The Hive ransomware group is more active and aggressive than its leak site suggests, with affiliates targeting three organizations on average every day since the operation was discovered in late June. Over four months, security researchers extracting information directly from Hive’s administrator panel found that affiliates had infiltrated more than 350 companies.
Only 55 firms are listed on the gang’s data leak site as having refused to pay, implying that a large proportion of Hive ransomware victims paid the ransom. According to a conservative estimate, the Hive ransomware group made millions of dollars in revenue between October and November.
Hive ransomware first appeared in late June, attacking businesses in various industries. While the majority of the non-paying victims on their leak site are small to medium-sized organizations, the gang also exposed information from larger corporations with estimated sales in millions of dollars.
A source revealed that Hive ransomware was also used in the recent attack on Virginia’s Division of Legislative Automated Systems (DLAS). However, the information couldn’t be verified independently. Analysts at cybersecurity firm Group-IB found that the Hive ransomware-as-a-service (RaaS) operation is “one of the most aggressive,” with its affiliates infecting at least 355 businesses by October 16.
Group-IB gained access to the Hive ransomware admin panel and began gathering data on the operation and how it worked. Everything appears to have been set up by the authors to make ransomware distribution and negotiations with victims as transparent and straightforward as possible. Affiliates can create a malware build in as little as 15 minutes, and negotiations are handled by Hive ransomware administrators, who send messages to the victim in a chat window that affiliates can see.
Even though the decryption software is delivered once the ransom is paid, several businesses have reported that it does not work correctly and has corrupted the Master Boot Record of virtual machines, rendering them unbootable. According to Group-IB, the Hive ransomware admin panel shows affiliates how much money they made, which firms paid, and which victims’ data was disclosed. It also allows them to keep profiles for targeted enterprises.
The researchers discovered that all affiliates had access to the company IDs in the Hive ransomware database, which is uncommon. Moreover, the admin panels and the leak site are controlled via an API, which Group-IB says it has only seen used by two other ransomware groups: Grief and DoppelPaymer.
The researchers discovered a vulnerability in the API that allowed them to obtain information on all Hive ransomware incidents and how many firms paid the attackers. According to their estimates, the threat actor had attacked 355 entities by October 16; 104 had been compromised. In terms of the money extorted from victims, Group-IB claims the gang made at least $6.5 million between October and November.
According to Group-IB’s study of the ransomware industry, recently released in the company’s paper “Corporansom: threat number one,” roughly 30% of victims chose to pay the threat actor.