The US State Department has announced cash rewards of up to $10 million for information on individuals holding key positions in the Hive ransomware operation.
An additional $5 million is also being offered for details that could lead to the arrest and/or conviction of any person “conspiring to participate or attempting to participate in Hive ransomware activity.”
The multimillion-dollar rewards come just over a year after a coordinated law enforcement effort covertly infiltrated and dismantled the darknet infrastructure associated with the Hive ransomware-as-a-service (RaaS) gang. A person with suspected links to the group was arrested in Paris in December 2023.
Hive, which emerged in mid-2021, has targeted more than 1,500 victims in over 80 countries, raking in approximately $100 million in illegal revenue. In November 2023, Bitdefender revealed that a new ransomware group called Hunters International had acquired source code and infrastructure from Hive to launch its own efforts.
There is some evidence to suggest that threat actors associated with Hunters International are likely based in Nigeria, specifically an individual called Olowo Kehinde, according to information gathered by Netenrich security researcher Rakesh Krishnan, although it could also be a fake persona adopted by the actors to hide their true origins.
Blockchain analytics firm Chainalysis, in its 2023 review released last week, estimated that ransomware teams raked in $1.1 billion in extorted cryptocurrency payments from victims last year, compared to $567 million in 2022, all but confirming that ransomware recovered in 2023 after a relative decline in 2022.
“2023 marks a major return for ransomware, with record payouts and a substantial increase in the scale and complexity of attacks – a significant reversal from the decline seen in 2022,” it said.
The decline in ransomware activity in 2022 was considered a statistical aberration, with the decline attributed to the Russian-Ukrainian war and the Hive outage. Additionally, the total number of victims posted on data leak sites in 2023 was 4,496, compared to 3,048 in 2021 and 2,670 in 2022.
Palo Alto Networks Unit 42, in its analysis of public lists of ransomware gang victims on dark web sites, listed manufacturing as the hardest-hit vertical in 2023, followed by the professional and legal services, high tech, retail, construction, and healthcare sectors.
While the law enforcement action prevented a ransom of approximately $130 million from being paid to Hive, the takedown is said to have “likely affected the broader activities of Hive affiliates, potentially decreasing the number of further attacks they could carry out.” In total, the effort may have averted at least $210.4 million in payments.
In addition to the escalating regularity, scale and volume of attacks, the past year has also seen a surge in new entrants and offshoots, a sign that the ransomware ecosystem is attracting a steady stream of new players drawn by the prospect of high profits and lower barriers to entry.
Cyber insurance company Corvus said the number of active ransomware gangs saw a “significant” increase of 34% between the first and fourth quarters of 2023, rising from 35 to 47 due to fracturing and rebranding, or to other actors getting hold of leaked encryptors. Twenty-five new ransomware groups emerged in 2023.
“The frequency of rebranding, especially among the actors behind the largest and most well-known strains, is an important reminder that the ransomware ecosystem is smaller than the large number of strains might make it seem,” Chainalysis said.
In addition to a notable shift toward big game hunting, which refers to the tactic of targeting very large companies to extort large ransoms, ransom payments are steadily being routed through cross-chain bridges, instant exchangers, and gambling services, indicating that e-crime groups are slowly moving away from centralized exchanges and mixers in search of new avenues for money laundering.
In November 2023, the US Treasury Department imposed sanctions against Sinbad, a virtual currency mixer used by the North Korea-linked Lazarus Group to launder illicit proceeds. Some of the other sanctioned mixers include Blender, Tornado Cash, and ChipMixer.
The big-game hunting pivot is also a consequence of companies’ growing refusal to settle, as the number of victims choosing to pay fell to a new low of 29% in the final quarter of 2023, according to data from Coveware.
“Another factor contributing to the increase in the number of ransomware attacks in 2023 was a major shift in threat actors’ use of vulnerabilities,” Corvus said, highlighting Cl0p’s exploitation of flaws in Fortra GoAnywhere and Progress MOVEit Transfer.
“If malware, such as infostealers, provides a constant flow of new ransomware victims, then a serious vulnerability is like turning on a faucet. With some vulnerabilities, relatively easy access to thousands of victims can materialize seemingly overnight.”
Cybersecurity firm Recorded Future revealed that the weaponization of security vulnerabilities by ransomware groups falls into two clear categories: vulnerabilities that have been exploited by only one or two groups, and those that have been widely exploited by more threat actors.
“Magniber has focused exclusively on Microsoft vulnerabilities, with half of its unique exploits focused on Windows SmartScreen,” it noted. “Cl0p has a unique and infamous focus on file transfer software from Accellion, SolarWinds, and MOVEit. ALPHV has focused exclusively on data backup software from Veritas and Veeam. REvil has focused exclusively on server software from Oracle, Atlassian and Kaseya.”
The continued adaptation observed among cybercriminal teams is also highlighted by the increase in DarkGate and PikaBot infections following the removal of the QakBot malware network, which was the preferred initial route of entry into target networks for ransomware distribution.
“Ransomware groups like Cl0p have used zero-day exploits against newly discovered critical vulnerabilities, which pose a complex challenge to potential victims,” Unit 42 said.
“While data on ransomware leak sites can provide valuable insights into the threat landscape, this data may not accurately reflect the full impact of a vulnerability. Organizations must not only be vigilant about known vulnerabilities, but also develop strategies to respond quickly and mitigate the impact of zero-day exploits.”