In the world of cybercrime, Hive had established itself as a service company renting out-of-the-box software and methods to operators seeking to extort their targets.
According to Ariel Ropek, director of cyber threat intelligence at Avertium – a computer security company – the structure allowed even criminals with weak computer skills to get into ransomware.
On the "dark web" (websites not referenced by regular browsers), ransomware service providers openly advertise their products.
"It's really a business model today," Ropek says.
On the one hand are initial access brokers, who specialize in hacking institutional or corporate computer systems and then selling that access to ransomware operators.
"Turnkey"
But these operators often depend on providers like Hive (“Hive”, in English) to create the malware that will allow the ransom demand, and to circumvent security measures.
Once inserted into the computer systems of an institution or a company, these programs will generally freeze the target's data by encryption.
To recover his data, the victim will have to pay.
A developer of ransomware services, such as Hive, offers full service to operators in exchange for a large portion of the ransom, claims Ariel Ropek.
“Their goal is to make the ransomware operation as +turnkey+ as possible,” he says.
Once the ransomware is implanted and activated, the target receives a message explaining how to match and how much to pay to get the data unlocked.
The ransom demand can be from a few thousand to several million dollars, depending on the financial base of the target.
The victim will usually try to negotiate the amount on the Hive portal dedicated to his targets - most often unsuccessfully.
The cybersecurity company Menlo Security published last year the exchanges between a target and the "commercial service" of Hive, on this portal.
When this target repeatedly offered a fraction of the requested $200,000, Hive initially stood firm, insisting that the target could afford such a sum, before eventually reducing the request to $50,000.
Other Operators
If a company refuses to pay, the developers of the system fall back on a plan B: they threaten to publish or sell the confidential data.
Hive maintained a separate website, HiveLeaks, to publish the data.
Other operators have made it their business to collect the money and ensure that all actors get their share of the ransom.
Finally, cryptocurrency "mixers" make it possible to launder the money thus obtained.
The dismantling of Hive announced on Thursday represents only a modest setback for the ransomware services industry: many other specialists similar to Hive continue to operate.
The most important threat is called Lockbit, which has just hit a pediatric hospital and the Royal Mail postal group in quick succession in the United Kingdom.
In November, the US Department of Justice estimated that Lockbit had killed more than 1,000 people and collected tens of millions of dollars in ransoms.
And it won't be complicated for Hive operators to start over, says Ariel Ropek.
"It's a fairly simple process of setting up new servers, generating new encryption keys - usually with new branding," he points out.
© 2023 AFP