Jive in the Hive: Conversations with a ransomware gang

Executive Summary

The Menlo Labs research team recently analyzed communications between the Hive ransomware gang and a few of their victims. Hive is a relatively new ransomware-as-a-service (RaaS) group, and while it may be their first year in business, their aggressive tactics have made them a formidable adversary in the space.

Hive first appeared in June 2021. While the majority of that year was dominated by larger ransomware operators, such as REvil, Hive stepped up in November 2021 by attacking Europe’s largest consumer electronics retailer, Media Markt. Since then, the victim count of Hive’s ransomware attacks has surged into the hundreds, despite the fact that the affiliate program has been active less than a year. A majority of the organizations that have fallen victim to Hive are from the United States, mainly in IT and real estate.

This RaaS program is one of the more aggressive ones, with Hive operators using urgent methods of pressure on the target organizations. Hive resorts to various initial compromise methods: vulnerable RDP servers, compromised VPN credentials, as well as phishing emails with malicious attachments that have a Cobalt Strike payload.

While examining some of the network activity after logging in, we noticed that victims are assigned a unique identifier after being compromised. Once compromised, the target’s data is encrypted, often during nonworking hours or the weekend.

After encryption, the information about the target is listed on Hive’s data leak sites (DLS) hosted on the deep web. A ransom note containing a link to a website, login and password information, as well as instructions to contact Hive’s “sales department” is automatically generated. Upon login, a live chat begins between the victim and the Hive admin, and a ransom is demanded — usually in the form of Bitcoin — in order for the victim to receive the decryptor and a guide on how to use it. Once the ransom is paid, the victim receives the decryptor, a security report, a file tree describing all of the stolen data, and the logs proving that the stolen information has been erased from Hive servers.

Hive developers wrote their malware using the Go (Golang) language. To hinder detection and analysis, Hive samples written in Go are obfuscated. One aspect that sets Hive apart from other threat actors is that the RaaS operation does not write its metadata directly in the encrypted file. This is because of complications that could happen in the file recovery process, since the OS will likely rewrite data in the same clusters. In addition, Hive creates a unique key that is eventually encrypted and written into disk, thus making the decryption process irreversible if this file is deleted by accident.

The following screenshots show a chat conversation between a victim and Hive’s sales department.

The victim is asking for the price of the decryption software and proof that it will work. The victim then proceeds to try to haggle about the price, which the Hive representative respectfully declines.

Hive gives their price and then the victim asks for a few of the encrypted files, along with the key that is needed for the decryption. The files are decrypted and sent to the victim as proof.

It is evident that there is more than one person who works the live chat, based on screenshots of different greetings and the tone of the conversations.

Conclusion

Ransomware operations don’t appear to be slowing. Menlo Labs will continue to monitor these ransomware groups to protect the community.