Co-Working for the Ransomware Age: How Hive Thrived

Co-Working for the Ransomware Age: How Hive Thrived
Mixing Conti's Leftovers and Small Teams Helped Hive Earn Millions, Researcher Says
Mathew J. Schwartz (euroinfosec) • March 8, 2023
Co-Working for the Ransomware Age: How Hive Thrived
Image: Shutterstock
Business gurus who preach strategic adaptability may have no greater adepts than ransomware hackers, who have demonstrated levels of innovation that - were they not criminal extortionists - would be worthy of a business case study.

See Also: OnDemand | Navigating the Difficulties of Patching OT

Major leaps forward include CryptoLocker deploying crypto-locking malware at scale in 2013, Maze in 2019 pioneering the practice of stealing data and also holding it to ransom via double extortion, and the likes of LockBit in recent years creating automated attack tools - lowering technical barriers to entry for wannabe ransomware attackers.

Add Hive to the list of ransomware groups that have found highly effective new business strategies.

After the January takedown of Hive spearheaded by Dutch, German and U.S. law enforcement agencies, the FBI reported that the group had deployed crypto-locking malware inside 1,500 organizations - how many of these attacks succeeded isn't clear - and received over $100 million in known ransom payments.

The takedown revealed that a previously unseen ransomware business strategy was key to Hive's success: co-working. As epitomized by the likes of WeWork, the term refers to work environments in which individuals from different employers come together, sharing ideas and knowledge.

That is exactly what eventually began happening with Hive, as the very name of the ransomware group now belatedly suggests, says Yelisey Bohuslavskiy, chief research officer at New York-based threat intelligence firm Red Sense.

Early Days: Ransomware-as-a-Service Group
Hive didn't always work in this way. When launched in June 2021, Hive was a ransomware-as-a-service group, working with independent contractors. Operators gave these affiliates access to administrator panels where they could generate strains of Hive's crypto-locking malware. For every victim that paid a ransom, the operators received a cut.

Attackers wielding Hive amassed victims across numerous sectors, including such critical infrastructure sectors as government facilities, communications, critical manufacturing, IT and especially healthcare and public health, the U.S. Cybersecurity and Infrastructure Security Agency reported.

For many ransomware groups, mid-2021 was a time of great upheaval. After missteps by some major groups, including Conti, DarkSide and REvil - aka Sodinokibi - many affiliates began to see working with big, centralized groups as a liability. As a result, many attackers began to diversify who they worked with, and less centralized groups became more common.

One exception was Conti, which differed from most other ransomware operations by maintaining a core staff of about 200 employees rather than mostly working with contractors. The FBI last year said Conti was "the costliest strain of ransomware ever documented," a testament to its success.

Monetizing Conti's Overflow
Bohuslavskiy says Hive by November 2021 appeared to be the first of many groups that entered Conti's orbit, when it received three smaller victims Conti had harvested via the Emotet botnet, which Hive passed to small teams of three or four trusted "pentesters" who worked together to monetize these less high-profile targets.

He says this idea appeared to be spearheaded by the head of Conti's Division 2, who also fostered partnerships with numerous other groups - Emotet, Hello Kitty and Alphv/BlackCat by the fall of 2021 and later LockBit, Ragnar Locker and Avos. Previously, ransomware groups sharing victims with each other was rare, he says.

By December 2021, the strategy of giving Hive low-level cases that the Conti operation didn't have time to pursue appeared to be thriving. "At this point it was not only Hive taking low-tier Conti cases, but also taking Conti's small teams to offer them work," Bohuslavskiy says. "It is not coincidental that on Dec. 14, 2021, very soon after sharing work with Conti, Hive made a major locker update, redesigning its locker and panels." Business was booming.

During this time, "many pentesters began feeling more free and they started to use Hive as a co-working space - just working together," albeit virtually, Bohuslavskiy says. "Small teams from different groups - mostly Conti - were using Hive loaders or ransomware notes, and the Hive admin was managing the panel and negotiations." He says participants included Conti Division 1, formerly known as Ryuk; Division 2, which is now Royal ransomware; and Division 3, which is now BlackBasta; as well as BlackCat, LockBit and FiveHands/HelloKitty.

In May 2022, Conti announced it was shutting down. One likely reason is because after Conti's leadership publicly backed Moscow's invasion of Ukraine and a Ukrainian security researcher responded by leaking voluminous internal chat logs, those communications made clear that Conti had close ties with the Russian government. In response, many victims stopped paying ransoms to Conti.

Behind the scenes, Conti had already launched spinoff groups and begun to offload victims to other partners. "When Conti disbanded officially in May, we were able to see that a big chunk of Hive victims were actually Conti, because on the eve of the disbanding they started to dump huge amounts of previously hit victims onto their blogs," Bohuslavskiy says.

After Conti's demise, at least as a brand name, Hive's co-working model began to pay dividends, he says. "All the folks who were not feeling great about sending Conti's ransom note while executing Conti's locker were able to do this instead via Hive," he says. "This is when the co-working space suddenly became even more useful."

Hive Thrives - Until It Doesn't
Hive's management made some operational security mistakes, as demonstrated by the ability of law enforcement agencies to infiltrate its infrastructure in July 2022.

"We hacked the hackers," Deputy Attorney General Lisa O. Monaco told reporters at a press conference after law enforcement agencies seized Hive's infrastructure on Jan. 25, leaving it dark.

Whether Hive's operation stays down remains an open question. Besides the time and expense required to restore infrastructure, arguably the Hive brand has suffered major damage after being infiltrated by authorities for more than six months. During that time, law enforcement passed free decryptors to all victims it could identify, and took a massive bite out of Hive's earnings, including $130 million in initial ransom demands to victims.

Ransomware remains a serious problem owing to the ongoing volume of existing attacks and the disruption they can cause.

If there's a final lesson from Hive, it's that law enforcement, too, is finding innovative new ways to disrupt ransomware groups and their illicit revenue streams.