The Hive ransomware-as-a-service (RaaS) group has attacked more than 1,300 organizations worldwide and collected roughly $100 million in ransom payments as of November 2022, according to a joint advisory from U.S. cybersecurity authorities. Its victims span many sectors, most notably healthcare and public health, government facilities, and critical manufacturing.

Since it first appeared in June 2021, Hive has followed the usual RaaS division of labor: the core developers build and maintain the ransomware and its infrastructure, while affiliates carry out the intrusions, often buying their way in through initial access brokers (IABs).

Initial access frequently comes from exploiting vulnerable internet-facing systems, in particular the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) in Microsoft Exchange Server. Once inside, the actors typically stop antivirus processes, delete backups and shadow copies, and clear Windows event logs to cover their tracks.

Hive has also rewritten its ransomware in Rust, which makes the payload harder to analyze and to detect with signatures built for the earlier variant. Before encryption starts, the actors are additionally known to remove antivirus definitions, further weakening endpoint defenses during the encryption phase.
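The pre-encryption sequence described in the two paragraphs above (stopping security tooling, deleting backups and shadow copies, removing definitions, clearing event logs) leaves process-creation evidence that can be caught before the encryptor runs. The following is an added example, not code from the original article or from any Hive sample: it runs a handful of rules over constructed process-creation records (the flattened `timestamp|host|user|image|commandline` shape is an assumption for the example, not a real log format) and escalates when one host triggers several distinct rules within a short window. The command-line patterns are assumed-typical for each behavior, not indicators lifted from a specific sample; the ATT&CK technique IDs are the standard ones for these behaviors.

```python
"""Added example: flag the backup-deletion / log-clearing / AV-disabling
sequence that precedes ransomware encryption, then correlate per host.
Not taken from the article or from any Hive sample."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation records (what you would pull from Sysmon
# Event ID 1 or Security 4688), flattened for this example to
# "timestamp|host|user|image|commandline". The first host shows the
# pre-encryption sequence; the second shows benign admin look-alikes.
SAMPLE_EVENTS = r"""
2022-11-17T02:14:05|FS01|CORP\svc_backup|C:\Windows\System32\net.exe|net stop WinDefend
2022-11-17T02:14:09|FS01|CORP\svc_backup|C:\Program Files\Windows Defender\MpCmdRun.exe|MpCmdRun.exe -RemoveDefinitions -All
2022-11-17T02:15:31|FS01|CORP\svc_backup|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2022-11-17T02:15:40|FS01|CORP\svc_backup|C:\Windows\System32\wbem\WMIC.exe|wmic.exe shadowcopy delete
2022-11-17T02:16:02|FS01|CORP\svc_backup|C:\Windows\System32\bcdedit.exe|bcdedit.exe /set {default} recoveryenabled no
2022-11-17T02:16:20|FS01|CORP\svc_backup|C:\Windows\System32\wevtutil.exe|wevtutil.exe cl Security
2022-11-17T02:16:21|FS01|CORP\svc_backup|C:\Windows\System32\wevtutil.exe|wevtutil.exe cl System
2022-11-17T09:30:00|WS042|CORP\jdoe|C:\Windows\System32\vssadmin.exe|vssadmin.exe list shadows
2022-11-17T09:31:12|WS042|CORP\jdoe|C:\Windows\System32\wevtutil.exe|wevtutil.exe qe Application /c:5
"""

# (rule name, ATT&CK technique, pattern). Patterns are assumed-typical
# command lines for each behaviour, not indicators from a specific sample.
RULES = [
    ("clear_event_logs", "T1070.001",
     re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)),
    ("delete_shadow_copies", "T1490",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b"
                r"|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("disable_recovery", "T1490",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("stop_security_service", "T1562.001",
     re.compile(r"\b(?:net(?:\.exe)?\s+stop|sc(?:\.exe)?\s+(?:stop|delete))"
                r"\s+(?:windefend|sense|mssense|msmpeng)\b", re.I)),
    ("remove_av_definitions", "T1562.001",
     re.compile(r"\bmpcmdrun(?:\.exe)?\b.*-removedefinitions\b", re.I)),
]


def parse_events(text):
    """Turn the flattened sample format into dicts with a real timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, image, cmdline = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "image": image, "cmdline": cmdline})
    return events


def match_rules(events):
    """Return one hit per (event, rule) pair whose command line matches."""
    hits = []
    for ev in events:
        for name, technique, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                hits.append({**ev, "rule": name, "technique": technique})
    return hits


def correlate(hits, window=timedelta(minutes=10), min_rules=2):
    """Escalate when one host trips several distinct rules inside `window`.

    A lone `wevtutil cl` or `vssadmin delete shadows` may be an admin;
    stopping Defender, wiping shadow copies, disabling recovery and clearing
    logs within minutes of each other is the pre-encryption sequence.
    """
    by_host = defaultdict(list)
    for h in sorted(hits, key=lambda h: h["ts"]):
        by_host[h["host"]].append(h)
    alerts = []
    for host, hs in by_host.items():
        for i, first in enumerate(hs):
            cluster = [h for h in hs[i:] if h["ts"] - first["ts"] <= window]
            rules = sorted({h["rule"] for h in cluster})
            if len(rules) >= min_rules:
                alerts.append({"host": host, "user": first["user"],
                               "start": first["ts"], "rules": rules,
                               "techniques": sorted({h["technique"] for h in cluster})})
                break  # one alert per host is enough for this example
    return alerts


if __name__ == "__main__":
    for alert in correlate(match_rules(parse_events(SAMPLE_EVENTS))):
        print(f"{alert['start']} {alert['host']} ({alert['user']}): "
              f"{', '.join(alert['rules'])} -> {', '.join(alert['techniques'])}")
```

The single-rule hits are still worth keeping as low-severity signals; the correlation step is what turns them into an actionable alert, and the window and `min_rules` threshold should be tuned against how often legitimate administrators run these commands in your own environment.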

The Cybersecurity and Infrastructure Security Agency (CISA) has also noted that Hive actors have been observed reinfecting victims that restored their networks without paying, using either Hive or another ransomware variant.

Victim counts compiled by cybersecurity firm Malwarebytes show Hive's tempo dropping in the second half of 2022: 26 victims in July, seven in August, 14 in September, and just two in October.

Taken together, these observations underline the risk Hive poses and the need for organizations to harden their defenses accordingly. Mapping the group's known tactics, from initial access through persistence and privilege escalation to defense evasion and impact, onto the MITRE ATT&CK matrix gives defenders a concrete basis for detection and response against ransomware operations of this kind.
