fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Hive Ransomware Enters Big League with Hundreds Breached in Four Months

Hive Ransomware Enters Big League with Hundreds Breached in Four Months

The Hive ransomware gang is more active and aggressive than its leak site shows, with affiliates attacking an average of three companies every day since the operation became known in late June.

Security researchers gleaning information straight from Hive’s administrator panel found that affiliates had breached more than 350 organizations over four months.

The gang’s data leak site currently lists only 55 companies that did not pay the ransom, suggesting that a large number of Hive ransomware victims paid the ransom.

A conservative estimation places Hive ransomware gang’s profits into millions of U.S. Dollars between October and November alone.

Also Read: The Top 10 Best And Trusted List Of Lawyers In Singapore

Recruiting partners

Hive ransomware emerged in late June targeting companies in various sectors. While most of the non-paying victims on their leak site are small to medium-sized businesses, the gang also published files from larger companies with revenues assessed to be in the hundreds of millions.

A source has told BleepingComputer that Hive ransomware is also behind the recent attack on Virginia’s Division of Legislative Automated Systems (DLAS). However, we could not independently verify the information.

Analysts at cybersecurity company Group-IB investigating the Hive ransomware-as-a-service (RaaS) operation discovered that the group is “one of the most aggressive ones,” its affiliates hitting at least 355 companies by October 16.

The first publicly known attack from this gang was on June 23, against Canadian IT company Altus Group. At that time, it was unclear if Hive was a RaaS operation open to other cybercriminals.

Things became clear in early September when the group, through a user known as “kkk,” replied in a thread on “reputable” ransomware programs that they were looking for partners that already had access to company networks.

Hive ransomware representative promoting the RaaS
source: Group-IB

The message also included details about splitting the ransom money: 80% for affiliates, 20% for the developers.

The same user also provided technical information about the file-encrypting malware in a self-destructing note captured by Group-IB researchers.

Although “kkk” did not name the RaaS they were representing, the researchers say that the technical details provided made it clear that the actor was referring to Hive ransomware.

Also Read: The Importance Of Knowing Personal Data Protection Regulations

Hive ransomware features
source: Group-IB

Behind the Hive ransomware curtains

Group-IB obtained access to the Hive ransomware admin panel and started to collect information about the operation and how it worked.

It appears that the developers set everything up to make ransomware deployment and negotiations with the victims as easy and transparent as possible.

Affiliates can generate a malware version in up to 15 minutes and negotiations run via Hive ransomware admins, who pass the message to the victim in a chat window also visible to affiliates.

Hive ransomware victim chat window shared with admins and affiliate
source: Group-IB

Although the decryption software is provided after paying the ransom, some companies complained that the tool was not working properly and corrupted the Master Boot Record of virtual machines, making them non-bootable.

Hive ransomware chat with victim
source: Group-IB

In a report shared with BleepingComputer, Group-IB notes that the Hive ransomware administration panel shows affiliates how much money they made, the companies that paid and those that had their data leaked, and lets them store profiles for targeted businesses.

Hiver ransomware admin panel for affiliates
source: Group-IB

The researchers found that all affiliates have access to the company IDs in the Hive ransomware database, which is rather unusual.

Furthermore, the admin panels and the leak site are running through an API (Application Programming Interface), which Group-IB says has been seen with only two other ransomware groups: Grief and DoppelPaymer.

Looking closer at the API, the researchers found an error that allowed them to glean information about all Hive ransomware attacks, which also let them gauge how many companies paid these attackers.

According to their assessment, the threat actor hit 355 organizations by October 16; 104 victims negotiated with the attackers.

“Based on the analysis of company data obtained through API, the number of victims grew by 72% in less than one month. On September 16, the total number of records related to victim companies was 181. Just one month later, on October 16, the number increased to 312. Notably, 43 companies listed as victims in September disappeared from API in October, most likely after paying the ransom” – Group-IB

As for the money extorted from victims, Group-IB told BleepingComputer that they estimate the gang made at least $6.5 million from October to November.

Group-IB’s research into the ransomware business, recently published in the company’s recent report called “Corporansom: threat number one,” shows that about 30% of the victims choose to pay the threat actor.

Despite being more active than initially believed, Hive ransomware relies on common initial compromise methods, which include the following:

  • vulnerable RDP servers
  • compromised VPN credentials
  • phishing emails with malicious attachments

The attackers also deploy the encryption stage of the attack during non-working hours or over the weekend, which is typical for most ransomware attacks.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us