Law enforcement recently disrupted the Hive cybercriminal group, which ran a ransomware-as-a-service (RaaS) operation. Hive is believed to have ties to the Conti ransomware group, and its affiliates drew on a wide range of tactics and techniques to carry out intrusions. The case offers useful insight into current RaaS trends, the role of cryptocurrency in extortion, and what actually works in defending against groups of this kind.
Like other RaaS providers, Hive developed a ransomware encryptor and set up a Dark Web leak site. It advertised on underground forums to recruit affiliates, who obtained access to the platform, configured their own payloads, carried out the intrusions, and collected the extortion payments. RaaS operators take a cut of each ransom, typically somewhere between a 75/25 and an 85/15 split in the affiliate's favour. In Hive's case the split was 80/20: the affiliate kept 80 percent and the operators took 20.
Cryptocurrency remains the preferred payment method for ransomware operators because it is borderless and settles within minutes. Funds can be moved anywhere in the world under a pseudonymous address, with no bank approval and no currency conversion at the point of payment. Most tokens also track the price of Bitcoin (BTC): when BTC rises or falls, the rest of the market tends to follow, so operators simply re-price their demands in tokens against the current exchange rate while keeping the intended fiat value roughly constant.
Although most cryptocurrency transactions are traceable on-chain, many ransomware groups operate from countries whose governments tolerate their activity as long as the victims are elsewhere. Some Eastern European and Russian operators go further and build a kill switch into the malware itself: rather than geolocating the victim by IP address, the code inspects the system language settings and installed keyboard layouts and terminates without encrypting if it finds one belonging to a country in the Commonwealth of Independent States (CIS). That impunity at home is what lets these operators attack foreign targets without fear of arrest.
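What that kill switch looks like in practice, as an added example that is not Hive's code or any other family's: it decodes Windows keyboard-layout handles (HKLs) and the default UI language into language IDs and aborts if any is a CIS-country language. The set of languages is an assumption for illustration (real samples vary), and the sample HKL values are constructed; on Windows the script reads the real settings via the same two API calls such samples import, which is also what an analyst looks for when triaging a binary.

```python
"""Emulation of the locale kill switch: decode Windows keyboard-layout
handles (HKLs) and the default UI language into LANGIDs and abort when
any belongs to a CIS-country language. Added illustration of the
technique, not code from Hive or any other ransomware family."""
import ctypes
import sys

# Primary language IDs (low 10 bits of a Windows LANGID) for CIS-country
# languages. Assumed list for illustration; real samples differ in which
# languages they include.
CIS_PRIMARY_LANGS = {
    0x19: "Russian", 0x23: "Belarusian", 0x3F: "Kazakh", 0x43: "Uzbek",
    0x28: "Tajik", 0x40: "Kyrgyz", 0x42: "Turkmen", 0x2B: "Armenian",
    0x2C: "Azerbaijani", 0x44: "Tatar",
}

def langid_from_hkl(hkl: int) -> int:
    """The low 16 bits of an HKL hold the input language (a LANGID)."""
    return hkl & 0xFFFF

def primary_language(langid: int) -> int:
    """LANGID = sublanguage (high 6 bits) | primary language (low 10 bits)."""
    return langid & 0x3FF

def cis_languages(hkls, default_langid):
    """Names of CIS languages found among the layouts or the UI language."""
    found = []
    for langid in [langid_from_hkl(h) for h in hkls] + [default_langid]:
        name = CIS_PRIMARY_LANGS.get(primary_language(langid))
        if name and name not in found:
            found.append(name)
    return found

def should_abort(hkls, default_langid) -> bool:
    """True when the kill switch would fire on a machine with these settings."""
    return bool(cis_languages(hkls, default_langid))

def read_host_settings():
    """Windows only: the two API calls the real checks typically use."""
    user32 = ctypes.WinDLL("user32")
    kernel32 = ctypes.WinDLL("kernel32")
    n = user32.GetKeyboardLayoutList(0, None)
    buf = (ctypes.c_void_p * n)()
    user32.GetKeyboardLayoutList(n, buf)
    return [h or 0 for h in buf], kernel32.GetUserDefaultUILanguage()

if __name__ == "__main__":
    if sys.platform == "win32":
        hkls, default_langid = read_host_settings()
    else:
        # Constructed sample: en-US plus ru-RU layouts, en-US UI language.
        hkls, default_langid = [0x04090409, 0x04190419], 0x0409
    print("CIS languages found:", cis_languages(hkls, default_langid))
    print("kill switch fires:", should_abort(hkls, default_langid))
```

Because the check only masks the low 10 bits, regional variants such as Russian (Moldova), LANGID 0x0819, trigger it just as ru-RU does. Adding a CIS keyboard layout to hosts has been floated as a cheap "vaccine", but it is trivially bypassed by any sample that drops the check, so it is no substitute for the controls discussed below.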
The Hive case is notable because it was a joint operation by authorities from multiple countries. The coordinated effort culminated in the takedown of the group's server infrastructure and, before that, months of covert access to Hive's network that allowed investigators to hand decryption keys to victims. This marks a shift in approach: governments and cybersecurity agencies are increasingly taking the fight to the threat actors' infrastructure, having recognised that purely defensive measures are not enough to contain the ransomware problem.
Defence is further complicated by the differing tactics of ransomware groups and their affiliates. Even within a single RaaS program, individual affiliates bring their own tooling and intrusion techniques, so there is no single playbook for a security team to prepare against.
Defending against RaaS groups therefore calls for a holistic posture with multiple layers of protection. Hive affiliates, for example, are known to have gained initial access through single-factor logins to Remote Desktop Protocol (RDP), VPNs and other remote access services exposed without multifactor authentication (MFA), through stolen credentials, through phishing campaigns, and by exploiting unpatched software vulnerabilities. The corresponding controls are well understood: enforce MFA on every remote access path, move toward a zero-trust network model, deploy email security alongside phishing awareness training, and run a patch management process that actually closes the vulnerabilities affiliates are exploiting.
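Controls are only half of it; the other half is noticing when one fails. The following is an added example (not code from the original article or from any vendor) of detection logic for the RDP weakness described above, run over a handful of constructed Windows Security events: it flags password guessing against RDP (a burst of 4625 failures followed by a 4624 success from the same source) and any RDP logon from outside the RFC 1918 ranges, which the example assumes should never happen once RDP sits behind an MFA gateway. Event IDs 4624/4625 and LogonType 10 (RemoteInteractive) are real Windows values; the key=value export format, the log lines and the network assumptions are constructed for the example.

```python
"""Detection logic for two things the text warns about: RDP reachable from
the internet, and RDP password guessing that ends in a success. Operates on
Windows Security events 4624 (logon success) and 4625 (logon failure),
restricted to LogonType 10 (RemoteInteractive, i.e. RDP). Added example;
the events below are constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample events in a flattened key=value export form.
SAMPLE_EVENTS = """\
2023-01-25T02:14:01Z id=4625 type=10 user=administrator src=203.0.113.45
2023-01-25T02:14:03Z id=4625 type=10 user=administrator src=203.0.113.45
2023-01-25T02:14:05Z id=4625 type=10 user=administrator src=203.0.113.45
2023-01-25T02:14:07Z id=4625 type=10 user=administrator src=203.0.113.45
2023-01-25T02:14:09Z id=4625 type=10 user=administrator src=203.0.113.45
2023-01-25T02:14:12Z id=4624 type=10 user=administrator src=203.0.113.45
2023-01-25T02:20:00Z id=4624 type=10 user=jdoe src=10.0.4.17
2023-01-25T02:21:00Z id=4625 type=3 user=svc_backup src=10.0.4.20
2023-01-25T03:05:00Z id=4624 type=10 user=rsmith src=198.51.100.9
"""

# RFC 1918 ranges treated as "inside". Assumption for the example: no
# legitimate RDP arrives from outside these because RDP sits behind a
# VPN or gateway with MFA. (Deliberately not ipaddress.is_global, which
# also treats the documentation ranges used above as non-global.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    ev["id"], ev["type"] = int(ev["id"]), int(ev["type"])
    ev["src"] = ipaddress.ip_address(ev["src"])
    return ev

def detect_rdp_abuse(text, threshold=5, window=timedelta(minutes=5)):
    """Return (rule, user, source) alerts in the order they fire."""
    alerts = []
    failures = defaultdict(list)  # (user, src) -> failure times in window
    for line in text.splitlines():
        ev = parse_event(line)
        if ev["type"] != 10:
            continue  # ignore network, service, batch logons, etc.
        key = (ev["user"], str(ev["src"]))
        # Drop failures that have aged out of the sliding window.
        failures[key] = [t for t in failures[key] if ev["time"] - t <= window]
        if ev["id"] == 4625:
            failures[key].append(ev["time"])
            if len(failures[key]) == threshold:  # fire when the burst first hits threshold
                alerts.append(("rdp_bruteforce", *key))
        elif ev["id"] == 4624:
            if len(failures[key]) >= threshold:
                alerts.append(("rdp_bruteforce_success", *key))
            if not is_internal(ev["src"]):
                alerts.append(("rdp_from_internet", *key))
    return alerts

if __name__ == "__main__":
    for alert in detect_rdp_abuse(SAMPLE_EVENTS):
        print(*alert)
```

On the sample data the administrator account trips all three rules in sequence, which is the shape of an affiliate walking in through single-factor RDP; rsmith trips only the exposure rule, which is the finding to fix before it becomes the first kind. In production the same logic belongs in a SIEM rule keyed on the real event fields (IpAddress, TargetUserName, LogonType), with the threshold tuned to the environment.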
The case for defence in depth is illustrated by the CL0P group, which exploits widely deployed third-party software, notably managed file-transfer products, to reach the customers of a single vendor in bulk and then steal their data or deploy ransomware. No single control stops that: organisations need multiple layers so that when one fails, another catches what it missed.
Email security and phishing defences deserve particular attention, because RaaS affiliates so often begin with a phishing email. Verizon's 2023 Data Breach Investigations Report again lists phishing among the leading ways breaches begin. Closing these gaps as part of a comprehensive posture measurably improves an organisation's odds against RaaS groups.
In conclusion, the Hive case illustrates the trends and tactics associated with RaaS groups. It reinforces the role of cryptocurrency in ransom payments and shows what coordinated international law enforcement can achieve against criminal infrastructure. To defend effectively, organisations need a holistic posture with multiple layers of protection, with particular emphasis on email security and phishing, so that they are better placed against an evolving RaaS threat landscape.

