You probably don’t think about a ransomware group’s “tech stack”, “customer service” or business strategy when you picture dark web ransomware gangs. Yet it is largely because of its distinctive business model that the Hive ransomware gang is one of the most potent and damaging groups currently active on the dark web. Jose Miguel Esparza, head of threat intelligence at Outpost24, walks us through how Hive’s operation works.
Hive, a ransomware-as-a-service (RaaS) operation, was first observed in June 2021. Despite being relatively new, its aggressive tactics and constantly evolving malware strains have made it one of the most successful RaaS operations of its era. According to reports, Hive’s success has pushed rival RaaS operations with less sophisticated tooling and platforms out of business. But why is it such a lucrative “enterprise” for criminals? Part of the answer lies in its ransomware toolkit, its API-based platform and its negotiation tactics.
Hive’s Application Programming Interface (API) system
Hive’s use of modern APIs sets it apart from other RaaS providers. Using an API layer makes sense when designing a RaaS architecture: by working from a single database and tying the separate portals together through API calls from one backend, threat actors can extort victims quickly and, more importantly, efficiently. It also shows how well organised the group is. Three main portals make up this system: the affiliate portal, the victim portal and the data leak site.
Once an affiliate “business” has bought into the Hive RaaS, it can generate malware builds inside the affiliate portal and tie each build to a victim. At that point the victim organisation is assigned credentials for the victim portal. The whole process is condensed into one centralised, automated workflow. The same workflow also makes it easy to add links to stolen data from within the affiliate portal, so that victims can be pressured with double extortion. What happens if a victim refuses to pay? The platform publishes the data to the leak site automatically. From one platform the affiliate can extort a victim, expose the stolen data and publish samples of it.
Examining each API portal
It is worth looking at the specific role each portal plays within the API system, since a refined API is what differentiates Hive from the “competition”. Much of the group’s ability to run such a profitable RaaS business comes down to this reliable infrastructure.
The affiliate portal
The affiliate portal is the least “glamorous” but arguably most important part of the business: it is the primary backend of the Hive RaaS system, from which affiliates manage and coordinate the whole operation. Here affiliates manage payouts, create malware bundles, view exfiltrated data and see current and prospective victims.
A typical ransomware campaign involves nine steps for an affiliate, most of which must be completed for a campaign run through the Hive portal to succeed. First, the affiliate must gain access to the victim’s machine or network. Some reconnaissance follows before any data is stolen. Using what it has learned about the victim’s network, the threat actor builds a custom malware payload (which can also be configured in the portal for administration and efficiency) designed to hit the business in the most damaging and lucrative way possible. Finally, the affiliate deploys the infection.
Once a company has been hit, the affiliate can mark the victim’s files as encrypted in the portal. The exfiltrated data can then be uploaded to third-party sites or services such as Dropbox or the Exploit forum, or attached to the company’s record in the affiliate portal. The ransom note and the password for the victim portal are then delivered to the company, and negotiations can begin.
The victim portal does not look particularly threatening. On the left, the victim’s general information is displayed. In the middle of the page are prompts to contact “the sales department” and a live chat facility for unlocking the decryption service. Once the ransom is paid, the decryption software appears on the right-hand side. The portal is user-friendly, offers easy access to live chat and is styled in unthreatening orange and blue. Until you start reading the ransom note, the interface is not that different from what you would find on a legitimate company’s website.
After a victim’s machine has been successfully infected, the user is shown a ransom note containing the TOR URL of the Hive victim portal, together with a login and password for it. These credentials are generated when the victim is first added to the affiliate portal, again a result of the API-driven workflow.
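As an added defensive example (not code from the original article or from Outpost24): a small hunt script that walks a directory tree and flags small text files carrying both an .onion URL and a login/password pair, the combination the note described above contains, then counts how many directories each flagged file name appears in, since ransomware typically drops one copy of its note per directory. The sample tree, the note wording, the file names and the “Login:”/“Password:” line format are constructed assumptions for the demo, not Hive indicators.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# v2 .onion names are 16 base32 chars, v3 names are 56; match either form.
ONION_RE = re.compile(r"\bhttps?://[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b", re.I)
# Assumed credential line format: "Login: ..." / "Password: ..." (or with "=").
CRED_RE = re.compile(r"^\s*(login|password)\s*[:=]\s*\S+", re.I | re.M)
MAX_NOTE_BYTES = 64 * 1024  # ransom notes are small; skip big files cheaply


def looks_like_ransom_note(text: str) -> bool:
    """Flag only when a hidden-service URL AND both credential fields are present."""
    if not ONION_RE.search(text):
        return False
    fields = {m.lower() for m in CRED_RE.findall(text)}
    return {"login", "password"} <= fields


def hunt(root):
    """Walk `root`; return (flagged paths, Counter of flagged file names).

    The Counter tells you how many directories share the same note name,
    which is the mass-drop pattern a defender wants to see at a glance."""
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                if p.stat().st_size > MAX_NOTE_BYTES:
                    continue
                text = p.read_text(errors="replace")
            except OSError:
                continue  # unreadable or vanished file; keep walking
            if looks_like_ransom_note(text):
                notes.append(p)
    return notes, Counter(p.name for p in notes)


def build_sample_tree():
    """Constructed sample data for the demo (not a real Hive artifact)."""
    root = Path(tempfile.mkdtemp(prefix="hunt_"))
    note = (
        "Your network has been breached and all data were encrypted.\n"
        "To decrypt, visit our portal:\n"
        "http://" + "a" * 56 + ".onion/\n"          # fake v3-length address
        "Login: victim-0001\n"
        "Password: s3cr3t-example\n"
    )
    for sub in ("finance", "hr"):
        d = root / sub
        d.mkdir()
        (d / "README_TO_RESTORE.txt").write_text(note)
        (d / "report.docx.locked").write_bytes(b"\x00\x01garbage")
    # Decoy: an .onion link without credentials must not be flagged.
    (root / "notes.txt").write_text("tor mirror: http://" + "b" * 56 + ".onion/ for docs\n")
    # Decoy: credentials without a hidden-service URL must not be flagged either.
    (root / "config.ini").write_text("login=svc\npassword=hunter2\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    notes, counts = hunt(root)
    for p in notes:
        print("ransom note:", p.relative_to(root))
    for name, n in counts.items():
        print(f"{name!r} dropped in {n} directories")
```

Requiring both the hidden-service URL and the credential pair keeps the false-positive rate low on ordinary file shares; loosen it to either signal if you are triaging a host you already believe is compromised.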
Note that Hive also runs a separate leak site, known as “HiveLeaks”. The leak site is not protected by passwords or other access controls, so anyone with the TOR URL can view it. The site features a countdown timer to pressure victims into paying; if the deadline passes, the stolen data is published, completing the double extortion.
Helpdesk and “customer service” function
Hive stands out from other RaaS providers thanks to its distinctive API architecture, customer care and helpdesk capabilities. The helpdesk mimics the live chat that legitimate business sites offer their customers. When the ransom is paid, the criminals release the decryption tool and walk the victim (the “customer”) through the full decryption procedure. Ironically, the operators come across as polite and professional.
Another paradoxical advantage of a good helpdesk is that victims are more likely to pay when they receive “excellent customer service”. Victims are more inclined to pay if they can see that the threat actor can actually decrypt their files. From the victim’s point of view, decryption appears to be guaranteed, whereas with many other operators there is no such assurance even after paying.
It is important to remember that victims are still dealing with cybercriminals. They are difficult to deal with, and it is common for operators to encrypt data, steal the victim’s private information and threaten to publish it online in a double extortion scheme.
How can companies defend their own interests?
As always, basic security hygiene is crucial. Preventive measures including strong passwords, vulnerability management, awareness training and penetration testing are essential to reduce the risk of unauthorised access. RaaS operations will probably keep growing and improving, but businesses can reduce their exposure by identifying and closing their biggest security gaps.