Ransomware like Hive: a model of a modern, efficient business
The Hive ransomware operation, which extorted more than $100 million from more than 1,500 victims worldwide before the US Justice Department shut it down on Thursday, shows how hacking has evolved into a highly efficient, specialized industry in which almost anyone can become a cyber-shakedown artist.
Cybersecurity experts call Hive’s business model “ransomware as a service,” or RaaS: a group that leases its ransomware software and playbook to others, who use them to carry out extortion.
The model sits at the center of a larger ransomware ecosystem in which each actor specializes in a single skill or function to be as efficient as possible.
According to Ariel Ropek, director of cyber threat intelligence at the cybersecurity firm Avertium, this division of labor lets criminals with limited computer skills simply pay others for the expertise they lack.
Regarding RaaS operations, Ropek stated, “There are quite a few of them.”
He stated, “It is really a business model these days.”
How it works: On the so-called dark web, vendors of ransomware tools and support services openly advertise their products.
At one end of the chain are the initial access brokers, who specialize in breaking into institutional or corporate computer networks.
They then sell that access to the hacker who will actually run the attack, known as the ransomware operator.
The operator in turn depends on RaaS developers like Hive, who have the programming expertise to build the malware that carries out the attack and evades the target’s security controls.
Once the operator deploys the malware inside the target’s IT systems, it typically encrypts the target’s data and files, locking the organization out of them.
The malware also copies that data back to the operator, giving the attackers a second lever: the stolen files themselves.
Ropek said that RaaS developers like Hive provide operators with a full-service package in exchange for a substantial cut of each ransom.
He stated, “Their objective is to make the ransomware operation as turnkey as possible.”
Polite but firm
Once the ransomware is planted and activated, a note tells the target how to contact the attacker and how much they must pay to unlock their data.
That ransom can range from a few hundred dollars to many millions, usually scaled to what the attackers believe the target can pay.
The target eventually tries to negotiate through the attacker’s victim portal. They rarely get very far.
Last year the cybersecurity firm Menlo Security published a conversation between a target and Hive’s “Sales Department” that took place on Hive’s dedicated victim portal.
In it, the Hive operator offered to use a test file to demonstrate that the decryption would work.
When the target repeatedly offered only a fraction of the $200,000 demanded, the Hive operator was firm and insisted that the target could afford the full amount.
The Hive agent eventually relented and offered a substantial discount, but refused to go any lower.
“It costs $50,000. It is final. What more can I say?” the Hive agent wrote.
The RaaS developers also have a backup plan in case the target organization refuses to pay: they threaten to sell the stolen confidential files or publish them online.
To make the data available, Hive operated its own website, HiveLeaks.
According to Ropek, there are also specialized services on the back end of the deal to collect the money and make sure each participant receives their share of the ransom.
Other services, known as cryptocurrency tumblers, launder the ransom so the hacker can spend it above ground.
Thursday’s action against Hive dealt the RaaS industry only a minor blow.
Numerous other ransomware specialists operate much as Hive did.
The most significant threat at the moment is LockBit, which attacked a Canadian children’s hospital in December and Britain’s Royal Mail in early January.
The Justice Department said in November that LockBit had been deployed against at least 1,000 victims, who had paid tens of millions of dollars in ransom.
Nor would it be hard for Hive’s operators to restart.
The process of setting up new servers and creating new encryption keys is relatively straightforward. Ropek stated, “Usually there is some kind of rebranding.”