Navigating the World of RaaS: A Dive Into the Hive Ransomware Group as a Business

A deep dive into the world of RaaS and how services like Hive work.

November 23, 2022

When you think about ransomware groups on the dark web, you probably don’t think about how good their ‘tech stack’ or ‘customer service’ is, or about the business model they’re using. The Hive ransomware gang is currently one of the most powerful and dangerous ransomware groups operating on the dark web, and, no doubt, this is partly due to their unique business model. Jose Miguel Esparza, head of threat intelligence at Outpost24, takes us through an in-depth analysis of how the Hive ransomware operation functions as a business.

Hive is a ransomware as a service (RaaS) provider first identified in June 2021. Despite being a relatively new group, their ever-evolving malware variants and aggressive tactics have made them one of the most successful RaaS operations of their time. Reportedly, the success of the Hive group is so great that it has forced other RaaS operations, with less sophisticated tools and portals, out of business. But what makes them so successful as a criminal ‘business’? Some may say their advanced ransomware kit, API-based portal, and negotiation techniques.

The Hive Application Programming Interface (API) System

What sets the Hive group apart from other RaaS providers is the use of a modern API. Using an API connector makes sense when thinking about designing the architecture of a RaaS. By using one database and combining the different portals through API requests from a single source, threat actors can extort victims very easily and, crucially, efficiently. It also shows how sophisticated and organized the gang is. This unique system is divided into three main portals: affiliate, victim, and data leak site.

When the Hive RaaS is bought, an affiliate can create a malware sample within the affiliate portal and assign it to a victim company. At this point, credentials are generated for that company to access the victim portal. The whole process is streamlined and automated through this centralized approach. It also allows links to stolen information to be easily added to the company’s record in the affiliate portal, which is then used to pressure victims into falling for double extortion tactics. But what happens when a victim refuses to pay? The platform automatically sends the information to a leak site. Effectively, an affiliate can create a sample, extort a victim, and leak their information all in one platform.


Examining Each Portal of the API

It is worth further examining the unique and important role that each portal plays in the API system, because by perfecting their API, the group can set themselves apart from the ‘competition.’ This robust system is a large part of why the group can run such a successful RaaS business.

The affiliate portal

The affiliate portal is the least ‘glamorous’ part of the operation – but arguably the most important. It is the main backend of the Hive RaaS system and is where affiliates manage and orchestrate the overarching operation. Here affiliates can create malware bundles, manage pay-outs, see current and future victims, and view exfiltrated information.

There are approximately nine steps for an affiliate in a typical ransomware execution, most of which must be fulfilled to complete a campaign successfully using the Hive portal. First, the affiliate must gain access to a victim’s network and/or system. Here, some research has to be done before stealing any information. The research gathered within the victim’s network helps the threat actor craft a unique malware build to target the company in the most devastating and rewarding way possible (the build can also be set up in the portal, for administration and efficiency). Then, the affiliate can finally deploy the malware.

Once a company has been targeted, the system can be used to flag the victim’s file in the portal as encrypted. The stolen information can then be uploaded to other services like Dropbox or the Exploit forum and/or added to the company’s file in the affiliate portal. At this point, the company receives the ransom note and its credentials for the victim portal. Then, the negotiations can begin.

The victim portal

The victim portal itself doesn’t look very intimidating. When the portal is accessed, general information about the victim can be seen on the left. There are prompts to contact ‘the sales department’ to unlock decryption services and a live chat feature in the center of the page. On the right-hand side, the decryption software appears once the ransom is paid. The portal appears user-friendly, with easy access to a live chat, and is colored in not-so-intimidating shades of orange and blue. The interface itself is not too dissimilar from what you might find on the website of a legitimate business, that is, until you start reading the ransom note.

When a victim’s system has been successfully infected, a ransom note appears to the user containing the TOR URL of the Hive victim portal. The victim is also given a login and password to access said portal. Owing again to the efficiency of the API, these credentials are created when the company is added to the affiliate portal, right at the beginning of the process.
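The fact that the note hands the victim a Tor URL plus a login and password gives defenders something concrete to look for on endpoints and file shares. The following is an added example, not code from the article or from Outpost24, of a simple heuristic scanner that scores text files on exactly those traits: a `.onion` URL, a credential prompt, and a few extortion keywords. The scoring weights, the threshold, the file names and every sample note are assumptions constructed for this illustration; they are not Hive indicators taken from the page.

```python
"""Heuristic ransom-note scanner (added example; all samples are constructed)."""
import re
from dataclasses import dataclass, field

# Tor hidden-service hostnames are base32 (a-z, 2-7): 16 chars for v2, 56 for v3.
ONION_URL = re.compile(r"\bhttps?://[a-z2-7]{16,56}\.onion\b", re.IGNORECASE)
# "login: ..." / "password=..." style prompts, as used to hand out portal access.
CREDENTIAL = re.compile(r"\b(login|username|password)\b\s*[:=]", re.IGNORECASE)
# Extortion vocabulary; each hit adds one point, capped at three.
KEYWORDS = ("encrypted", "decrypt", "ransom", "sales department", "leak")


@dataclass
class Finding:
    path: str
    score: int
    onion_urls: list = field(default_factory=list)
    has_credentials: bool = False
    keywords: list = field(default_factory=list)


def score_note(path: str, text: str) -> Finding:
    """Score one file: +3 for an .onion URL, +2 for a credential prompt, +1 per keyword (max 3)."""
    onion_urls = sorted({m.group(0) for m in ONION_URL.finditer(text)})
    has_credentials = CREDENTIAL.search(text) is not None
    lowered = text.lower()
    keywords = [k for k in KEYWORDS if k in lowered]
    score = (3 if onion_urls else 0) + (2 if has_credentials else 0) + min(len(keywords), 3)
    return Finding(path, score, onion_urls, has_credentials, keywords)


def scan(files: dict, threshold: int = 5) -> list:
    """Return findings at or above the threshold, highest score first.

    `files` maps a path to the file's text; in a real deployment this would be
    filled from a walk over user profiles and shares (assumed, not shown here).
    """
    findings = [score_note(path, text) for path, text in files.items()]
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)


# Constructed sample inputs: one fake note and two benign documents.
SAMPLE_FILES = {
    "C:/Users/alice/Desktop/RESTORE_FILES_NOTE.txt": (
        "Your network has been penetrated. All files have been encrypted.\n"
        "To decrypt your files, contact our sales department at the portal:\n"
        "http://examplevictimportalexample.onion\n"
        "login: victim-corp\n"
        "password: Constructed-Example-Pass\n"
        "If you do not pay, your data will be leaked.\n"
    ),
    "C:/it/password-reset.txt": (
        "Password reset procedure: open the helpdesk portal at "
        "https://helpdesk.example.com and choose Reset password.\n"
        "Username: your corporate email. Backups are encrypted at rest.\n"
    ),
    "C:/src/README.txt": "Build instructions: run make, then make test.\n",
}

if __name__ == "__main__":
    for finding in scan(SAMPLE_FILES):
        print(f"{finding.score:2d}  {finding.path}  urls={finding.onion_urls}")
```

The benign IT document scores points for its credential prompt and the word “encrypted”, but without a Tor URL it stays under the threshold; requiring the combination of traits rather than any single one is what keeps the false-positive rate tolerable on real file shares.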

Leak site 

It is worth noting that the Hive group also has its own leak site. It is named “HiveLeaks” and is hosted on the dark web. Anyone with the TOR URL can access the leak site, which is not protected by passwords or similar measures. The site has a ‘countdown’ feature to pressure victims into paying the ransom, leading to double extortion if demands are not met on time.


The “Customer Service” and Helpdesk Function

Alongside their unique API system, having customer service and helpdesk facilities makes the Hive ransomware group stand out from other RaaS providers. The helpdesk feature replicates the live chat interaction between customer and business that legitimate business sites might choose to offer. The cybercriminal (acting as admin/agent) guides their victim (the customer) through the entire decryption process, from testing to releasing the files for decryption once the ransom is paid. The admins appear professional and, ironically, friendly.

Another rather ironic perk of having a decent helpdesk function is that with ‘good customer service,’ there’s an increased likelihood of a victim paying out. If a victim can see that the threat actor has the capability to decrypt their files successfully, they’re more likely to pay up. From a victim’s perspective, it feels as though there’s a guarantee of decryption to retrieve their data, one that, with many other services, cannot be counted on, even after paying.

It is worth not losing sight of the fact that these are, of course, cybercriminals that victims are dealing with. They are not easy to negotiate with, and it is not uncommon for operators to use double extortion techniques to steal victims’ confidential information, threaten to leak information online, and encrypt files. 

How Can Businesses Protect Themselves? 

As always, it is important to practice good cyber hygiene. Preventative measures such as strong passwords, pentesting, awareness training, and vulnerability management are key to mitigating initial access risk. RaaS providers will likely continue to grow and become more sophisticated. However, businesses can minimize their risk of being attacked by knowing where their biggest security gaps are and fixing them accordingly. 

Have you ever used RaaS? Tell us about your considerations on Facebook, Twitter, and LinkedIn.


Jose Miguel Esparza

Head of Threat Intelligence, Outpost24

Jose Miguel Esparza has been analysing internet threats since 2007 and has a background in analysis of banking malware, exploit kits, and vulnerabilities, as well as experience designing and building malware labs from scratch. He is focused on gathering threat intelligence from actors and botnets, analysing new malware, and protecting new customers from them. This is a passion he’s carried into his role as Head of Threat Intelligence at Outpost24.