HIVE Ransomware

CYPFER team has been engaged on HIVE cases since approximately April 2021. HIVE affliates do not distinguish between for-profit or not-for-profit organizations, criticail infrastructure or health institutes. Every organization is a target and ransom demands vary from very low to very high. The demand is dependent on the affiliate that conducted the attack and their analysis/perception of what the victim can pay.

Negotiations appear to be direct with the affiliate, hence it is critical to build an understanding and profile of the affiliate through communications. Once an agreement is reached, the affiliate will set the price on the web chat room that is dedicated to the victim and the victim must click the “accept” button in order to lock in the amount of cryptocurrency payable before the decryptor becomes available.

Unlockers for both ESXI/Linux and Windows are available depending on the attack.

In some instances the affliates may lock the victim organization from active directory in addition to encryption and data theft.

SUMMARY:

• HIVE operators are not limiting themselves to specific attack types, but have been seen exploiting both external Internet facing assets using some of the latest exploits such as Log4j but also using brute force of remote access capabilties. Some attacks were identified using phishing techniques to establish initial foothold. CYPFER identified that approximately 45% of HIVE matters are based on phishing attacks initially where possible an access broker is involved.
• COMMUNICATION PROTOCOLS: HIVE communications take place primarily over the group’s web-chat that is accessible through TOR. Each victim organization is provided with a unique LOGIN and PASSWORD to access the chat-room. The HIVE site is frequently slow, goes offline or does not function properly adding to possible delays.
• INITIAL DEMANDS: HIVE demands on average begin around $800,000. This number may vary between each matter as the demands are typically based on what the threat actors believe the company can afford to pay.
• FINAL DEMANDS: HIVE operators or affiliates have full decision control of the final amount. Discounts depend on a variety of factors including the ability to negotiate appropriately with the affiliates.
• DURATION: Negotiation durations with HIVE are relatively SLOW and can run from 5 days to 25 days.

DECRYPTION: HIVE decryptor is 92% effective in decrypting files. Speed of decryption is dependant upon a number of factors including hardware capabilities and size of encrypted files but is relatively FAST.

RECOVERY and REMEDIATION: CYPFER’s post breach recovery teams have worked a number of HIVE matters, and recovery of an environment while it depends on impact, hardware capacity and available resources will typically take 10-14 business days.