Listen to this story
Hive ransomware group has claimed responsibility for the cyberattack on Tata Power, releasing confidential company information, including the payroll details of its employees. Tata Power issued an official notice about the cyberattack on October 14, 2022.
On October 25, 2022, Hive Ransomware Group posted on their website claiming responsibility for the cyberattack on the Indian power utility company. According to the FBI, the ransomware group gives an initial ransom payment deadline of 2 to 6 days, indicating that the data leak was the result of failed ransomware negotiations.
The leak site post claims that they encrypted Tata Power’s data on October 3, eleven days before the company disclosure. The BSE statement filed by the company did not mention that it was a ransomware attack.
Moreover, the Hive ransomware leak site claims that they have access to confidential data of the company, such as financial documents, employees’ personal and professional data, vendor information etc. The information was accessed and aggregated by researchers at Cyble in a confidential client alert, accessed by The Cyber Express. Tata Power has not confirmed or denied the claim at the time of publishing the report.
“After analyzing the data sample leaked by the Hive ransomware group, we found that the leaked data contains highly sensitive information from Tata Power such as employees’ personal and work details, company infrastructure and internal policies, and clients’ data,” said the Cyble client advisory report.
Amateur dark web researchers, too got wind of the leak and promptly published the information.
What TATA POWER leak contains?
PII Employees: #Aadhaar, PAN,Graduation, DL, Salary
Financial Records – 20 Bank Records
Client Contracts#hive #ransomware #databreach #OSINT #hack #phishing #security #cybersecurity #netsec #cyber #malware #dataleak #TATAPower pic.twitter.com/DpYbc1jPfM
— RAKESH KRISHNAN (@RakeshKrish12) October 25, 2022
Mode of operation
“Hive ransomware seeks processes related to backups, anti-virus/anti-spyware, and file copying and terminates them to facilitate file encryption. The encrypted files commonly end with a .hive extension,” said an FBI alert on the ransomware group.
“The Hive ransomware then drops a hive.bat script into the directory, which enforces an execution timeout delay of one second in order to perform cleanup after the encryption is finished by deleting the Hive executable and the hive.bat script. A second file, shadow.bat, is dropped into the directory to delete shadow copies, including disc backup copies or snapshots, without notifying the victim and then deletes the shadow.bat file.”
Hardly two years old, Hive has grown into one of the most prevalent ransomware payloads in the ransomware as a service (RaaS) ecosystem. Microsoft threat intelligence researchers recently discovered its latest variant with several major upgrades. “The upgrades in the latest variant are effectively an overhaul: the most notable changes include a full code migration to another programming language and the use of a more complex encryption method,” said the Microsoft report.
“The impact of these updates is far-reaching, considering that Hive is a RaaS payload that Microsoft has observed in attacks against organizations in the healthcare and software industries by large ransomware affiliates like DEV-0237.”
The ransomware gang is location-and-sector agnostic and usually targets high-value business organizations or government administration bodies.
The total volume of data assessed and the direct and indirect financial cost of the incident are yet to be assessed. According to a blog post published by Tata Tele Business Services earlier, the responsibility for security breaches rests on everyone involved.
“It should be considered that cyber-attacks are not only often but frequently creative and innovative. Though many large corporations around the world consistently boast of “’security in their very DNA”, they often nose-dive to keep up pace with criminals who are always finding out newer ways to trespass your security cellar,” said the blog post.