The main factors behind the rise of the ransomware empire were the use of the double extortion technique based on DLS, the active development of the RaaS program market, as well as the increasing popularity of ransomware programs among financially cybercriminals who used to have a more difficult way to make money.
According to the "Hi-Tech Crime Trends 2021/2022. Part II. Corporansom: threat number one
" released earlier in the day, the number of victims whose data has been published on DLSs has grown by unprecedented 935% from 229 to 2,371 during the period from H2 2020 to H1 2021 compared to the corresponding period a year earlier. Despite the "protests" of several underground forum administrators united by the "No more ransom!" motto, in the review period, 21 new partner programs emerged, which is a 19-percent increase year-on-year.
As the entire world was watching REvil's forced rebranding, the victim count of ransomware Hive, which appeared in June 2021, continued to surge. If one tried to evaluate Hive's private affiliate program based on the number of victims whose data was released on DLS (48), they wouldn't be impressed.
On closer examination, this RaaS program turns out to be one of the most aggressive ones, with Hive operators using the most urgent methods of pressure on the target organizations and distinctive TTPs, which arу worth being examined.
For technical experts, the blog post authors have included dedicated parts with info on methods and approaches that can be used to hunt for Hive operators. They also present a comprehensive analysis of the Hive ransomware sample, indicators of compromise, and YARA rules, which should help analysts identify the Hive attacks.
Hive affiliates have been busy as bees: the actual number of their victims is in the hundreds despite the fact that the affiliate program has been active less than half a year. Due to Hive DLS's specific characteristics and its admin panel, Group-IB Threat Intelligence analysts have managed to determine that as of October 16, 2021, at least 355 companies fell victim to the threat actor.
Hive affiliates resort to various initial compromise methods: vulnerable RDP servers, compromised VPN credentials, as well as phishing emails with malicious attachments. The data encryption is often carried out during non working hours or at the weekend. Taking into account that Hive targets organizations from various economic sectors from all around the world and their attacks are manually controlled by the affiliates, it's crucial to closely monitor the changes in TTPs of these ransomware operators.
Group-IB Digital Forensics and Threat Intelligence teams have analyzed the latest available samples of Hive and for the first time analyzed the affiliate program from the inside, having tracked down it to its creation.
More information about RaaS affiliate programs, the most noticeable ransomware samples, tactics, techniques, and tools used by threat actors, as well as events in the dark web that led to the rise of the ransomware empire can be found in "Hi-Tech Crime Trends 2021/2022. Part II. Corporansom: threat number one