Dubai Telegraph - Hive ransomware: modern, efficient business model

Hive ransomware: modern, efficient business model
Hive ransomware: modern, efficient business model / Photo: NICOLAS ASFOURI - AFP/File

The US Justice Department's shutdown Thursday of the Hive ransomware operation -- which extorted some $100 million from more than 1,500 victims worldwide -- highlights how hacking has become an ultra-efficient, specialized industry that can allow anyone to become a cyber-shakedown artist.

- Modern business model -

Hive operated in what cybersecurity experts call a "ransomware as a service" style, or RaaS -- a business that leases its software and methods to others to use in extorting a target.

The model is central to the larger ransomware ecosystem, in which actors specialize in one skill or function to maximize efficiency.

According to Ariel Ropek, director of cyber threat intelligence at cybersecurity firm Avertium, this structure makes it possible for criminals with minimal computer fluency to get into the ransomware game by paying others for their expertise.

"There are quite a few of them," Ropek said of RaaS operations.

"It is really a business model nowadays," he said.

- How it works -

On the so-called dark web, providers of ransomware services and support pitch their products openly.

At one end are the initial access brokers, who specialize in breaking into corporate or institutional computer systems.

They then sell that access to the hacker, or ransomware operator.

But the operator depends on RaaS developers like Hive, which have the programming skills to create the malware needed to carry out the operation and avoid counter-security measures.

Typically, their programs -- once inserted by the ransomware operator into the target's IT systems -- are used to freeze the target's files and data by encrypting them.

The programs also extract the data back to the ransomware operator.

RaaS developers like Hive offer a full service to the operators, for a large share of the ransom paid out, said Ropek.

"Their goal is to make the ransomware operation as turnkey as possible," he said.

- Polite but firm -

When the ransomware is planted and activated, the target receives a message telling them how to correspond and how much to pay to get their data unencrypted.

That ransom can run from thousands to millions of dollars, usually depending on the financial strength of the target.

Inevitably the target tries to negotiate on the portal. They often don't get very far.

Menlo Security, a cybersecurity firm, last year published the conversation between a target and Hive's "Sales Department" that took place on Hive's special portal for victims.

In it, the Hive operator courteously and professionally offered to prove the decryption would work with a test file.

But when the target repeatedly offered a fraction of the $200,000 demanded, Hive was firm, insisting the target could afford the total amount.

Eventually, the Hive agent gave in and offered a significant reduction -- but drew the line there.

"The price is $50,000. It's final. What else to say?" the Hive agent wrote.

If a target organization refuses to pay, the RaaS developers hold a backup position: they threaten to release the hacked confidential files online or sell them.

Hive maintained a separate website, HiveLeaks, to publish the data.

On the back end of the deal, according to Ropek, there are specialist operations to collect the money, making sure those taking part get their shares of the ransom.

Others, known as cryptocurrency tumblers, help launder the ransom for the hacker to use above-ground.

- Modest blow -

Thursday's action against Hive was only a modest blow against the RaaS industry.

There are numerous other ransomware specialists similar to Hive still operating.

The biggest current threat is LockBit, which attacked Britain's Royal Mail in early January and a Canadian children's hospital in December.

In November, the Justice Department said LockBit had reaped tens of millions of dollars in ransoms from 1,000 victims.

And it isn't hard for Hive's operators to just start again.

"It's a relatively simple process of setting up new servers, generating new encryption keys. Usually there's some kind of rebrand," said Ropek.

U.Siddiqui--DT