
Hive ransomware: modern, efficient business model
The US Justice Department's shutdown Thursday of the Hive ransomware operation -- which extorted some $100 million from more than 1,500 victims worldwide -- highlights how hacking has become an ultra-efficient, specialized industry that can allow anyone to become a cyber-shakedown artist.
- Modern business model -
Hive operated in what cybersecurity experts call a "ransomware as a service" style, or RaaS -- a business that leases its software and methods to others to use in extorting a target.
The model is central to the larger ransomware ecosystem, in which actors specialize in one skill or function to maximize efficiency.
According to Ariel Ropek, director of cyber threat intelligence at cybersecurity firm Avertium, this structure makes it possible for criminals with minimal computer fluency to get into the ransomware game by paying others for their expertise.
"There are quite a few of them," Ropek said of RaaS operations.
"It is really a business model nowadays," he said.
- How it works -
On the so-called dark web, providers of ransomware services and support pitch their products openly.
At one end are the initial access brokers, who specialize in breaking into corporate or institutional computer systems.
They then sell that access to the hacker, or ransomware operator.
But the operator depends on RaaS developers like Hive, which have the programming skills to create the malware needed to carry out the operation and avoid counter-security measures.
Typically, their programs -- once inserted by the ransomware operator into the target's IT systems -- are manipulated to freeze, via encryption, the target's files and data.
The programs also extract the data back to the ransomware operator.
RaaS developers like Hive offer a full service to the operators, for a large share of the ransom paid out, said Ropek.
"Their goal is to make the ransomware operation as turnkey as possible," he said.
- Polite but firm -
When the ransomware is planted and activated, the target receives a message telling them how to correspond and how much to pay to get their data unencrypted.
That ransom can run from thousands to millions of dollars, usually depending on the financial strength of the target.
Inevitably the target tries to negotiate on the portal. They often don't get very far.
Menlo Security, a cybersecurity firm, last year published the conversation between a target and Hive's "Sales Department" that took place on Hive's special portal for victims.
In it, the Hive operator courteously and professionally offered to prove the decryption would work with a test file.
But when the target repeatedly offered a fraction of the $200,000 demanded, Hive was firm, insisting the target could afford the total amount.
Eventually, the Hive agent gave in and offered a significant reduction -- but drew the line there.
"The price is $50,000. It's final. What else to say?" the Hive agent wrote.
If a target organization refuses to pay, the RaaS developers hold a backup position: they threaten to release the hacked confidential files online or sell them.
Hive maintained a separate website, HiveLeaks, to publish the data.
On the back end of the deal, according to Ropek, there are specialist operations to collect the money, making sure those taking part get their shares of the ransom.
Others, known as cryptocurrency tumblers, help launder the ransom for the hacker to use above-ground.
- Modest blow -
Thursday's action against Hive was only a modest blow against the RaaS industry.
There are numerous other ransomware specialists similar to Hive still operating.
The biggest current threat is LockBit, which attacked Britain's Royal Mail in early January and a Canadian children's hospital in December.
In November, the Justice Department said LockBit had reaped tens of millions of dollars in ransoms from 1,000 victims.
And it isn't hard for Hive's operators to just start again.
"It's a relatively simple process of setting up new servers, generating new encryption keys. Usually there's some kind of rebrand," said Ropek.
L.Mason--AMWN