Trends in ransomware-as-a-service and cryptocurrency to monitor

In January, law enforcement officials disrupted the operations of the Hive cybercriminal group, which profited off a ransomware-as-a-service (RaaS) business model. Hive is widely believed to be affiliated with the Conti ransomware group, joining a list of other groups associated with former Conti operators, including Royal, Black Basta, and Quantum.

RaaS affiliates are all over the globe, and so are their victims. These affiliates use a myriad of different tactics and techniques. In this article, I’ll cover what the Hive case tells us about RaaS trends, how it relates to cryptocurrency, and how to defend against similar groups.

Hive’s modus operandi

Hive, like other RaaS providers, wrote a ransomware encryptor, created a dark web domain, advertised their services to affiliates and forums, and then allowed users to purchase a license (for their services) to configure a ransomware payload and receive extortion funds.

RaaS providers typically take a cut of the ill-gotten proceeds – it’s usually a 75/25, 80/20, or 85/15 split (Hive was 80/20).

Hive, and every other ransomware group, still uses cryptocurrency for ransomware payments because it is borderless and almost instant. There are no conversions or bank approvals; it’s an anonymous system of transferring and instantly sending funds around the globe. Cryptocurrency also makes it easy to split the money extorted from victims with other users.

Priced high or low, cryptocurrency is the best and most effective avenue for ransomware operators to elicit funds from victims. The price of cryptocurrency follows the path of Bitcoin (BTC). If BTC goes up, most others go up as well. Conversely, if its price goes down, everything else follows.

To account for its often-volatile value, when attackers breach a victim and demand a ransom, they simply alter the amount of cryptocurrency they ask for based on the current price of the token used. In other words, operators base the ransom on the conversion price, not the token price. For example, if a ransomware group wants to ransom a business for $50,000, they will convert that into the current token price and ask for that much.

While most cryptocurrency is traceable, many ransomware operators perform their misdeeds from countries with governments who tend to look the other way, especially if the attacks don’t target the country they are operating from. For example, many ransomware operators from Eastern Europe and Russia put logic in their malware’s code to geolocate a victim’s machine. The malware will terminate if it is in a country that is part of the Commonwealth of Independent States (CIS), allowing ransomware operators in these countries to deploy ransomware without worrying as much about being arrested (Hive is an example of this). But to try and protect themselves from being traced, attackers still use mixers and privacy coins to mask their tracks.

The Hive case is unique in that a global, joint operation of federal authorities from several countries worked together to take down the infrastructure of a ransomware group. This was primarily possible because the Hive group’s infrastructure (servers) was in the United States, at least partially.

The operation – and other recent takedowns of ransomware groups like REvil and DarkSide, not to mention various affiliates that use other ransomware – demonstrates how governments are becoming more offensive in stopping these threat actors. Law enforcement and cybersecurity agencies have realized that a purely defensive strategy isn’t the best approach to tackling this issue.

The Hive group’s affiliates attacked organizations all over the globe. A map of the affected countries provided by the United States Department of Justice (USDOJ) showed that, unsurprisingly, very few CIS countries were affected. In contrast, the group had victims in almost every other part of the globe.

Additionally, these attacks used various methodologies to breach organizations. That’s because different affiliates have different tactics, even within the same ransomware group. Every RaaS group will have multiple tactics and techniques they can implement in various ways. That complicates the challenge of defending against them.

Set up defense-in-depth

For security professionals, it means a good defensive posture should be holistic and include defense-in-depth mechanisms.

For example, Hive affiliates have been known to breach organizations using Remote Desktop Protocol (RDP) without multi-factor authentication (MFA), stolen credentials, phishing campaigns, and software vulnerabilities. There isn’t a single solution to effectively tackle these issues; you’d need multiple solutions working synergistically together to thwart attacks.

You would need to implement a policy to ensure MFA is on any authentication to your network (a zero-trust network, ideally), multi-factor license(s) if you don’t have them, email security and phishing training solutions, and a patch management system with comprehensive asset management behind it. That is to solve the known techniques from one RaaS group.

Let’s take another group, for example: Cl0p. They are known for breaching software companies and then breaching other companies that use their software – a supply chain attack with ransomware and/or data exfiltration. To protect yourself from this kind of attack, your defensive posture should be comprehensive and have a series of checks and balances. If one solution fails, ideally, you’d want another to catch the misses or false positives. Of course, I’m talking about an ideal solution.

Since most companies can’t just throw a bunch of money at solutions, I’d recommend tackling phishing and email security (with training) unless there is a glaring problem in your security elsewhere. Almost all threat actors disseminate malware via phishing emails and targeting – in fact this is where most breaches start according to the 2023 Verizon Data Breach Investigations Report.