Rising ransomware gang Hive has struck Perusahaan Gas Negara (PGN), Indonesia’s state-backed oil and gas company. The cyber attack comes days after the gang claimed responsibility for an attack on a US healthcare provider, and shows businesses should be on their guard against the growing threat posed by the group, particularly to the healthcare sector.
News of the attack on PGN broke on Sunday morning. Though the company has yet to respond publicly to the reports, its website has been down ever since.
The Indonesian government holds a majority stake in PGN, which provides gas to 84 million customers.
🌐 Hive #Ransomware team ransomed another huge energy company 🚨 Perusahaan Gas Negara is a state-owned natural gas company operated by the Indonesian government with $3 billion in revenue from Indonesia 🇮🇩 #Hive pic.twitter.com/WTw5nsaicF
— DarkFeed (@ido_cohen2) April 3, 2022
Who are the Hive ransomware gang?
First spotted by security researchers last June, Hive had targeted 355 victims by the end of 2021, according to a report by cybersecurity company Group IB.
It has been indiscriminate about going after organisations in the private and public sectors, says Diana Selck-Paulsson, lead security researcher at Orange Cyberdefense. “What sticks out about them is that they really do impact the healthcare sector more than any other group,” says Paulsson. “The main countries they are hitting are the US, UK, Spain and Turkey and there have been at least 16 attacks this year that we know of.”
Hive’s most high-profile victims include European consumer electronics retailer MediaMarkt in November 2021, where Hive demanded $50m in Bitcoin, and an attack on the Memorial Health System in Ohio last August, which disrupted clinical and financial operations and reportedly caused urgent operations to be cancelled.
On Friday, Hive announced it had struck at healthcare provider Partnership HealthPlan of California, stealing 85,000 patient records and rendering the organisation incapable of receiving or processing treatment authorisation requests for new patients.
How does the Hive ransomware gang operate?
Hive has been known to use double extortion techniques to coerce its victims into paying a ransom for the decryption key and the return of stolen data, according to a report from cybersecurity company Trend Micro.
It has a wide range of initial access tactics which allow it to gain entry to victims' systems, says Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows. “The most common method appears to be Cobalt Strike implants delivered through phishing emails,” Morgan explains. “The dropped Cobalt Strike beacons are then used to maintain persistence, move laterally across the victim’s network, and upload the Hive ransomware payload.”
The gang’s ransomware is very fast and difficult to reverse-engineer, he adds. “Although the operators of the ransomware appear to use common tactics in initial access and lateral movement, the payload of the ransomware itself is reportedly an in-house developed piece of malware written in the Go programming language which allows for fast encryption speeds,” Morgan says. “The design of the ransomware requires input from the command line, indicating that it is meant to be run by an operator or a script requiring desired parameters.”
An additional problem in combating Hive is that malware written in Go is “difficult to reverse-engineer”, Morgan adds. “Reverse engineering tools can do a great job analysing binaries that are written in more popular languages, however, Go creates new challenges that make the analysis more cumbersome,” he explains.