According to security researchers who gathered data from Hive’s administrator panel, affiliates of the well-known ransomware group managed to breach over 350 organizations in only 4 months. This means that the number of the average attacks raised to 3 companies attacked per day, starting in June when the gang’s operation was widely revealed. It is known that Hive ransomware emerged on the 23rd of June with its first publicly known cyberattack. At that time, the gang attacked the Canadian IT company Altus Group. In the beginning, it was not clear if the Hive ransomware gang worked as a ransomware as a service (RaaS) business model, according to an analysis by Group-IB researchers on this cybercrime group. In early September, however, a user under the nickname “kkk” gave a reply on a thread from “reputable” ransomware programs saying that they are in search of partners to join them, partners who already own access to corporate networks. The message under the discussion also gave details about how the ransom would be split, as 80% would have been for affiliates and the rest for the developers. The researchers managed to capture a self-destructing note where technical data was provided in relation to the file-encrypting malware. Upon review, they managed to identify that the RaaS operation the user was advertising for was indeed related to Hive ransomware
Ransomware remains one of the categories of eCrime that causes the most financial loss to businesses. It is important to take measures to prevent attackers from getting an initial foothold onto networks. Train users on spotting and reporting phishing emails, don’t expose Remote Desktop (RDP) to the public Internet, use multi-factor authentication (MFA) on external access points, and have good endpoint detection using an EDR with alerts triaged by a SOC or a service like Binary Defense. It is also important to have multiple backups, including off site backups, and a rigorous incident response plan to get services back up and running quickly if ransomware does succeed in encrypting files on the network. However, since ransomware criminals often exfiltrate proprietary data to be used to extort victims by posting it on their leak sites on the dark web, it is crucial to make every effort to prevent a ransomware incident from occurring in the first place.