Hive Ransomware Group Leaks Data Stolen in Tata Power Cyber-Attack

The Hive ransomware-as-a-service (RaaS) group has claimed responsibility for the cyber-attack against Tata Power disclosed by the company on October 14 and believed to have occurred on October 3.

“The company has taken steps to retrieve and restore the systems. All critical operational systems are functioning,” the Mumbai-based company said at the time.

According to security researcher Rakesh Krishnan, the leak has reportedly affected several of Tata’s 12 million customers and includes personally identifiable information (PII) like Aadhaar national identity card numbers, tax account numbers, salary information, addresses and phone numbers, among others.

Many have taken Hive leaking the stolen data to mean that any ransomware negotiations failed, but Edward Liebig, global director of cyber-ecosystem at Hexagon, has suggested a different option.

“Let’s face it, even if negotiations are successful, there is still only a 50% chance of recovery of the encrypted assets,” Liebig told Infosecurity in an emailed statement.

“The decision to pay or not to pay is a business call. If the organization is in a very vulnerable position (recovery of assets is not possible), if there is a chance for extremely damaging information to be compromised, or if the potential business impact far outweighs the ransom payment, then the business may decide to pay.”

According to the executive, another aspect to consider in this scenario is the rules of the cyber insurance carrier. 

“Some Cyber Insurers prohibit the payment of a ransom,” Liebig said. “This means that a ransomware Incident Response (IR) playbook must have a very defined and comprehensive declaration and approval process that goes to the top of the executive team.”

More generally, Liebig has said he believes that increasing the chances of defending against ransomware begins with watching the front and back doors.

“Watch for, block, and educate against incoming spam and phishing attempts. Know your assets and endpoints. Know and mitigate the vulnerabilities within your environment that enable the exploitation of those assets,” Liebig explained.

“The best way to defend against ransomware is never to let it take root in your systems. The next best way is to have a bulletproof, trusted recovery strategy to minimize downtime and eliminate the ‘ransom’ debate.”

According to statistics published by Intel 471 and Digital Shadows, Hive was the third-most prevalent ransomware family observed in Q3 2022. 

The ransomware group also upgraded its tools to Rust in July to deliver more sophisticated encryption.