Ransomware-as-a-Service gang Hive is ramping up its activity according to the FBI, with over 1,300 businesses around the world falling victim to its malware.

FBI warns that RaaS gang Hive is vamping up its activity (Photo by Sushaaa/Shutterstock)

“As of November 2022, Hive ransomware actors have victimised over 1,300 companies worldwide, receiving approximately $100m in ransom payments,” a newly release advisory on the gang’s activities says.

Why is there a buzz around Hive ransomware?

The FBI joined the US Centre for Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) in a joint alert to warn organisations about the dangers Hive ransomware can pose, and the ways it is deployed.

Cybercriminals have used the gang’s code to target a range of industries including government facilities, critical manufacturing, information technology and “especially healthcare providers and public health organisations.

The FBI says Hive is garnering access to victim networks by using single factor logins via remote desktop protocol and virtual private networks. Criminals using Hive ransomware have also bypassed multi-factor authentication and exploited common vulnerabilities to gain access into systems. 

It has also been known to gain access by administering phishing emails with malicious attachments, and by exploiting Microsoft Exchange Server vulnerabilities CVE-2021-31207, CVE-2021-34473 and CVE-2021-34523. The gang removes all antivirus protection before encryption. 

Hive’s trail of destruction across UK schools and around the world

In the UK, Hive has been used to target the education sector. Six schools serving 4,500 pupils were impacted when the malware was used in an attack on the Scholar’s Education Trust in September. A month earlier, criminals had demanded a ransom of £500,000 from the Wooton Academy Trust in Bedfordshire after breaching its systems.

The same month the gang hit a French telecommunications giant Altice, while in July, the gang went on a spree, hitting seven companies. These included frozen food specialists Exala, IT consultancy AdaptIT and US marketing firm Authentic Brands Group. This followed an attack which saw cybercriminals using Hive hit the Indonesian gas giant PGN in April and

Hive has been deployed against myriad health organisations, too. The HHS released a report earlier this year warning the public that the group was in the top five most prolific ransomware gangs in the healthcare and public health (HPH) sector in the first quarter of this year. Hive was responsible for 11% of the total attacks in HPH worldwide that quarter, the report said.

The gang’s tactics are very fast and difficult to reverse engineer, explained Chris Morgan, senior cyberthreat intelligence analyst at security company Digital Shadows, to Tech Monitor earlier this year. “Although the operators of the ransomware appear to use common tactics in initial access and lateral movement, the payload of the ransomware itself is reportedly an in-house developed piece of malware written in the Go programming language which allows for fast encryption speeds,” Morgan said.

Read more: Hive decryption key released as gang evolves its tactics