What the Hive Ransomware Case Says About RaaS and Cryptocurrency

Earlier this year, law enforcement officials disrupted the operations of the Hive cybercriminal group, which profited off a ransomware-as-a-service (RaaS) business model. Hive is commonly thought to be affiliated with the Conti ransomware group, which is associated with a list of other groups including Royal, Black Basta, and Quantum. RaaS affiliates and their victims are all over the globe and they use myriad tactics and techniques. The Hive case tells us a lot about RaaS trends, how it relates to cryptocurrency, and how to defend against similar groups.

Hive, like other RaaS providers, wrote a ransomware encryptor, created a Dark Web domain, advertised its services to affiliates and forums, and then allowed users to purchase a license for its services to configure a ransomware payload and receive extortion funds. Generally, RaaS providers take a cut; it's typically a 75/25, 80/20, or 85/15 split (Hive was 80/20).

How Cryptocurrency Supports RaaS

Due to the borderless and almost instant nature of cryptocurrency, Hive, and every other ransomware group, still uses cryptocurrency. It's an anonymous system of transferring and instantly sending funds around the globe; no conversions or bank approvals are needed.

Whether it's priced high or low, cryptocurrency is the best and most effective avenue for ransomware operators to extract funds from victims. The price of cryptocurrency follows the path of Bitcoin (BTC). If BTC goes up, most others go up as well and, inversely, if the price goes down, everything else follows. When attackers breach a victim and demand a ransom, they alter the amount of cryptocurrency they ask for based on the current price of the token used. For instance, if a ransomware group wants to ransom a business for $50,000, they will convert that into the current token price and ask for that much.

While most cryptocurrency is traceable, many ransomware groups operate from countries whose governments will turn a blind eye to their wrongdoings as long as they prey on victims elsewhere. For example, many ransomware operators from Eastern Europe and Russia put logic in their malware's code to geolocate a victim's machine. The malware will terminate if it's in a country that is part of the Commonwealth of Independent States (CIS). This allows ransomware operators in these countries to deploy ransomware without worrying about being arrested.

Governments Are Stepping Up

The Hive case is unique in that a global, joint operation of federal authorities from several countries worked together to take down the infrastructure of a ransomware group. This was primarily possible because the Hive group's server infrastructure was partially in the United States.

The operation — and other recent takedowns of ransomware groups like REvil and DarkSide — demonstrates how governments are becoming more offensive in stopping threat actors. Law enforcement and cybersecurity agencies have realized that a purely defensive strategy isn't the best approach to tackling this issue.

Varying Tactics Complicate Security Challenges

Methodologies used in these attacks vary as different affiliates have different tactics, even within the same ransomware group. As every RaaS group has multiple tactics and techniques they can implement in various ways, it complicates the challenge security teams face in defending against them.

For security professionals, a good defensive posture should be holistic and include defense-in-depth mechanisms. For example, Hive affiliates have been known to breach organizations using Remote Desktop Protocol (RDP) without multifactor authentication (MFA), stolen credentials, phishing campaigns, and software vulnerabilities. There isn't a single solution to effectively tackle these issues; you'd need multiple solutions working synergistically to throw off attacks. Necessities include a policy to ensure MFA is on any authentication to your network (ideally a zero-trust network), multifactor license(s) if you don't have them, email security and phishing training, and a patch management system with comprehensive asset management behind it.

Checks and Balances

CL0P, another group, is known to breach software supply chain companies and then breach other companies that use them — deploying ransomware or exfiltrating data. Your defensive posture should be comprehensive and have a series of checks and balances to protect yourself from this kind of attack. If one solution fails, ideally, you'd want another to catch the misses or false positives. If I had to pick an essential key for companies to follow, it would be to tackle email security and phishing with training. Almost all threat actors disseminate malware through phishing emails and targeting — in fact, this is where most breaches start, according to Verizon's "2023 Data Breach Investigations Report."

Implementing a holistic security posture and employing defense-in-depth measures is the best approach to combatting RaaS groups, given their varied methods of attacks. Since most companies don't have the resources to throw money at solutions, a good starting place is tackling phishing and email security solutions.