Threat Actor Profile – Hive ransomware group

They provide affiliates with the Hive malware, an affiliate portal, a leak site, and a victim portal, along with support in the negotiation with victims. Some of the most high profile victims of the Hive RaaS include MediaMarkt, Perusahaan Gas Negara, and, more recently, Costa Rica’s public health service.

Here we delve into their advanced RaaS offering and the key elements that made them a success.

The Hive API

Unlike other RaaS operators, Hive provide their RaaS through three main portals (affiliate, victims and data leak site) using an API:

From a functional perspective, it makes a lot of sense to design the product architecture this way, using just one database and cleverly tying the different portals together through API request from that one source. When an affiliate creates a malware sample in the affiliate portal and assigns it to a victim, it automatically generated credentials for the company to access the victim portal.

This centralized approach automates the process by allowing the affiliates to easily add links to the information stolen from the victims in the affiliate portal and perform a double extortion. When those links are added and the victim refuses to pay, the information will be available through the leak site- all in an automatic way.

The use of this API-based system design highlights just how advanced and organized the Hive group is, so much that it has reportedly force other RaaS operations, with more rudimentary tools and portals, out of business.

Affiliate portal

Considered as the main backend of the Hive RaaS, this is where the affiliates manage victims, payouts, exfiltrated information, and create malware bundles. A Group-IB published a detailed report about the affiliate portal, providing valuable insights into how this part of the Hive RaaS works. Couple with Outpost24’s own research, a typical ransomware operation workflow for an affiliate looks like:

1. The affiliate gains access to a victim’s network and/or systems.
2. They study the networks and systems before stealing information.
3. The malware is built using the affiliate portal.
4. They create the company, add general information, and assign the malware build to target company.
5. The affiliate deploys the malware into the target systems.
6. They mark the company as encrypted.
7. The stolen information can be:
   1. Uploaded to services like Mega, Dropbox or Exploit forum
   2. Added to the company profile in the affiliate portal.
8. The company receives the ransomware note and victim portal credentials
9. The affiliate wait until the victim connects to the victim portal and starts negotiating

Leak site

The Hive leak site, dubbed “HiveLeaks”, is hosted in the dark web and has remained stable compared with other leak sites. Any person with access to the TOR URL can access it publicly, as it is not protected by any passwords. To further pressure their victims to pay the ransom, affiliates would publish details of the breach and data stolen and use a countdown to add urgency if payments are not met in time (double extortion).

Victim portal

Once the target systems are infected, a ransomware note will appear to the user. This note will contain the TOR URL of the Hive victim portal, and the login and password that the victim can use to access the portal. These credentials are created when the malware bundle is built and assigned to a company from the affiliate portal.

When a victim logs in, they will see a web page that looks similar to the below:

General information about the victim, created by the affiliate, can be seen on the left, where there is also a space where Hive admins and victims can exchange and share files, and test that the decryption software works. In the middle there is the chat feed where cybercriminals and victims can communicate with each other. On the right, the software to decrypt the encrypted files will appear once the victim has paid the ransomware.

Conversations with Victims

By studying the conversations Hive admins had with victims we can gather insights into how an RaaS operation helpdesk works behind the scenes.

1. Hive administrators as help desks

Hive RaaS is successful and reportedly claiming hundreds of victims from different countries across the group. The kind of interactions admins have with victims replicate the function of a help desk, where cybercriminals (the admin/agent) would guide their victim (the customer) through the decryption process from testing to releasing the files for decryption. A chat conversation captured below shows how Hive administrators deal with their ‘customer’ professionally like a normal helpdesk.

2. Increase likelihood of payout with customer care

Back in the days, some ransomware groups were not decrypting the encrypted files even after the victims have paid. Those incidents deter new victims from paying the ransom as there was no guarantee that their files would be decrypted after the payment. To increase the likelihood of a payout most ransomware groups now are keen to ensure their ‘customers’ get what they paid for – a decryption that works.

The following image clearly shows that RaaS operators and administrators operate with this in mind:

3. Hard negotiators

Some ransomware groups are not effective negotiators and have been known to offer discounts to their victims. However, Hive administrators are far more rigid and difficult to negotiate with, especially when victims play hardball.

4. Triple extortion

It is not uncommon for operators to use double extortion methods, by stealing victims’ confidential information and threatening to publish it on a leak site on top of encryption. Triple extortion goes one step further by looking into this stolen data and using to put even more pressure on the victim. This can include contacting clients to inform them that their data has been stolen and threaten to published if the company doesn’t pay. Another example is that they can review the value of their stock and threaten to contact the Stock Commission with this information.

Bolster cyber hygiene to combat Hive ransomware

Already one of the most prolific RaaS gangs, Hive RaaS success is the result of a streamlined process for affiliates and a well-designed infrastructure and affiliate program, making it easy and quick to deploy malware and professionalize ransomware attacks at industrial scale.

In the future we can expect them to keep growing and improving their tooling, which in turn will provide more threat actors access to the tool to claim more victims and inflate profit margin for Hive.

Given its tactics, organizations must bolster their preventative defensive measure and cyber hygiene such as strong passwords, continuous vulnerability management and pentesting, awareness training (especially against phishing) and real time input of threat intelligence into your security operations to protect themselves against the Hive group and other similar ransomware threats.