-12812 vulnerability. The group also claimed responsibility for launching phishing campaigns using malware-embedded emails targeting Microsoft Exchange Server vulnerabilities (CVE-2021-31207, CVE-2021-34473, and CVE-2021-34523).
A standard format used by hackers is creating a file with a .key extension in the root directory. The key, which is required for decryption, is then used as bait to force the victim into paying the ransom. With encryption being the attacker’s primary goal, they also exfiltrate data of interest from compromised Windows, Linux, VMware ESXi, and FreeBSD systems.
Multiple access points
As the ransomware is available as a service, the method of initial intrusion depends on which affiliate targets the network, according to the Cybersecurity and Infrastructure Security Agency (CISA) of the US government.
“Hive actors have gained initial access to victim networks by using single factor logins via Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote network connection protocols,” said the latest CISA advisory on the threat group.
In some cases, Hive actors have bypassed multifactor authentication (MFA) and gained access to FortiOS servers by exploiting Common Vulnerabilities and Exposures (CVE). This vulnerability enables a malicious cyber actor to log in without a prompt for the user’s second authentication factor (FortiToken) when the actor changes the case of the username.
CISA has also spotted cases where Hive actors gained initial access to victim networks by distributing phishing emails with malicious attachments by exploiting vulnerabilities in Microsoft Exchange servers.
