Two individuals have been arrested in Australia and the U.S. in connection with an alleged scheme to develop and distribute a remote access trojan called Hive RAT (previously Firebird).

The U.S. Justice Department (DoJ) said the malware “gave the malware purchasers control over victim computers and enabled them to access victims’ private communications, their login credentials, and other personal information.”

A 24-year-old individual named Edmond Chakhmakhchyan (aka “Corruption”) from Van Nuys in Los Angeles, California, was taken into custody after he was caught selling a license of Hive RAT to an undercover employee of a law enforcement agency.

He has been charged with one count of conspiracy and one count of advertising a device as an interception device, each of which carries a penalty of five years in prison. Chakhmakhchyan pleaded not guilty and was ordered to stand trial on June 4, 2024.

Court documents allege a partnership between the malware’s creator and the defendant under which the latter would post advertisements for the malware on a cybercrime forum called Hack Forums, accept cryptocurrency payments from customers, and offer product support.

Hive RAT comes with capabilities to terminate programs, browse files, record keystrokes, access incoming and outgoing communications, and steal victim passwords and other credentials for bank accounts and cryptocurrency wallets from victims’ machines without their knowledge or consent.

“Chakhmakhchyan exchanged electronic messages with purchasers and explained to one buyer that the malware ‘allowed the Hive RAT user to access another person’s computer without that person knowing about the access,'” the DoJ said.

The Australian Federal Police (AFP), which announced charges of its own against a citizen for their purported involvement in the creation and sale of Hive RAT, said its investigation into the matter began in 2020.

The unnamed suspect faces 12 charges, including one count of producing data with intent to commit a computer offense, one count of controlling data with intent to commit a computer offense, and 10 counts of supplying data with intent to commit a computer offense. The maximum penalty for each of these offenses is three years imprisonment.

“Remote Access Trojans are one of the most harmful cyber threats in the online environment – once installed onto a device, a RAT can provide criminals with full access to, and control of the device,” AFP Acting Commander Cybercrime Sue Evans said.

“This could include anything from committing crimes anonymously, watching victims through camera devices, wiping hard drives, or stealing banking credentials and other sensitive information.”

Nebraska Man Indicted in Cryptojacking Scheme

The development comes as federal prosecutors in the U.S. indicted Charles O. Parks III (aka “CP3O”), 45, for operating a massive illegal cryptojacking operation, defrauding “two well-known providers of cloud computing services” out of more than $3.5 million in computing resources to mine cryptocurrency worth nearly $1 million.

The indictment charges the Parks with wire fraud, money laundering, and engaging in unlawful monetary transactions. He was arrested on April 13, 2024. The wire fraud and money laundering charges carry a maximum sentence of 20 years’ imprisonment. He also faces a 10 years’ imprisonment on the unlawful monetary transactions charges.

While the DoJ does not explicitly state what cloud providers were targeted in the fraudulent operation, it noted that the companies are based in the Washington state cities of Seattle and Redmond – the corporate headquarters for Amazon and Microsoft.

“From in or about January 2021 through August 2021, Parks created and used a variety of names, corporate affiliations and email addresses, including emails with domains from corporate entities he operated […] to register numerous accounts with the cloud providers and to gain access to massive amounts of computing processing power and storage that he did not pay for,” the DoJ said.

The illicitly obtained resources were then used to mine cryptocurrencies such as Ether (ETH), Litecoin (LTC) and Monero (XMR), which were laundered through a network of cryptocurrency exchanges, a non-fungible token (NFT) marketplace, an online payment provider, and traditional bank accounts to conceal digital transaction trail.

The ill-gotten proceeds, prosecutors said, were ultimately converted into dollars, which Parks used to make various extravagant purchases that included a Mercedes Benz luxury car, jewelry, and first-class hotel and travel expenses.

“Parks tricked the providers into approving heightened privileges and benefits, including elevated levels of cloud computing services and deferred billing accommodations, and deflected inquiries from the providers regarding questionable data usage and mounting unpaid subscription balances,” the DoJ said.

The U.S. Department of State has announced monetary rewards of up to $10 million for information about individuals holding key positions within the Hive ransomware operation.

It is also giving away an additional $5 million for specifics that could lead to the arrest and/or conviction of any person “conspiring to participate in or attempting to participate in Hive ransomware activity.”

The multi-million-dollar rewards come a little over a year after a coordinated law enforcement effort covertly infiltrated and dismantled the darknet infrastructure associated with the Hive ransomware-as-a-service (RaaS) gang. One person with suspected ties to the group was arrested in Paris in December 2023.

Hive, which emerged in mid-2021, targeted more than 1,500 victims in over 80 countries, netting about $100 million in illegal revenues. In November 2023, Bitdefender revealed that a new ransomware group called Hunters International had acquired the source code and infrastructure from Hive to kick-start its own efforts.

There is some evidence to suggest that the threat actors associated with Hunters International are likely based in Nigeria, specifically an individual named Olowo Kehinde, per information gathered by Netenrich security researcher Rakesh Krishnan, although it could also be a fake persona adopted by the actors to cover up their true origins.

Blockchain analytics firm Chainalysis, in its 2023 review published last week, estimated that ransomware crews raked in $1.1 billion in extorted cryptocurrency payments from victims last year, compared to $567 million in 2022, all but confirming that ransomware rebounded in 2023 following a relative drop off in 2022.

“2023 marks a major comeback for ransomware, with record-breaking payments and a substantial increase in the scope and complexity of attacks — a significant reversal from the decline observed in 2022,” it said.

The decline in ransomware activity in 2022 has been deemed a statistical aberration, with the downturn attributed to the Russo-Ukrainian war and the disruption of Hive. What’s more, the total number of victims posted on data leak sites in 2023 was 4,496, up from 3,048 in 2021 and 2,670 in 2022.

Palo Alto Networks Unit 42, in its own analysis of ransomware gangs’ public listings of victims on dark web sites, called out manufacturing as the most impacted industry vertical in 2023, followed by profession and legal services, high technology, retail, construction, and healthcare sectors.

While the law enforcement action prevented approximately $130 million in ransom payments to Hive, it’s said that the takedown also “likely affected the broader activities of Hive affiliates, potentially lessening the number of additional attacks they could carry out.” In total, the effort may have averted at least $210.4 million in payments.

Adding to the escalation in the regularity, scope, and volume of attacks, last year also witnessed a surge in new entrants and offshoots, a sign that the ransomware ecosystem is attracting a steady stream of new players who are attracted by the prospect of high profits and lower barriers to entry.

Cyber insurance provider Corvus said the number of active ransomware gangs registered a “significant” 34% increase between Q1 and Q4 2023, growing from 35 to 47 either due to fracturing and rebranding or other actors getting hold of leaked encryptors. Twenty-five new ransomware groups emerged in 2023.

“The frequency of rebranding, especially among actors behind the biggest and most notorious strains, is an important reminder that the ransomware ecosystem is smaller than the large number of strains would make it appear,” Chainalysis said.

Besides a notable shift to big game hunting, which refers to the tactic of targeting very large companies to extract hefty ransoms, ransom payments are being steadily routed through cross-chain bridges, instant exchangers, and gambling services, indicating that e-crime groups are slowly moving away from centralized exchanges and mixers in pursuit of new avenues for money laundering.

In November 2023, the U.S. Treasury Department imposed sanctions against Sinbad, a virtual currency mixer that has been put to use by the North Korea-linked Lazarus Group to launder ill-gotten proceeds. Some of the other sanctioned mixers include Blender, Tornado Cash, and ChipMixer.

The pivot to big game hunting is also a consequence of companies increasingly refusing to settle, as the number of victims who chose to pay dropped to a new low of 29% in the last quarter of 2023, according to data from Coveware.

“Another factor contributing to higher ransomware numbers in 2023 was a major shift in threat actors’ use of vulnerabilities,” Corvus said, highlighting Cl0p’s exploitation of flaws in Fortra GoAnywhere and Progress MOVEit Transfer.

“If malware, like infostealers, provide a steady drip of new ransomware victims, then a major vulnerability is like turning on a faucet. With some vulnerabilities, relatively easy access to thousands of victims can materialize seemingly overnight.”

Cybersecurity company Recorded Future revealed that ransomware groups’ weaponization of security vulnerabilities falls into two clear categories: vulnerabilities that have only been exploited by one or two groups and those that have been widely exploited by multiple threat actors.

“Magniber has uniquely focused on Microsoft vulnerabilities, with half of its unique exploits focusing on Windows Smart Screen,” it noted. “Cl0p has uniquely and infamously focused on file transfer software from Accellion, SolarWinds, and MOVEit. ALPHV has uniquely focused on data backup software from Veritas and Veeam. REvil has uniquely focused on server software from Oracle, Atlassian, and Kaseya.”

The continuous adaptation observed among cybercrime crews is also evidenced in the uptick in DarkGate and PikaBot infections following the takedown of the QakBot malware network, which has been the preferred initial entry pathway into target networks for ransomware deployment.

“Ransomware groups such as Cl0p have used zero-day exploits against newly discovered critical vulnerabilities, which represent a complex challenge for potential victims,” Unit 42 said.

“While ransomware leak site data can provide valuable insight on the threat landscape, this data might not accurately reflect the full impact of a vulnerability. Organizations must not only be vigilant about known vulnerabilities, but they must also develop strategies to quickly respond to and mitigate the impact of zero-day exploits.”