With the average ransomware pay-out expected to reach $541,010 in 2021 and some affiliates earning up to 80% of each ransom payment, it's no wonder that RaaS setups are claimed to assist nearly two-thirds of ransomware operations.
Indeed, service providers, such as Hive, are giving threat actors a head start in their criminal careers.
Hive is a new RaaS group that was discovered in June 2021. However, its aggressive tactics and frequent variation improvements have turned it into a powerful opponent in the space.
While other ransomware operators, like as REvil, dominated news in its first year,
Hive gained prominence in November 2021 by hitting Media Markt, Europe's largest consumer electronics shop.The attack piqued the interest of the RaaS industry, causing the platform's victim count to soon rise into the hundreds, with the bulk of these victims being IT and real estate enterprises in the United States.
How Hive Set Up a "Sales Department"
The Menlo Labs research team examined interactions between the Hive ransomware gang and some of its victims in order to better comprehend this new and formidable RaaS group.
Hive ransomware exploits a variety of attack vectors, including hijacked VPN credentials, weak RDP servers, and phishing emails with a Cobalt Strike payload. The examined programme was highly active, with attackers using the Hive platform putting considerable pressure on their targets.
The Labs team discovered that Hive provides compromised victims a unique identification before encrypting their data, generally during unsociable hours, after reviewing some of the network traffic. Once this is accomplished, information about the victim is released on Hive's dark web data leak sites (DLS).
The victim is then emailed an automatically created ransom letter with a link to the website, login credentials, and a call to action to contact Hive's "sales department."
When the victim logs in, a live chat between the victim and a Hive admin is opened, during which the ransom is sought - generally in the form of Bitcoin - in return for a decryptor, a security report, and a file tree highlighting exactly what was stolen.
Hive was utilising malware written in Golang by its developers at the time the communications were reviewed by the Menlo Labs team, with the samples acquired being obfuscated to prevent detection and analysis.
However, Microsoft has now announced that Hive has produced a new variation that uses a different programming language, switching from Golang to Rust. The migration is expected to give Hive with various benefits that Rust has over other programming languages, including the use of string encryption as a strategy to make it more elusive.
Surprisingly, the new variant will also employ a different cryptographic technique.While the Golang variation embeds one encrypted key in each file it encrypts, the Rust variant has been proven to construct two sets of keys in memory, use them to encrypt the files, and then save the sets to the root of the disc it encrypts, both with the.key extension. While the new variant's key set creation differs from the previous set examined by the Menlo Labs team, its file encryption is remarkably comparable.
With these changes, the Hive danger is projected to grow much more. As a result, enterprises must prepare to battle RaaS and ransomware more extensively in the future.