Hive Ransomware Group – Brought to Justice

Lewis Fairburn

Marketing Manager

Lewis is the Marketing Manager here at Pentest People. Handling our brand identity, event planning and all promotional aspects of the business.

What is Hive Ransomware Group?

The Hive Ransomware Group was a criminal operation that targeted businesses and public-sector bodies around the world. It ran on the ransomware-as-a-service model: the core group built and maintained the ransomware and the infrastructure behind it, while affiliates carried out the intrusions and split the proceeds. The aim was extortion: a victim's data was encrypted and made inaccessible until a ransom was paid, and, because the affiliates also stole copies of the data before encrypting it, victims were threatened with its publication if they refused to pay (the "double extortion" technique discussed in the transcript below).

How Big is the Impact?

According to the US Department of Justice's January 2023 announcement, Hive targeted more than 1,500 victims in over 80 countries from June 2021 onwards and collected more than $100 million in ransom payments. Victims ranged from small and medium-sized enterprises to large corporations, and included hospitals and other healthcare providers whose services were disrupted while their systems were unavailable.

What is Currently Happening With The Hive Ransomware Group?

On 26 January 2023 the US Department of Justice and the FBI announced that Hive's operations had been disrupted following a months-long campaign carried out with Europol and law enforcement partners in Germany and the Netherlands, among others. FBI investigators gained access to Hive's network in July 2022 and, from inside it, captured decryption keys that were passed to more than 300 victims who were under attack at the time and to more than 1,000 earlier victims, so that those organisations could recover their files without paying. The group's servers and websites were then seized. The announcement covered the seizure of infrastructure and the disruption of the scheme; it did not report arrests of the group's members.

What is Being Done To Protect Organisations?

Organisations should assume that an attacker who gains a foothold will try to steal data as well as encrypt it, and plan accordingly. The basics still matter most: patch systems promptly so that known, publicly documented vulnerabilities cannot be used for initial access or lateral movement; keep endpoint protection up to date; train staff to recognise phishing and to report suspicious messages to IT; and keep regularly tested backups, with at least one copy stored offline or otherwise out of reach of a compromised network. Because backups do not stop stolen data from being leaked, also limit what an attacker can find: sensitive data and credentials should not sit in shared folders, and passwords belong in a password manager rather than in text files. Organisations should additionally consider investing in advanced endpoint protection.

Conclusion

The Hive Ransomware Group caused significant disruption to organisations across the globe. Although its infrastructure has been seized and its operations disrupted, the people behind it, and other groups using the same ransomware-as-a-service and double extortion model, remain a threat, so it is essential that organisations take proactive steps to protect themselves from similar attacks. The measures above reduce both the likelihood of a successful attack and the damage one can do. Here at Pentest People, we offer a Ransomware Defence Assessment designed to reduce the risk that ransomware poses to your business and to protect your sensitive data and systems from being exploited.

Our consultants discuss the latest Hive Ransomware news below.

Video/Audio Transcript

Welcome to a Pentest People Tech Bite. Your headline today: the FBI has announced that the infamous Hive ransomware group has been brought to justice. Hive ransomware follows the ransomware-as-a-service model, a business model in which ransomware is sold or rented to buyers known as affiliates. Hive's efforts have been disrupted: the Justice Department announced that, after fighting for months to put an end to the Hive ransomware group, they have finally disrupted its operations. On today's podcast I have consultants Amy and Louie. Appreciate your time, guys. So what can you both tell us about this Hive ransomware group?

So I think overall, what we can see is that, as of June 2021, Hive have targeted more than 1,500 victims, and I think received about $100 million in ransom payments. And so, yeah, they kind of had a daily operation affecting a lot of people around the pandemic. I think Louie's got a little bit more on the first attack.

I do, yeah. So they effectively targeted, as Amy said, multiple different groups, mainly based in Western countries, like, for example, the US. The first attack that has been mentioned was in 2021, Altus Group, I believe that's right. It was basically a commercial real estate company; their network was breached, and it was Hive that effectively took responsibility. As Amy said, during the pandemic as well, they breached multiple US health services, and they've also targeted the Far East and Japan.

Yeah, so it does seem like a lot of the health systems in the US have been affected, but I wouldn't say those are the only victims; they've just been quite a big portion of the ransomware attacks. But it was about, I don't know, about 20 countries, I think, at least for the first Hive ransomware attacks, according to leaks. But yeah, there's loads. As an example, in August 2021, a health system in Ohio suffered a really big loss. They were a nonprofit health system, I believe, and it put their emergency departments on diversion due to IT failure. Which, for anyone, but especially health systems, is just, you know, horrible.
And what action did the FBI take against the Hive group?

Yeah, okay. So, in July 2022, the FBI, along with multiple other European organisations, the Germans, French, Lithuanians, Polish, multiple different European countries, combined together to take down the Hive ransomware group. They effectively compromised their network and captured all the decryption keys, which effectively made the ransom pointless because the files could always just be decrypted.

Yeah. So I think, roughly, online it says about 300 keys were provided to victims that were currently under attack, and approximately 1,000 to previous victims. So anyone who either paid or didn't pay the ransom, whether they got their files back or not, they were also assisted. And, as we said, it was in coordination with a bunch of different law enforcement agencies, such as the German and Netherlands ones. Yeah, honestly,

yeah, it was under the Europol group, which effectively combines all of the European police forces, a bit like Interpol, but specifically based on European ones.

Well, I guess one thing to take away is that although it was only recently announced that these services have been stopped, the FBI had actually compromised them earlier, gathering information, capturing the decryption keys and quietly helping the victims. Obviously all ransomware groups are dangerous, but what has made this ransomware group so dangerous?


So I think you mentioned at the start the new ransomware-as-a-service model, but they also do what's called a double extortion technique. So when they go in and compromise the network, they collect the files so they can leak them, as a sort of blackmail: they're going to leak them online and make them available, but also encrypt them. So it's a double extortion: you can't have your files, and if you don't pay to get them unlocked and given back to you, we will also make them available online for everybody to see. So it's a well-established double extortion technique, and it gives an incentive for victims to pay up, because not only have they lost a lot of files and data, and potentially that's stopped their services, whatever the company may be, it also might be embarrassing, you know? Well, I mean, you can get a lot of fines currently for GDPR, and

things like that. Previously, I guess what would happen in some cases is that ransomware would effectively just target a system and lock it all down, but it wouldn't be anything more than that: just lock it down and ask for a ransom. However, if, let's say, you had well-established backups, you could effectively wipe the system and start again, and that would get rid of the ransomware, or at least that would be the hope. But with this double extortion technique, even if you did that, they'd still leak information online. And then you have GDPR to contend with too.


Yeah, exactly.

So will Hive's downfall deter other ransomware groups?

I mean, my main sort of takeaway, as me and Louie were researching this and looking into it a bit, I guess my thoughts on it are, I would hope so, but it would be a bit too optimistic to say that. Louie, do you have a few more points to make in that regard?

Well, I think, especially with these sorts of groups, I like the idea of trying to kill the Hydra from mythology: if you kill one head, effectively two more pop up in its place. So the groups effectively splinter into different sorts of organisations. And especially with cases like this, a lot of ransomware groups are becoming nation-backed, which makes them a lot harder to take down, and if they have the funding of a particular country, then it can be even more difficult.

I think what Louie means by nation-backed, we can't say for certain, but there definitely are what seem like hackers and groups in Russia that, if they were to cause any issues for Americans, or anyone really, it's very unlikely that they would suffer any consequences; Russia is not really going to send them out to America, you know, to serve sentences. And as Louie said, you cut off one head and five more pop back up. And I guess, for example, getting rid of Hive's service, what's to say they can't just set up another one?

True. When a ransomware group breaks down, there are concerns the low-level sharks of the group will disband and start targeting smaller businesses on their own. Is this something organisations need to look out for?

Yeah, I think it's something that becomes a little bit more of an issue when groups effectively split up. Rather than having one big group that effectively targets one organisation after another, let's say they pick out the US healthcare industry and target that, if you have two or three different groups, there's nothing to say they can't just do whatever they want. One can target the US, one the UK, and let's say one targets Europe, or maybe people in East Asia. So, yeah, effectively, I feel like organisations should always be careful with this sort of stuff, but perhaps more so now.


I mean, there's nothing stopping the people who did this, that were with Hive, doing it as a new sort of group, or individually, possibly. It's like, for example, Anonymous. I mean, they're not known for ransomware; they're more known as activists, or something like that. But that's just people; there's no one group. It could be anyone, anywhere, and nothing stops you from, I guess, carrying on their work.

And what does the future look like for ransomware groups, for example LockBit and BlackCat?

So ransomware groups have effectively changed over time. If we look back at the first ransomware, it was effectively distributed on floppy disks that were sent off to different mailing addresses, and plugging in these floppy disks ransomed the system. And then you have, a few years ago, for example, WannaCry, which was downloaded via phishing and then was spread via a worm, using the EternalBlue exploit and SMB. And now you have even more sophisticated encryption and, for example, the double extortion technique used by Hive. I feel like they'll continue to use that sort of technique, as it's tried and tested and it works quite well: you have the "if you don't pay the ransom, you're not going to get your data back", and also "we'll leak everything to the internet too".

I think you've got a really good example, a really funny one, with the floppy disks. Imagine turning up somewhere with that for a client; I don't think you're going to get very far with a floppy disk nowadays. But no, Louie's completely right. I think with technology, all these sorts of attacks are going to develop. But what does it look like for the future? It's a really good question. I think ransomware groups should keep this in mind, because of the list: there's about 14 authorities that I've got here that were involved in taking down Hive. I mean, if these authorities in different countries can band together to take down this group, I think anything's really possible.

An interesting point, actually, is about loyalty within these ransomware groups. A famous ransomware group called Conti, when the Russia-Ukraine war started almost a year ago today, effectively said that they supported the Russian invasion of Ukraine. There were Ukrainians within the Conti group that were a little bit upset about that, and they actually leaked pretty much all of their data as a sort of response. So you can see that perhaps in the future there will be other groups that split up, perhaps based on national ties or something.

I've read this somewhere online; I'm not sure, I can't say who it was for sure. But there's some sort of talk about certain ransomware that doesn't target post-Soviet countries. You know, like Lithuania used to be in the Soviet Union; they're one of the countries that doesn't get targeted by certain Russian hackers, because they used to be in the Soviet Union. And I'm pretty sure the reason is that there might be some Lithuanians in the group who refuse to target their own country. I mean, yeah.


Going back to what you said, Amy, about setting up another group: how soon could they possibly set up another group, and how soon could the FBI take them down?

I think it really depends, because I can imagine there's quite a bit of infrastructure in place to set things like that up. But what's to say they don't already have a backup plan? What's to say they don't have something similar? I mean, they might not necessarily pop up as Hive again; that could be really obvious. Or there's a potential that the FBI could already know about that, or may have already taken down any backup plans. But it could be almost instant, and we wouldn't necessarily know unless the FBI were able to collect that information. Or it could take ages, because I'm pretty sure there were a lot of servers that were seized in different countries, and I can't imagine servers are free. So, yeah, it's quite hard to say, specifically.

And what can people do to mitigate the risks of ransomware attacks?

I feel like the main way people get caught is still social engineering. Let's say someone's trying to target an organisation: one of the easiest ways to do it is send them a link, they download it, and then it spreads from somewhere across the organisation. So social engineering training is probably the most ideal: training people not to open dodgy email links, training people to report them as spam, or report them within the organisation to their IT team. Of course, keeping updated antivirus software and keeping your systems up to date can always help, or be a sort of last-resort mitigation; it can potentially stem the flow.

I think anything that gives you a foothold on somebody's network, whether it be a small one or a big one, like you said, social engineering is kind of the keys to the kingdom. If you can get someone to give you information over the phone or over email, I mean, that's it really, isn't it? Then you've got access. But yeah, as Louie said, antivirus systems and things like that. But I'd say patching as well: you see low-hanging fruit that you could take, just because something is out of date; it might have a well-known, publicly known vulnerability that you can exploit and get some sort of user, or something like that. And from there, there's nothing stopping you encrypting all the files and taking them all. But there's a lot, and as we discussed in previous podcasts, phishing, well-known emails, and trying to avoid clicking anything really suspicious.

But yeah, I think those are quite key things. I'd say another important point is that, in terms of mitigation, assume the attack's already happened. In a worst-case scenario, if, by default, you have up-to-date backups of everything, then even if you do get ransomware, in theory, at least you haven't lost all the progress; you have a backup, or other systems in place. And if you can do that externally too, then it means it's also likely not going to be touched.

I think one of the best points is: don't keep personal and sensitive information in shares. If it's not necessary, or if it doesn't need to be there, it shouldn't be there. As an example, I have definitely seen where, if you compromise a user, you can see lists of websites that user can access, and then passwords and usernames available right next to the link. I mean, I've not only compromised your company and a user, I've also compromised every company that company uses and works with. That information should not be in the shares for any reason. And if it is, encrypt it. I mean, I will 100% advise against putting passwords and usernames in Notepad files, but if you do have to do that, encrypt it and put the password in a vault, you know, sort of like 1Password? Yeah, like 1Password and all of them. And I mean, even then, still try to go with really complex passwords, as, for example, what was it, LastPass recently had an issue? Well, I'm pretty sure if your password is of a good strength, there's... I mean, of course, that shouldn't have happened in the first place, but you shouldn't be as worried as people who have really easily guessable passwords. So, but yeah, 100% good passwords, avoid dodgy links, and patch management.


You mentioned earlier, Louie, about training, and I think all businesses and organisations should have training in place for their staff so they're aware of scams, phishing and ransomware. Are cyber criminals changing their tactics to counter the most robust response by law enforcement?

Oh, constantly. So like we were talking about, the first ransomware used floppy disks, and as technology moved on, they used bulk encryption, in the case of WannaCry, and exploited the SMB vulnerability with EternalBlue. It's a bit like a cat-and-mouse game, really. And this isn't just a case of cyber criminals, but also actual criminality too: it's a case of attackers finding a new and intuitive way to target unsuspecting or unfortunate victims, and the police or law enforcement will eventually catch up. It might take them a couple of months, or they might catch on quite quickly. And then effectively they'll just switch tactics and try something else. So I think a cat-and-mouse game is probably the best explanation here.

I think... I mean, technology is constantly changing and developing. I mean, what do you know, we'll have flying cars next year, and those flying cars will be vulnerable to DoS attacks that will take you out of the sky. But as an example, I mean, it's not too far-fetched to say that things like that are possible, and things like that can also lead to ransomware. And so, of course, as this technology develops, so will the attacks. I mean, Tesla, for example, had, this was ages ago, a vulnerability where you could stop and accelerate somebody's car remotely.

Yeah, but I think AI is also an important thing to look out for. I mean, right now, ChatGPT, some people are using it to, perhaps, cheat in exams and all of that, then...

That's all well and good, but against that, they've actually...

...so perhaps in the future we would effectively have, like humans, AI to do everything, I think.

They are working on that in America, yeah. It's been great hearing the key information about not only this ransomware group, but other ransomware groups out there. Have you both got any closing comments before we wrap up this podcast?

I think we've summarised everything we've covered. But yeah, you've brought up some really good sections about, you know, preventing and also just handling it in general. Yeah,

thank you both for coming on another Pentest People Tech Bite; it's always great having you both on. Thank you. Thank you. Ransomware groups are difficult to fully wipe out because the members tend to resurface in other groups, but the efforts by the FBI and other law enforcement agencies are designed to hit them on several fronts. Join me next week on another Tech Bite. Thank you to our Tech Bite listeners for tuning in. Follow our Pentest People Spotify page for more.
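The consultants' point about credentials sitting in file shares (a list of sites with usernames and passwords next to each link) is one a defender can check for before an attacker does. The script below is an added example, not Pentest People's code or tooling: it walks a directory tree the way an attacker with a compromised user would, flags lines that look like stored passwords, credentials embedded in URLs, or private keys, and redacts the secret value in its report so the report does not become another copy of the credential. The regular expressions, file-type list and the sample share it builds are all constructed assumptions for the example; the sample credentials are not real.

```python
"""Constructed example: sweep a file share for plaintext credentials.

Walks a directory tree, reads text-like files and flags lines that look like
stored passwords, credentials embedded in URLs, or private keys. Findings are
reported with the secret value redacted so the report itself does not become
another copy of the credential.
"""
import re
import tempfile
from pathlib import Path

# Heuristic patterns for the example. These are assumptions about what stored
# credentials commonly look like, not an exhaustive or vendor-supplied list.
CREDENTIAL_PATTERNS = {
    # "password: hunter2", "pwd=hunter2", "Passwd : hunter2"
    "password_assignment": re.compile(r"(?i)\b(?:pass(?:word|wd)?|pwd)\s*[:=]\s*\S+"),
    # "ftp://user:secret@host/" style credentials embedded in a URL
    "basic_auth_url": re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@"),
    # PEM private key header
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Only text-like files (or extensionless ones such as "id_rsa") are read.
TEXT_SUFFIXES = {".txt", ".csv", ".ini", ".cfg", ".conf", ".xml", ".json",
                 ".md", ".yaml", ".yml", ".pem", ".key", ""}
MAX_BYTES = 5 * 1024 * 1024  # skip very large files to keep the sweep cheap

# Substitutions that mask the secret part of a matched line.
REDACTIONS = [
    (re.compile(r"(?i)(\b(?:pass(?:word|wd)?|pwd)\s*[:=]\s*)\S+"), r"\1[REDACTED]"),
    (re.compile(r"(://[^/\s:@]+:)[^/\s@]+@"), r"\1[REDACTED]@"),
]


def redact(line: str) -> str:
    """Mask the secret part of a matched line so reports can be shared safely."""
    for pattern, replacement in REDACTIONS:
        line = pattern.sub(replacement, line)
    return line


def scan_file(path: Path) -> list:
    """Return (line_number, pattern_name, redacted_line) for each suspicious line."""
    findings = []
    try:
        if path.stat().st_size > MAX_BYTES:
            return findings
        text = path.read_text(errors="replace")
    except OSError:
        return findings  # unreadable file: skip rather than abort the sweep
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in CREDENTIAL_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name, redact(line.strip())))
                break  # one finding per line is enough
    return findings


def scan_share(root) -> dict:
    """Map relative file path -> findings for every text-like file under root."""
    root = Path(root)
    results = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        findings = scan_file(path)
        if findings:
            results[path.relative_to(root).as_posix()] = findings
    return results


def build_sample_share(root) -> None:
    """Create a small constructed share layout with a mix of clean and bad files."""
    root = Path(root)
    files = {
        # the pattern described in the podcast: a site list with credentials alongside
        "Sites/vendor-portals.txt": (
            "https://portal.vendor.example/login  user: jsmith  password: Summer2022!\n"
            "https://hr.example/  (SSO, no stored credential)\n"
        ),
        "Finance/notes.txt": "Q3 figures attached; see the finance share for detail.\n",
        "IT/backup.conf": "backup_url = ftp://backup:hunter2@backup.internal/nightly\n",
        # extensionless key file with a placeholder body (not a real key)
        "IT/old-keys/id_rsa": ("-----BEGIN RSA PRIVATE KEY-----\n"
                               "MIIE...constructed-placeholder...\n"
                               "-----END RSA PRIVATE KEY-----\n"),
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    # a binary file that the sweep must skip
    photo = root / "HR" / "team-photo.jpg"
    photo.parent.mkdir(parents=True, exist_ok=True)
    photo.write_bytes(b"\xff\xd8\xff\xe0 not a real jpeg")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as share:
        build_sample_share(share)
        for rel, hits in scan_share(share).items():
            for lineno, name, line in hits:
                print(f"{rel}:{lineno}: {name}: {line}")
```

Run against a mounted share instead of the sample directory by calling `scan_share("/mnt/finance")` (path is an assumption). Treat hits as triage leads rather than proof: the patterns deliberately favour recall, and the follow-up is to move anything genuine into a password manager and rotate it, since the credential has to be assumed exposed once it has sat on a share.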