April 4, 2022 (updated 31 Jul 2023, 9:40am)

Hive ransomware gang strikes Indonesian gas giant PGN

With two victims in a matter of days, Hive is one of the most active ransomware gangs around.

By Claudia Glover

Rising ransomware gang Hive has struck Perusahaan Gas Negara (PGN), Indonesia’s state-backed oil and gas company. The cyber attack comes days after the gang claimed responsibility for an attack on a US healthcare provider, and shows businesses should be on their guard against the growing threat posed by the group, particularly to the healthcare sector.

PGN is the latest victim of prolific RaaS gang Hive. (Photo by Bloomberg/Getty Images)

News of the attack on PGN broke on Sunday morning. Though the company has yet to respond publicly to the reports, its website has been down ever since.

The Indonesian government holds a majority stake in PGN, which provides gas to 84 million customers.

Who are the Hive ransomware gang?

First spotted by security researchers last June, Hive had targeted 355 victims by the end of 2021, according to a report by cybersecurity company Group-IB.

It has been indiscriminate about going after organisations in both the private and public sectors, says Diana Selck-Paulsson, lead security researcher at Orange Cyberdefense. “What sticks out about them is that they really do impact the healthcare sector more than any other group,” says Selck-Paulsson. “The main countries they are hitting are the US, UK, Spain and Turkey and there have been at least 16 attacks this year that we know of.”

Hive’s most high-profile victims include European consumer electronics retailer MediaMarkt in November 2021, where Hive demanded $50m in Bitcoin, and an attack on the Memorial Health System in Ohio last August, which disrupted clinical and financial operations and reportedly caused urgent operations to be cancelled.


On Friday, Hive announced it had struck healthcare provider Partnership HealthPlan of California, stealing 85,000 patient records and rendering the organisation incapable of receiving or processing treatment authorisation requests for new patients.

How does the Hive ransomware gang operate?

Hive has been known to use double extortion: it exfiltrates data before encrypting the victim’s systems, then demands a ransom both for the decryption key and to stop the stolen data being published, according to a report from cybersecurity company Trend Micro.

It has a wide range of initial access tactics which allow it to gain entry to victims’ systems, says Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows. “The most common method appears to be Cobalt Strike implants delivered through phishing emails,” Morgan explains. “The dropped Cobalt Strike beacons are then used to maintain persistence, move laterally across the victim’s network, and upload the Hive ransomware payload.”

The gang moves quickly, and its payload is difficult to reverse-engineer, he adds. “Although the operators of the ransomware appear to use common tactics in initial access and lateral movement, the payload of the ransomware itself is reportedly an in-house developed piece of malware written in the Go programming language which allows for fast encryption speeds,” Morgan says. “The design of the ransomware requires input from the command line, indicating that it is meant to be run by an operator or a script requiring desired parameters.”

An additional problem in combating Hive is that malware written in Go is “difficult to reverse-engineer”, Morgan adds. “Reverse engineering tools can do a great job analysing binaries that are written in more popular languages, however, Go creates new challenges that make the analysis more cumbersome,” he explains.
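One reason Go binaries are still tractable for analysts, shown here as an added example that is not from the article or from any of the analysts quoted in it: the Go runtime needs its PC-to-line table (pclntab) to print stack traces, so the table, and with it every function name, survives even when the binary has been stripped of its ordinary symbol table. The program below uses only the Go standard library to recover those names from a Go ELF binary and separates the operator’s own packages from the runtime and standard library. The section names it looks for and the standard-library prefix list are assumptions made for this example.

```go
package main

import (
	"debug/elf"
	"debug/gosym"
	"fmt"
	"os"
	"sort"
	"strings"
)

// GoFunctions recovers function names from a Go ELF binary by parsing its
// pclntab rather than the (possibly stripped) .symtab section.
func GoFunctions(path string) ([]string, error) {
	f, err := elf.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()

	text := f.Section(".text")
	if text == nil {
		return nil, fmt.Errorf("%s: no .text section", path)
	}

	// Assumption: non-PIE Go builds name the table .gopclntab, while PIE
	// builds fold it into the relocated read-only data segment.
	var pcln *elf.Section
	for _, name := range []string{".gopclntab", ".data.rel.ro.gopclntab"} {
		if pcln = f.Section(name); pcln != nil {
			break
		}
	}
	if pcln == nil {
		return nil, fmt.Errorf("%s: no pclntab section (packed or not a Go binary?)", path)
	}
	data, err := pcln.Data()
	if err != nil {
		return nil, err
	}

	// A nil symtab is fine: for Go 1.2+ tables gosym rebuilds the function
	// list from the pclntab itself, which is exactly the stripped-binary case.
	tab, err := gosym.NewTable(nil, gosym.NewLineTable(data, text.Addr))
	if err != nil {
		return nil, err
	}
	names := make([]string, 0, len(tab.Funcs))
	for _, fn := range tab.Funcs {
		names = append(names, fn.Name)
	}
	sort.Strings(names)
	return names, nil
}

// UserFunctions drops runtime, standard-library and compiler-generated
// symbols so the operator's own packages (the code worth reading first)
// stand out. The prefix list is a constructed, non-exhaustive allowlist.
func UserFunctions(names []string) []string {
	std := []string{"runtime", "internal/", "sync", "syscall", "os", "io", "fmt",
		"strings", "strconv", "sort", "time", "errors", "reflect", "unicode",
		"crypto", "encoding", "math", "path", "bufio", "bytes", "flag", "net",
		"type.", "type:", "go.", "go:"}
	var out []string
	for _, n := range names {
		isStd := false
		for _, p := range std {
			if strings.HasPrefix(n, p) {
				isStd = true
				break
			}
		}
		if !isStd {
			out = append(out, n)
		}
	}
	return out
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: gofuncs <go-elf-binary>")
		os.Exit(2)
	}
	names, err := GoFunctions(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	user := UserFunctions(names)
	fmt.Printf("%d functions, %d outside the runtime and standard library\n", len(names), len(user))
	for _, n := range user {
		fmt.Println(n)
	}
}
```

Run it against any Go ELF binary on disk; the names that survive the filter give a first map of the sample’s own packages (encryption routines, command-line parsing, networking) before any disassembly starts. Packers and samples that deliberately corrupt the pclntab will make the lookup fail, which the error path reports rather than guessing.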

