As one ransomware gang fades out, another emerges to take its place. Hive ransomware is currently ascending to the throne, and a joint alert from multiple US government agencies advises that it has racked up over $100 million in ransom payments since it first appeared in mid-2021.
The group is a ransomware-as-a-service (RaaS) provider based in Russia that works with numerous affiliates and strikes organizations all over the world. The FBI, CISA and DHS joint report finds that over 1,300 organizations have been impacted as the group becomes one of the biggest criminal service providers of the moment.
Hive ransomware becomes major threat, closing in on historic levels of payment
The most successful ransomware groups have brought in around $100 million annually. The joint report states that Hive has reached that total in about a year and a half, with most of its activity coming in 2022.
Part of the outfit’s success is owed to a varied approach by its affiliates, who use everything from standard email phishing to combing for an assortment of documented vulnerabilities to break into target systems. The core Hive ransomware is also regularly updated, and the group appears to vary its ransom demands to amounts feasible for the target. The affiliates particularly like to prey on poorly secured VPNs used by remote workers, and on unpatched Microsoft Exchange vulnerabilities.
The FBI’s stance on ransom payments is that they are not encouraged, but they are legal (save for sanctioned entities) and should be reported so that the agency can attempt to take action against the perpetrators. Hive ransomware has been deployed on Windows, Linux, VMware ESXi, and FreeBSD systems and the FBI suggests that organizations focus on enhanced logging and monitoring tools as a means of defense.
The success of Hive ransomware also highlights the continuing importance of phishing awareness training, offline data backups and the encryption of any sensitive data that hackers might threaten to dump to the public after an attack.
Busy Hive ransomware group expected to continue to be major threat
Hive has been operating since at least June 2021 and has been brutally efficient in collecting ransom payments as of late, sometimes revisiting the systems of victims that refuse to pay and dumping additional strains on them while they engage in remediation. The group also uses the “double extortion” tactic of leaking stolen data to the public via a dark web site when victims opt not to pay.
The group is among the top three most active in the world, and the FBI has issued a special caution to health care facilities and public health organizations, as the group has shown a predilection for targeting them. The group does appear to respond to ransom payments in at least some cases, but the FBI cautions that there is never a guarantee that making a payment will result in data being decrypted, or that stolen data will not later emerge on the dark web.