Hive Ransomware extorted over $100M in ransom payments from over 1,300 companies

Hive ransomware operators have extorted over $100 million in ransom payments from over 1,300 companies worldwide as of November 2022.

The threat actors behind the Hive ransomware-as-a-service (RaaS) have extorted $100 million in ransom payments from over 1,300 companies worldwide as of November 2022, reported the U.S. cybersecurity and intelligence authorities.

“As of November 2022, Hive ransomware actors have victimized over 1,300 companies worldwide, receiving approximately US$100 million in ransom payments” reads the alert published by CISA.

The authorities reported that from June 2021 through at least November 2022, threat actors employed the Hive ransomware in attacks aimed at a wide range of businesses and critical infrastructure sectors, including Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health (HPH).

The Hive ransomware operation has been active since June 2021, it provides Ransomware-as-a-Service Hive and adopts a double-extortion model threatening to publish data stolen from the victims on their leak site (HiveLeaks). In April 2021, the Federal Bureau of Investigation (FBI) released a flash alert on the Hive ransomware attacks that includes technical details and indicators of compromise associated with the operations of the gang. According to a report published by blockchain analytics company Chainalysis, the Hive ransomware is one of the top 10 ransomware strains by revenue in 2021. The group used various attack methods, including malspam campaigns, vulnerable RDP servers, and compromised VPN credentials.

In June, The Microsoft Threat Intelligence Center (MSTIC) researchers discovered the new variant, while analyzing a new technique used by the ransomware for dropping .key files.

The main difference between the new variant of the Hive malware is related to the programming language used by the operators. The old variants were written in the Go language, while the new Hive variant is written in Rust.

The alert points out that the technique of the initial intrusion depends on which affiliate targets the network. The threat actors were observed gaining initial access to victim networks by using single-factor logins via Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote network connection protocols. In some attacks the group was able to bypass multifactor authentication (MFA) and gained access to FortiOS servers by exploiting the CVE-2020-12812 vulnerability.

The threat actors also gained initial access to victim networks via phishing attacks delivering weaponized documents and by exploiting the following flaws in Microsoft Exchange servers:

• CVE-2021-31207 – Microsoft Exchange Server Security Feature Bypass Vulnerability
• CVE-2021-34473 – Microsoft Exchange Server Remote Code Execution Vulnerability
• CVE-2021-34523 – Microsoft Exchange Server Privilege Escalation Vulnerability

Government experts also warn that Hive operators have been known to reinfect the victim’s networks with either Hive ransomware or another ransomware variant.

The alert includes Indicators of Compromise (IoC), MITRE ATT&CK TECHNIQUES, and mitigations.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Hive)

[adrotate banner=”5″]

[adrotate banner=”13″]