The Hive ransomware group has taken credit for a cyberattack disclosed by Tata Power this month. In his comments below, Satnam Narang, Sr. Staff Research Engineer at Tenable, who has done extensive research into the ransomware ecosystem, shares his thoughts on how ransomware groups like Hive operate.
“The Hive ransomware group operates what is known as a ransomware-as-a-service (RaaS). Unlike traditional companies that operate software-as-a-service (SaaS), RaaS provides a subscription model for fledgling cybercriminals to become affiliates.
“Ransomware groups like Hive develop the ransomware, host the infrastructure and payment portals, and negotiate with the victims, so for an affiliate, their only job is to find and infect organizations. To do this, affiliates use a variety of methods to breach organizations. These range from traditional spearphishing attacks, sending malicious emails to victim organizations, to exploiting vulnerabilities in external-facing assets. The payouts for successful attacks can range from 70% to 90%, making such attack campaigns extremely lucrative.
“Hive is one of the top five ransomware groups operating today. Ransomware groups have a limited lifespan, as they often close up shop, either due to the threat of law enforcement activity or because successful law enforcement actions have been taken against them. However, affiliates remain one of the key figures within the ransomware ecosystem, as they are often not the subject of law enforcement action. They do not serve a single ransomware group; rather, they can participate in a number of affiliate programs offered by other ransomware groups, allowing them to pivot to other groups when one closes up shop.”
Satnam Narang, Sr. Staff Research Engineer, Tenable, said, “While the attack against Tata Power is noteworthy, it doesn’t appear that the ransomware attack itself hinged on affecting any power grids. For groups like Hive and its affiliates, it is ultimately about leverage, which is why ransomware has evolved over the last several years to incorporate a technique known as double extortion, where groups will not only encrypt files across the systems of a victim, they’ll also steal data and threaten to leak it on the dark web. The threat to publish stolen data, which could include sensitive and proprietary information, adds additional pressure on victim organizations to potentially pay the ransom. For Hive and its affiliates, paisa bolta hai (money talks).”