NEW Phishing Attack hits Indeed.com
Most Searched
Traditional security approaches are flawed, costly, and overwhelming for security teams. Menlo Security is different. It’s the simplest, most definitive way to secure work—making online threats irrelevant to your users and your business.
Video
Our platform invisibly protects users wherever they go online. So threats are history and the alert storm is over.
eBook
Traditional network security wasn’t built to address today’s complex enterprise environments. SASE fixes that problem.
Menlo Labs provides insights, expertise, context and tools to aid customers on their journey to connect, communicate and collaborate securely without compromise. The collective is made up of elite security researchers that put a spotlight on the threats you know and don’t know about.
Buyer's Guide
Menlo Labs provides insights, expertise, context and tools to aid customers on their journey to connect, communicate and collaborate securely without compromise.
Menlo Labs | Jun 07, 2022
Share this article
The Menlo Labs research team recently analyzed communications between the Hive ransomware gang and a few of their victims. Hive is a relatively new ransomware-as-a-service (RaaS) group, and while it may be their first year in business, their aggressive tactics have made them a formidable adversary in the space.
Hive first appeared in June 2021. While the majority of that year was dominated by larger ransomware operators, such as REvil, Hive stepped up in November 2021 by attacking Europe’s largest consumer electronics retailer, Media Markt. Since then, the victim count of Hive’s ransomware attacks has surged into the hundreds, despite the fact that the affiliate program has been active less than a year. A majority of the organizations that have fallen victim to Hive are from the United States, mainly in IT and real estate.
This RaaS program is one of the more aggressive ones, with Hive operators using urgent methods of pressure on the target organizations. Hive resorts to various initial compromise methods: vulnerable RDP servers, compromised VPN credentials, as well as phishing emails with malicious attachments that have a Cobalt Strike payload.
While examining some of the network activity after logging in, we noticed that victims are assigned a unique identifier after being compromised. Once compromised, the target’s data is encrypted, often during nonworking hours or the weekend.
After encryption, the information about the target is listed on Hive’s data leak sites (DLS) hosted on the deep web. A ransom note containing a link to a website, login and password information, as well as instructions to contact Hive’s “sales department” is automatically generated. Upon login, a live chat begins between the victim and the Hive admin, and a ransom is demanded — usually in the form of Bitcoin — in order for the victim to receive the decryptor and a guide on how to use it. Once the ransom is paid, the victim receives the decryptor, a security report, a file tree describing all of the stolen data, and the logs proving that the stolen information has been erased from Hive servers.
Hive developers wrote their malware using the Go (Golang) language. To hinder detection and analysis, Hive samples written in Go are obfuscated. One aspect that sets Hive apart from other threat actors is that the RaaS operation does not write its metadata directly in the encrypted file. This is because of complications that could happen in the file recovery process, since the OS will likely rewrite data in the same clusters. In addition, Hive creates a unique key that is eventually encrypted and written into disk, thus making the decryption process irreversible if this file is deleted by accident.
The following screenshots show a chat conversation between a victim and Hive’s sales department.
The victim is asking for the price of the decryption software and proof that it will work. The victim then proceeds to try to haggle about the price, which the Hive representative respectfully declines.
Hive gives their price and then the victim asks for a few of the encrypted files, along with the key that is needed for the decryption. The files are decrypted and sent to the victim as proof.
It is evident that there is more than one person who works the live chat, based on screenshots of different greetings and the tone of the conversations.
Ransomware operations don’t appear to be slowing. Menlo Labs will continue to monitor these ransomware groups to protect the community.
Posted by Menlo Labs on Jun 07, 2022
Tagged with Awareness, Menlo Labs, Threat Trends
Threat Trends & Research
To talk to a Menlo Security expert, please complete the form.