What Makes the Hive Ransomware Gang That Hacked Costa Rica So Dangerous?

The Hive ransomware gang is among the most active ransomware groups of 2022. This article looks at how the group operates, its TTPs, and ways to mitigate a Hive ransomware attack.

Last Updated: November 18, 2022

The Hive ransomware gang is just over a year old but has already allied with more traditional ransomware groups, emerging as one of the top three most active ransomware groups in July 2022. What makes the cybercriminal syndicate so effective at what they do?

In May 2022, the Hive ransomware gang targeted Costa Rica when the country was reeling from a cyberattack. Only weeks after the Costa Rican president declared an emergency following a ransomware attack by Conti, Hive joined in and crippled the country’s public health service, the Costa Rican Social Security Fund (CCSS).

Cybersecurity experts largely believe Hive allied itself with Conti, which shot itself in the foot by publicly siding with Russia over the Ukraine conflict, leading to the Conti Leaks. Hive wasn’t the only group to do so (others include HelloKitty, AvosLocker, BlackCat, and BlackByte), though it single-handedly managed to take down 800 of 1,500 Costa Rican government-run servers and 9,000 out of 40,000 user terminals.

Other Hive ransomware victims include the largest European consumer electronics retailer MediaMarkt, one of Europe’s largest car dealers, Emil Frey, Indonesian gas giant Perusahaan Gas Negara, U.S.-based healthcare organizations Partnership HealthPlan and Memorial Healthcare System, multiple organizations with vulnerable Microsoft Exchange Servers, construction company Sando, and others.

As of March 2022, Hive’s top-targeted sectors include energy, healthcare, financial, media, and education, in that order. Region-wise, Hive favors organizations in North America and Europe, followed by South America, Asia-Pacific, and the Middle East.

In July 2022, the Hive syndicate was the third-most active ransomware gang, surpassing the likes of ALPHV, CL0P, Karakurt and others. The cybercriminal group has also consistently featured in Malwarebytes Labs’ list of the top ransomware groups that have carried out the most attacks since the start of 2022.

The group has also become one of the top three active ransomware gangs in the Palo Alto Networks Incident Response Report. Analysis by the company’s Unit 42 division revealed that Hive was responsible for 8% of observed ransomware attacks between May 2021 and April 2022, despite only emerging in the second half of 2021.

The ransomware gang traces its origins to June 2021. It registered its first attack in August 2021 and victimized more than 350 organizations over the next four months, a rate of more than two attacks per day. The number has grown considerably since.

As of November 2022, the Hive ransomware gang had earned approximately $100 million in payouts from more than 1,300 victim companies globally, according to FBI data.

Hive Ransomware Group’s Tools, Techniques, and Procedures

Like most major ransomware syndicates, the Hive group has been using the tried-and-tested affiliate-based ransomware-as-a-service (RaaS) model since its inception. The gang has an affiliate portal that acts as a backend for affiliates and members, a leak site (HiveLeaks), and a TOR-based victim portal complete with credentials that victims can use to communicate with their attackers.

Members and affiliates of the group send phishing emails carrying a malicious payload (usually Cobalt Strike), prey on VPN credentials, and search for vulnerable remote desktop protocol (RDP) servers for lateral movement. “Hive is known to exploit malicious phishing email attachments and RDP connections as means of entry to, and movement throughout, a victim’s network,” Dr. Gareth Owenson, CTO and co-founder at Searchlight Security, told Spiceworks.

Once the Hive affiliate compromises the victim network, they “exfiltrate data and encrypt files on the network. The actors leave a ransom note in each affected directory within a victim’s system, which provides instructions on how to purchase the decryption software,” explained the FBI’s IC3 in its advisory for Hive. “The ransom note also threatens to leak exfiltrated victim data on the Tor site, ‘HiveLeaks’.”


What Makes the Hive Ransomware So Dangerous?

Disregard for critical sectors

The Hive ransomware gang’s most significant threat is the systematic targeting of critical infrastructure organizations. For instance, the group targeted as many as 125 healthcare organizations by March 2022.

“Hive gang bragged on its dark web PR site that Partnership HealthPlan of California’s data was encrypted on March 19, ten days prior to their own disclosure of the attack and five days before unspecified issues with Partnership HealthPlan of California’s computer systems were first reported,” Dr. Owenson added.

“The group has demonstrated it’s not above targeting healthcare organizations, counting at least 7 other victims from the sector since it commenced operations in June last year. It is well known that attacks like this can be crippling to a business, whether through massive fines for breaching data regulations or the wider impact on an organization and its operations.”

Running customer service, help desk, and sales departments

The Hive ransomware group operates a portal where its victims are directed to log in using the credentials the attackers drop in one of the files they leave behind after a successful attack. The portal enables a direct chat between the victim organization and the affiliates or site admin.

It is here that the threat actors make their ransom demands (usually the value of 1% of the company’s annual revenue in Bitcoin or any other cryptocurrency), negotiate with the victims, and provide proof that they carried out the attack by either providing sample files or a decryptor for a tiny subset of encrypted files.

[Image: Hive Ransomware’s Victim Portal | Source: Cisco Talos Intelligence]

The unknown admin also guides the victim through the entire decryption process once a ransom is paid. This method has improved the group’s chances of a successful payday.

Evolving capabilities

The Hive strain received an upgrade as recently as July 2022, according to the Microsoft Threat Intelligence Center (MSTIC). Researchers at the Windows-maker noted that Hive followed BlackCat’s lead and migrated its malware code from Go to Rust in July 2022.

Microsoft noted that Rust offers memory, data-type, and thread safety, deep control over low-level resources, a user-friendly syntax, access to a variety of cryptographic libraries, and is relatively more difficult to reverse-engineer.

The July update also includes string encryption and a more complicated encryption scheme that leverages Elliptic Curve Diffie-Hellman (ECDH) with Curve25519 and XChaCha20-Poly1305 (authenticated encryption built on the ChaCha20 stream cipher).

MSTIC explained, “Instead of embedding an encrypted key in each file that it encrypts, it generates two sets of keys in memory, uses them to encrypt files, and then encrypts and writes the sets to the root of the drive it encrypts, both with .key extension.”

“To indicate which key set was used to encrypt a file, the name of the .key file containing the corresponding encryption keys is added to the name of the encrypted file on disk, followed by an underscore and then a Base64 string (also adding underscore and hyphen to the character set). Once it’s Base64-decoded, the string contains two offsets, with each offset pointing to a different location in the corresponding .key file. This way, the attacker can decrypt the file using these offsets.”

These .key files are also referenced in the Hive ransomware note to denote the username and password to the portal, as opposed to the previously used method of embedding this data directly.
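The naming scheme MSTIC describes is useful to an incident responder during triage: the renamed files tell you which key set each file depends on, and therefore which .key file must be recovered for that file to be restorable at all. The following Python helper is an added example written for this article, not code from Microsoft’s report or from the malware. It assumes a name layout of `<original name>.<key-set id>.key_<token>`, a URL-safe Base64 token (the hyphen and underscore MSTIC mentions), and two little-endian 32-bit offsets in the decoded token; the sample filenames are constructed, not real Hive artifacts.

```python
import base64
import binascii
import re
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Assumed layout of a Hive-style encrypted filename, following the MSTIC description
# quoted above: <original name>.<key-set id>.key_<token>. The separators, the minimum
# length of the key-set id and the token encoding are assumptions made for this example.
HIVE_NAME_RE = re.compile(
    r"^(?P<original>.+?)\.(?P<keyset>[A-Za-z0-9_-]{8,})\.key_(?P<token>[A-Za-z0-9+/_=-]+)$"
)


@dataclass(frozen=True)
class HiveNameInfo:
    original: str   # filename before the ransomware renamed it
    keyfile: str    # the .key file that holds this file's key set
    offset_a: int   # first offset into the .key file
    offset_b: int   # second offset into the .key file


def encode_offsets(offset_a: int, offset_b: int) -> str:
    """Build a token for two offsets. Used here only to construct sample names."""
    raw = struct.pack("<II", offset_a, offset_b)
    return base64.urlsafe_b64encode(raw).decode("ascii")


def decode_offsets(token: str) -> tuple[int, int]:
    """Decode the token into two offsets.

    Assumptions: URL-safe Base64 (the '-' and '_' added to the alphabet),
    optional padding, and two little-endian unsigned 32-bit integers.
    """
    padded = token + "=" * (-len(token) % 4)
    raw = base64.urlsafe_b64decode(padded)
    if len(raw) < 8:
        raise ValueError("token too short to hold two 32-bit offsets")
    offset_a, offset_b = struct.unpack("<II", raw[:8])
    return offset_a, offset_b


def parse_hive_name(filename: str) -> Optional[HiveNameInfo]:
    """Return the parsed parts of a Hive-style name, or None if it does not match."""
    m = HIVE_NAME_RE.match(filename)
    if m is None:
        return None
    try:
        offset_a, offset_b = decode_offsets(m["token"])
    except (ValueError, binascii.Error):
        return None
    return HiveNameInfo(m["original"], m["keyset"] + ".key", offset_a, offset_b)


def triage_listing(filenames: list[str]) -> dict[str, int]:
    """Count encrypted files per referenced .key file.

    A key file referenced by many files but missing from the drive root means
    those files cannot be restored even if the other key file is recovered.
    """
    counts: Counter[str] = Counter()
    for name in filenames:
        info = parse_hive_name(name)
        if info is not None:
            counts[info.keyfile] += 1
    return dict(counts)


# Constructed sample listing (not real Hive artifacts): two files renamed against one
# key set, one against another, plus untouched files and the key files themselves.
SAMPLE_LISTING = [
    "report.docx.kA7fQ2xL9mZ0pQ3r.key_" + encode_offsets(4096, 8192),
    "budget.xlsx.kA7fQ2xL9mZ0pQ3r.key_" + encode_offsets(100, 212),
    "photo.jpg.Zz91mNbVcXqW2e4T.key_" + encode_offsets(0, 64),
    "kA7fQ2xL9mZ0pQ3r.key",
    "Zz91mNbVcXqW2e4T.key",
    "readme.txt",
]

if __name__ == "__main__":
    for name in SAMPLE_LISTING:
        print(name, "->", parse_hive_name(name))
    print(triage_listing(SAMPLE_LISTING))
```

Run against a real directory listing, the per-key-file counts tell you immediately whether the .key files at the drive root cover every renamed file, which is the first question a recovery effort has to answer before any decryptor is worth discussing.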

The Hive strain made strides amongst ransomware families when it introduced Linux and FreeBSD encryption capabilities in October 2021. At the time, ESET, which discovered these capabilities, clarified that the Linux variant of Hive ransomware was functionally inadequate compared to its Windows variant.

However, it goes to show that the developers of Hive are trying to expand their target base with a Linux variant, a feat achieved only by a handful of ransomware gangs, including Cheerscrypt, HelloKitty, BlackMatter, REvil, Babuk, DarkSide (rebranded to BlackMatter), and a few others.


Triple extortion

While double extortion, i.e., exfiltrating data before encrypting it on the victim’s systems and networks, has become the norm since mid-2019, the Hive ransomware gang is known to go a notch beyond.

Exfiltrating confidential data gives ransomware gangs the added leverage of threatening to leak it online unless the ransom demand is met. However, rarely has any ransomware group combed through this stolen data to find additional weaknesses in the victim’s business, its customers, or its trade secrets.

Using sensitive information plucked out of stolen data, the Hive ransomware gang has threatened to contact victims’ partners and customers, and to disclose the financial data of public companies either publicly or to the Securities and Exchange Commission.

Association with Conti

AdvIntel has reason to believe that Hive’s affiliates are still loyal to the Conti ransomware group, now disbanded but one of the most prolific ransomware gangs, for two reasons:

  1. To help the Russia-based Conti bypass international sanctions imposed on it
  2. To continue using the coveted Conti strain

Other prominent members of the alliance include AlphV/BlackCat, HelloKitty/FiveHands, AvosLocker, Karakurt, BlackBasta, and BlackByte, the latter three being cyber extortionists and not full-blown ransomware groups.

AdvIntel noted this coalition is part of Conti’s plan to adopt a new network organizational structure, which is “more horizontal and decentralized than the previously rigid Conti hierarchy.”

Mitigating the Risk of a Hive Ransomware Attack

We spoke to Roger Grimes, a data-driven defense evangelist at phishing simulation testing and cybersecurity awareness company KnowBe4. Grimes said, “I don’t think Hive is doing anything unique that other ransomware gangs haven’t done. But the most important focus is on how to prevent Hive ransomware, and really, how to prevent all malware and hacker attacks.”

Grimes outlined the “four best things” organizations must do to prevent malware attacks. These are:

  • Upholding the security fabric is a collective effort. Organizations should “better focus on preventing social engineering, using a best defense-in-depth combination of policies, technical defenses, and education.” After all, human errors were responsible for 82% of data breaches, according to Verizon’s 2022 Data Breach Investigations Report.
  • Patch up before the bugs catch up! Regularly track and keep up with CISA’s Known Exploited Vulnerability Catalog to identify weaknesses. Hive is famously seeking targets using vulnerable Exchange Servers.
  • Grimes advises using phishing-resistant multi-factor authentication (MFA).
  • Use different passwords for every website and online service where MFA cannot be used.

“There are no other defenses, besides these four, that would have the most impact on decreasing cybersecurity risk,” Grimes concluded.



Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis
