What you need to know about ransomware as a service attacks!

Ransomware attacks continue to be one of the main concerns for organizations. Cyber threat actors know the impact a successful ransomware attack represents for a company and continue to put efforts in developing their tools, techniques, tactics and procedure making huge profits out of their criminal activities. The business model of cyber-criminal groups involved in ransomware activities is in constant mutation and different groups implement different models.

Lately, another way to operate ransomware activities emerged. Like any start-up involved in developing and selling SaaS software. Some cyber threat actors developed ransomware as a service platform or RaaS. It permits them to focus on developing their malware and the playbooks to deploy and execute it successfully while letting affiliates execute the attacks in exchange of a percentage of the ransom. But, while the ransomware as a service model is quite new, the history of ransomware attacks covers slightly over 30 years.

In 1989, the AIDS trojan was detected. At this time, Ransomware-as-a-Service programs and data leak sites did not exist yet. This ancestor of the modern ransomware was really less sophisticated than its descendants. It was spreading using floppy disks, the encryption was really basic and crypto moneys were not even invented.

Nowadays, ransomware operators are on the top of the cybercriminal hierarchy and earn billions. According to Group-IB, more than 60% of all the incidents investigated in 2021 concerned ransomware.

In 2015, the attackers ‘focus shifted to corporate targets and in 2018 one of the most notorious Ransomware-as-a-Service affiliate programs dubbed “GandCrab” was born.

Later, the gangs Snatch and Maze innovated launching the first attacks based on a double extorsion model. They downloaded the victim’s data before encryption and published it on their own resource adding an extra pressure on the victims.

The use of the double extortion technique, the active development of the RaaS program market, and the increasing popularity of ransomware programs among cybercriminals have all contributed to the emergence of a real “Ransomware Empire”.

The situation in 2021 remained almost unchanged. Attackers mainly target the same types of companies that they believe to be the most profitable. They carefully choose their victim and perform methodological actions in order to compromise their victims ‘infrastructure. The RaaS market rapidly expanded and many financially motivated groups have shifted their focus to ransomware attacks.

One of the prominent actors in the RaaS industry, the Hive ransomware, is known to be one of the most challenging threats for organizations at the moment. This is also one of the most recent RaaS discovered that presents an impressive record of targets.

Between august 2021 and February 2022, the Hive ransomware was involved in at least 1264 attacks according to the trend micro research lab. According to the profile of the different victims and the amounts of the ransom asked, the revenue of the group behind the Hive ransomware is estimated to be between 3 and 4 billion USD. The attacks launched by the hive’s affiliates are targeting a wide area of companies in various industries with selective targets.

In addition, this group maintains a dedicated website named “Hive Leaks” where they leak the data of companies that refused to pay the ransom. Of course, companies that get their data leaked face different problems like being exposed to more fraud attempts, seeing customers exposed to these frauds, legal issues, and other collateral damages. Like many ransomware operators, the group behind the Hive RaaS understood how to benefit from the double extortion model.

The idea behind this model is simple but efficient: before the encryption, attackers exfiltrate critical data from a victim’s environment and, to maximize their chances of being paid, inform the victim about their intention to publish the data on the Internet if the victim refuses to pay. As you can imagine, the psychological impact of this model adds another layer to the threat.

On January 26 2023, the US and European authorities announced the result of an undercover operation during which the operations of the group behind the Hive ransomware were seriously hit. In July 2022 the website used by the ransomware gang to leak the victims ‘data was seized by the authorities. Later more infrastructure components were seized.

While this group’s operations are seriously damaged, we can be sure that other cyber-criminal groups will emerge. This is why, maintaining a clear strategy against ransomware attacks especially covering the techniques and tactics implemented by groups like the one behind the Hive RaaS is of paramount importance. It is always better to implement preventive and detective controls along with business continuity and recovery measures than to arrive at the latest stage of the kill chain when data is already gone.

One good way to protect organizations against ransomware threats is by learning how they operate and use this knowledge to implement preventive, detective and responsive controls tailored to the company’s operations. This is the mission of “The Threat Manager” review. To give you precise technical knowledge about cyber threats like the one posed by the many ransomware as a service actors.

The first report of 2023 is now available. In this report, we discuss the Hive Ransomware in detail, we demonstrate how the Hive’s affiliate operate from the moment they penetrate a victim’s infrastructure to the end of the attack when encryption happens.

This report gives technical details about how to prevent, detect and respond to the threat posed by ransomware actors. Do not wait to take the right measures to protect your business! Click on the button below to take your copy!

author: Luigi Scarpinati

Leave a Reply