Hive is a Ransomware as a Service (RaaS) group that lets affiliates pay for access to its ransomware strains. Hive has made its platform so simple to use that uptake has increased significantly. Once a new client has registered with the platform, they can register their targets and build their own strain of the ransomware very quickly; the process is remarkably like deal registration and deployment for many current security tools. The most common method of deployment is spear-phishing, which remains very effective at compromising target organizations despite aggressive security awareness training schedules.
Although each malware package is unique to the client deploying it, the core encryption methods are the same. Through their analysis, the researchers found a vulnerability in the encryption process that allowed them to recover as much as 95% of the keys used. This is a huge win for companies being held hostage by this type of ransomware, although it is not the whole story. Hive belongs to the family of ransomware that also exfiltrates data as it encrypts it, which means that even if a company can recover its data (from backup or through decryption), it will likely face a second ransom demand over the exfiltrated files.
Ransomware will continue to be a major threat to organizations, and Ransomware as a Service groups are likely to grow in number over the next few years. This is the trend we are seeing while security and disaster recovery processes and policies are not where they should be. To slow the spread of ransomware attacks, companies need to ensure that users are properly educated in how to spot and report potentially malicious emails. They also need to spend the time, and money, to ensure that backups cannot be compromised. Many ransomware strains try to pause or corrupt backups as part of the attack chain, so protecting these vital components of disaster recovery is essential.
Modern methods of malware detection and response (behavior- and math-based) need to be put in place to help stop infections before they can even start encrypting files. Data Loss Prevention applications can also be used to identify and stop rapid file changes. Firewall rules can be set up to detect and stop exfiltration attempts, for example by looking for certain file types and sizes, and for sessions connecting to unusual IP addresses or ranges. Finally, users of Microsoft Office products can restrict how Office applications handle requests to spawn child processes (such as calling MSHTA or PowerShell); this limits the use of macros or VBA code in received emails, among other things, and reduces the risk of a ransomware infection in the first place.
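As an added example (not code from the original article or from the researchers it describes), the detection side of the Office child-process control above can be checked in process-creation telemetry: the script below flags any Office application launching a script host such as MSHTA or PowerShell. The log format and the sample records are constructed, modelled loosely on Sysmon Event ID 1 fields (ParentImage, Image, CommandLine).

```python
# Added example: flag Office applications that spawn a script host.
# The records are constructed, modelled loosely on Sysmon Event ID 1 fields
# (ParentImage, Image, CommandLine); the "Key=Value|..." line format is invented.
import ntpath

# Office binaries that should rarely, if ever, launch script hosts.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Script and LOLBin hosts that a malicious macro would typically launch.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}


def parse_record(line: str) -> dict:
    """Parse one constructed 'Key=Value|Key=Value' line into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")  # split on the first '=' only
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    # ntpath handles Windows separators on any host OS; compare case-insensitively.
    return ntpath.basename(path).lower()


def detect_office_child_processes(lines):
    """Return (parent, child, command_line) for each Office -> script-host launch."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        parent = basename(rec.get("ParentImage", ""))
        child = basename(rec.get("Image", ""))
        if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
            alerts.append((parent, child, rec.get("CommandLine", "")))
    return alerts


# Constructed sample events: the first and third should alert; the others are benign
# (Explorer launching a backup script; Outlook opening an attachment in Word).
SAMPLE_EVENTS = [
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|Image=C:\Windows\System32\mshta.exe|CommandLine=mshta.exe C:\Users\alice\AppData\Local\Temp\invoice.hta",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -File C:\Scripts\backup.ps1",
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -WindowStyle Hidden -File C:\Users\alice\AppData\Local\Temp\update.ps1",
    r"ParentImage=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|CommandLine=WINWORD.EXE /n",
]

if __name__ == "__main__":
    for parent, child, cmd in detect_office_child_processes(SAMPLE_EVENTS):
        print(f"ALERT {parent} -> {child}: {cmd}")
```

The Outlook-to-Word record is deliberately left unflagged: Office launching another Office binary is routine, and the rule fires only on script and LOLBin hosts.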