Victor Acin at Outpost24 describes the Hive Ransomware Group and explains how ransomware-as-a-service works
Having good ‘customer service’ is not something you’d associate with ransomware groups on the dark web. Nor do you expect them to have a great ‘tech stack’ or proper business know-how. Instead, the classic image of a group of individuals in hoodies comes to mind.
Well, the Hive ransomware gang does away with these old misconceptions. Widely considered to be among the most powerful and dangerous ransomware groups, Hive’s success is largely down to their business structure, which could be considered somewhat unique.
To begin with, Hive is a ransomware as a service (RaaS) operator that was first observed in 2021. Although they have not been operating for long, their tactics, techniques and malware variants have propelled them to the forefront of modern cyber-crime and made them one of the most prominent RaaS providers on the market.
But what sets them apart as a criminal ‘business’ is a variety of factors including their advanced ransomware kits, negotiation techniques and how they interact with their customers.
The Hive group uses a modern application programming interface (API) based system, which is well suited to building the architecture of a RaaS. With a single back-end database serving several portals through one API, the operators can run extortion and collect ransoms faster and more efficiently than with separate, manually maintained tools. The system is unusual in that it is deliberately streamlined and split into three portals: affiliate, victim and data leak site.
Digging deeper into each aspect of the portal will give you a better understanding of why the Hive RaaS is popular in the nefarious cyber-underworld.
Affiliate portal: This area of the Hive RaaS system allows affiliates to control the main aspects of the operation from creating the malware package, managing payments, the victim list and the data that’s been stolen. Typically, there are nine steps an affiliate must go through to carry out a successful ransomware attack when using the Hive portal.
Research into the intended target is also required before the malware is built, in order to extract the largest possible payment. Once that is complete, the malware can be deployed to the targeted company.
The portal then alerts the affiliate once the victim's files have been stolen and encrypted. At this point the victim has received the ransom note pointing to the victim portal, which is where negotiations start.
When access to the Hive RaaS is purchased, the customer, or ‘affiliate’, is given the affiliate portal, where they can generate a malware sample of their choice and assign their target. The affiliate is then provided with the credentials the victim will use to access the victim portal. Because this process is centralised and automated, the affiliate has more time to prepare the stolen data in the portal, for example by adding malicious links intended to trick the target further, which can lead to double extortion.
If the victim refuses to pay the ransom to get their information back, then the Hive platform will automatically send the stolen information to a designated leak site. Why Hive is so popular is the fact a threat actor can design their malware, assign and extort the target and leak the data all from one platform.
Victim portal: Here the information relating to the ransomware victim can be accessed, with prompts to various services such as contacting the sales department, decryption services and a live chat feature. It is designed to be user-friendly, akin to what you’d find on the website of your favourite retailer. The only difference is that information and money are being stolen.
Once the ransomware has executed on the victim's systems, a ransom note appears containing a Tor link to the Hive victim portal along with login details for the victim to access it.
Leak site: Hive has its own leak site, called “HiveLeaks”, hosted on the dark web and accessible to anyone who has the Tor URL. There is even a countdown timer telling victims when the ransom must be paid by. Failure to pay in time typically results in the stolen data being published, which is the second half of a double extortion attack.
While the Hive API portal system is certainly unusual, it is the dedicated customer service and helpdesk functions that really put this RaaS provider above the others. Live chat between affiliates, victims and the Hive operators means help and guidance are available throughout the entire ransomware process, from testing to decryption.
Moreover, the admins behind the customer service and helpdesk have been found to be professional, friendly and helpful, which increases the likelihood that a victim pays.
A strong foundation of good cyber-security hygiene, practised across the workforce, will always put the enterprise in a better position to handle threats. In addition, a layered approach to security reinforces those defences, so make sure the following are deployed or in use to mitigate the risk of initial access: security awareness training, vulnerability management tooling and regular penetration testing.
Without a doubt, RaaS providers like the Hive group will continue to evolve their tactics and offerings to attract more affiliates. It is therefore up to organisations to take the necessary steps to keep the risks they pose to a minimum and to close any security gaps accordingly.
Victor Acin is Threat Intelligence Labs Manager at Outpost24
Main image courtesy of iStockPhoto.com
© 2024, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543