Hive Ransomware Group – Brought to Justice

Article by • February 13, 2023


Hive Ransomware Attack – Brought to Justice

What is Hive Ransomware Group?

The Hive Ransomware Group is a sophisticated criminal organisation that targets businesses around the world with their ransomware attacks. The group’s primary goal is to extort money from victims by locking and encrypting their data, making it inaccessible until a ransom payment is made.

How Big is the Impact?

According to reports, over the past year, the Hive Ransomware Group has targeted more than 200 organisations in over 40 countries. These attacks have resulted in at least $30 million USD being paid to the group as ransom payments and caused significant disruption to affected businesses ranging from small-to-medium sized enterprises to large corporations.

What is Currently Happening With The Hive Ransomware Group?

The FBI has announced that the infamous Hive ransomware group has been brought to justice after a collaborative investigation involving the FBI, Europol, and private sector partners. The group has been identified and arrested in multiple countries across Europe, with a total of 32 suspects being taken into custody.

What is Being Done To Protect Organisations?

Organisations should take the necessary steps to protect their data from ransomware attacks. This includes implementing basic security measures such as regularly updating and patching systems, using antivirus software, backing up all important data, and maintaining good cybersecurity hygiene practices. Additionally, organisations should consider investing in advanced endpoint protection.


The Hive Ransomware Group has caused significant disruption to organisations across the globe. Although they have been apprehended and brought to justice, it is essential that organisations take proactive steps to protect themselves from similar attacks in the future. By taking the necessary steps, businesses can ensure their data remains secure and their operations remain uninterrupted. Here at Pentest People, we offer a Ransomware Defence Assessment designed to eliminate the risk of ransomware threats to your business, protecting your sensitive data and systems from being exploited.

Our consultants discuss the latest Hive Ransomware news below.


Welcome to Pentest People TechBite. Your headline today: the FBI has announced that the infamous Hive ransomware group has been brought to justice.

The Hive ransomware follows the Ransomware as a service.

This is a business model in which ransomware is sold or rented to buyers known as affiliates.

Hive’s efforts have been disrupted.

The Justice Department announced that after fighting to put an end to the Hive ransomware group for months, they have finally now disrupted its efforts.

On today’s podcast, I have consultants Eimee and Louis. We appreciate your time, guys.

So what can you both tell us about this Hive ransomware group?

So I think overall, what we can see is that as of June 2021 Hive have targeted more than 1500 victims and, I think, received about 100 million in ransom payments.

And so yeah, I mean it kind of they kind of had a daily operation around affecting sort of a lot of people around the pandemic.

I think Louis got a little bit more on the first attack.

I do, yeah, so they effectively targeted multiple different groups, mainly based in western countries.

The first attack as I mentioned was in 2021 atlas group I believe.

That’s right.

It was basically a commercial real estate.

There was an answer was breached and it was high the effective responsibility as I said during the pandemic as well.

They breached many US Health services as well as Japan.

They’ve also targeted those as well.

Yes, so it does seem like largely a lot of the health systems in the US have been affected.

But I wouldn’t say that’s the only, you know, only victims.

They’ve just been quite a big portion of the ransomware but it is about, I don’t know, about 20 countries I think at least the first Hive ransomware attacks according to leaks and but yeah, there’s loads.

I think there’s I mean as an example in August 2021 a health system in Ohio suffered a really big loss and they were they were a nonprofit health system I believe.

And it put their emergency departments on sort of diversion due to its failure.

Which obviously, I mean, anyone, but especially health systems, that’s just horrible.

And what action did the FBI take against the Hive group?

Yeah, okay so in July 2022 the FBI along with multiple other European organizations, the Germans French Iranians again Polish multiple different European countries as well as the FBI combined together to take down the Hive ransomware and they effectively compromised their network and captured all the decryption keys which effectively made their ransom pointless because the kids could always just be decrypted.

Yeah so I think it’s it’s roughly online, it says about 300 keys were provided to victims that were currently under attack and about approximately 1000 previous victims.

So anyone who either paid or didn’t pay the ransom where to get either the files or not, they were also assisted.

Absolutely said that it was in coordination with a bunch of enforce, you know, different law enforcements, such as the German, Netherlands.

Yeah, honestly under Europol, which effectively combines all of the European police forces, a bit like Interpol, but specifically for the Europeans.

So I guess what one thing to take away is, although it was only recently announced that their services have been stopped, the FBI had actually compromised them earlier, gathering information as such, capturing the decryption keys and sort of quietly helping the victims.

Obviously all ransomware groups are dangerous, but what has made this ransomware group so dangerous?

So I think you mentioned that at the start, the sort of, that they do ransomware as a service, but they do what’s called a double extortion technique.

So when they go in and compromise the network, they collect the files so they can leak as a sort of a almost like blackmail that they’re gonna leak them online and make them available, but also encrypt them.

So it’s a double extortion, you can’t have your files and if you don’t pay as well to get them unlocked and, you know, give them back to you, we will also make them online available for everybody to see.

So it’s a sort of a well established double extortion technique and it’s, it sort of gives an incentive for victims to pay up because is that not only are they they’ve lost a lot of files and data and potentially, you know, that stopped their services, whatever the company maybe it’s also might be embarrassing, you know?

Well, I mean you can get a lot of fans and things like previously, I guess what would happen in some cases is that ransomware would effectively just target the system and lock it all down, but it wouldn’t essentially anything that just lock it down and ask for a ransom.

However if let’s say I had well established backups, you could effectively wipe your system and start again and that would get rid of the ransomware or at least that would be the hope.

But with this double double extortion technique, even if he did that, there’s still equally information online and then you have the duty to contend with.

So we’ll have downfall other ransomware groups.

I mean, my main sort of take away and as me and Louis sort of researching this and looking into it a bit, I guess my my thoughts and it is I would hope so, but it would be a bit too optimistic to say that, but of course we had a few more points to make in that regard.

Well, I think like especially if these sort of groups is that I like to take the idea of trying to kill the Hydra. The difficulty is, if you kill one head, effectively two more pop up in its place.

So the group is effectively splinter into those different sort of organizations, especially with cases like this is that a lot of small groups are becoming nation backed, which makes them a lot harder to take down.

And if they have the funding of a particular country then it can be even more difficult.

I think what Louis means by nation backed is we can’t say for certain, but there are definitely or what seems like a sort of hackers and groups in Russia that if they were to sort of cause any issues for Americans or anyone really it’s very unlikely that they would suffer any consequences.

Russia is not really going to send them out to America, you know, to serve sentences and as Louis said, I mean you cut off one head and five more pop back up and I guess for example cutting sort of getting rid of Hive’s service.

They can’t just set up another one.

When a ransomware group breaks down, there are concerns the low level sharks of the group will disband and start targeting smaller businesses on their own.

Is this something organisations need to look out for?

And having one big group that effectively targets one organization after whatever let’s say that account the US healthcare industry and target if you have like two or three different groups, there’s no, they can just do whatever they want really.

One can target the US let’s say target of the european so maybe people in East asia.

So yeah, effectively I feel like organizations should always be careful with this sort of stuff.

But perhaps more so now.

I mean there’s nothing stopping the people who did this that were with Hive doing it as a new, as a new sort of group or individually possibly it’s just like for like anonymous for example, I mean they’re not obviously know for ransom where they’re more modern as hacktivists or something like that, but that’s just people, there’s no, you know, one group it could be anyone anywhere and nothing stops you from I guess carrying their work.

And what does the future look like for ransomware groups, for example, LockBit and BlackCat?

Sort of the effective ransom groups changed the times, right.

If we look back at the first ransomware, it was effectively used floppy disks were sent out a different mailing addresses and they plug in these floppy disks and ransom system and then you have like a few years ago for example WannaCry which was downloaded by phishing and then was spread by a worm.

It was using the EternalBlue exploit in SMB and now you have even more sophisticated encryptions and for example, the double extortion technique used by Hive, I feel like that they’ll continue to use that sort of technique because it’s tried and tested and it works quite well.

A you have the, if you don’t pay the ransom, you’re not going to get your files back.

And also the internet.

I think you’ve got a really good example, a really funny one with the floppy disks.

Imagine turning up somewhere with that for a client.

I don’t think you’re going to get very far with a floppy disk nowadays, but Louis is completely right.

I think with technology, all these sort of attacks are going to develop.

But I think what does it look like for the future is a really good question.

I think ransomware groups should, you know, keep this in mind because the list, there’s about 14 authorities that I’ve got here that were involved in taking down Hive.

I mean if these party in different countries can band together.

You know, to take down this group, then I think anything’s really possible.

An interesting point I’d like to add actually is about loyalty within these groups.

A famous ransomware group called Conti: when the Russia-Ukrainian war started almost a year ago today, they effectively said we support the Russian invasion of Ukraine.

There were Ukrainians within the Conti group that were a little bit upset about that.

And they actually leaked all of pretty much all of their data as sort of a response so you can see that perhaps in the future you have split up some perhaps based on national ties or some.

No, definitely.

I’ve read this somewhere online, I’m not sure, I can’t see who it was for sure.

But there’s some sort of talk about certain ransomware that don’t target.

So post Soviet countries or you know like Lithuania used to be in the Soviet Union, they’re one of the countries that doesn’t get targeted by certain Russian hackers because they used to be in the Soviet Union and I’m pretty sure the reason that is is because there might be some Lithuanians in the group who refused to target their own country.

And I mean, yes, so it’s going back to what you said, Eimee, about Hive setting up another group: how soon could they possibly set up another group and how soon for the FBI to take them down?

I think it really depends because I can imagine there’s quite a bit of infrastructure in place to sort of set things like that up.

But I mean what’s to say they don’t already have a backup plan, what’s to say they don’t have something similar.

I mean they might not necessarily pop up as Hive again, I mean that could be really obvious or there’s a potential that the FBI could already know about that or may have already taken down any backup plans but it could it could be almost instant and we wouldn’t really necessarily know unless the FBI were able to collect that information or it could take ages because I’m pretty sure there was a lot of servers that was seized in different countries and I can’t imagine servers aren’t free.

So yeah, this is quite hard to say it specifically.

And what can people do to mitigate the risks of ransomware attacks?

I feel like the main domain where people get it still is by social engineering.

Let’s see if someone’s trying to target an organization.

One of the easiest ways to do is just send them a link to download the link and then it spreads across the organisation.

So social engineering training is probably the most ideal, training people not to open dodgy email links.

Training people to report, report them of the organization to their team, of course, keeping an updated antivirus software and keeping your systems up to date can always help.

Albeit sort of a last resort mitigation but it can potentially stem the flow.

I think I think anything that sort of gives you a foothold on somebody’s network, whether it be a small or a big one.

Like you said, social engineering is just kind of the keys to the kingdom.

If you can get someone to give you information over the phone or over email.

And I mean that’s it really isn’t it, then you’ve got access.

But yeah, as Louis said sort of antivirus systems and things like that.

But I’d say patching as well, you see sort of low level hanging fruit that you could take just because something is out of date, it might have a well known online publicly known vulnerability that you can exploit and and get some sort of user or something like that.

And from there nothing stopping you, you know, encrypting all the files and and taking them all.

So, but there’s, there’s a lot and as we’ve discussed in previous podcasts, the sort of, you know, phishing well known emails and, you know, of trying to avoid clicking anything really suspicious.

But yeah, I think that’s quite key things.

I’d say that one of the important point is that in terms of mitigation, assume that the attacks already happened in the worst case now is that we have today backups of everything.

Then even if you do get some wedding, everything, at least you haven’t lost all of your progress to you have a backup systems in place.

And if you can do that externally to, then it means that it’s also likely not going to be, I think one of the best points is that don’t keep personal and sensitive information and shares, if it’s not necessarily if it’s not needed to be there, it shouldn’t be there.

I think as an example of definitely seen where if you compromise a user and you can see, you know, lists of websites that users can access and then passwords and user names available right next to the link.

I mean, I’ve not only compromised your company and a user of also compromised every company that company uses and works for.

You know, it shouldn’t be that information should not be on the shares for any reason.

It and if it is encrypt if you’ve got, I mean I will 100% advise against putting passwords and user names and note pads, but and if you do have to do that encrypt that put and put the password in a vault, you know, sort of like 1Password.

Yeah, like like one pass and all of them.

And I mean even then I’d still really trying to go with really sort of complex passwords as for example, the what was it LastPass sort of recently had an issue.

Well, I’m pretty sure if your password is of a good sell Of strength.

There’s not that we shouldn’t, I mean of course that shouldn’t have happened in the first place, but you shouldn’t be as worried as people who are really usable.

It’s very easy guessable passwords.

So but yeah, 100% sort of good passwords and avoid dodgy links and patch management.

Great point.

You mentioned earlier, Louis, about training. I think all businesses and organisations should have training in place for their staff so they’re aware of scams, phishing, ransomware. Are cybercriminals changing their tactics to counter the most robust response for law enforcement?

Constantly.

So like we talked about the first ransomware using floppy disks and technology moved on.

They used encryption in the case of acquiring and exploiting the vulnerability, it’s a bit like a cat and mouse game really and this isn’t just a case of cyber criminals but also actual criminality too. It’s a case of attackers were finding new and intuitive way to target unsuspecting, more unfortunate victims, the police or the law enforcement will eventually catch up.

It might take them a couple of months so they might catch on quite quickly and then effectively they’ll just switch tactics and try something else.

So I think the game sort of explanation is probably the best example here I think, I mean technology is constantly changing and developing.

I mean what what do we know we have flying cars next next year and those flying cars will be vulnerable to dos attacks that will take you on the sky.

But as an example, I mean it’s not too far fetched to say that things like that are possible and things like that can also lead to ransomware and so of course as this technology develops so will the attacks, I mean Tesla for example had this was ages ago show but that vulnerability where you could stop and sort of accelerate somebody’s car remotely.

Yeah, but like I think AI is also important things for I mean right now ChatGPT’s in the news and people are using it like perhaps cheating exams and all that and something against that they’ve actually built and I think we will most likely, I think they are working on that in America.

It’s been great hearing the key information about not only this ransomware group, but other ransomware groups out there.

Have you both got any closing comments before we wrap up this podcast?

I think we’ve summarised sort of everything, but yeah, as you’ve sort of brought up some really

Thank you both for coming on another Pentest People TechBite.

It’s always great having you both on.

Thank you.

Thank you.

Ransomware groups are difficult to fully wipe out because the members tend to resurface in other groups.

Both the efforts by the FBI and other law enforcement agencies are designed to hit them on several fronts. Join me next week on another TechBite.

Thank you to our TechBite listeners for tuning in.

Follow our Pentest People Spotify page for more.


Lewis is the Marketing Manager here at Pentest People, handling our brand identity, event planning and all promotional aspects of the business.