What is Hive Ransomware

The affiliate-based ransomware known as "Hive" was first identified in June 2021. Cybercriminals use this malware to target a variety of global industries, including healthcare, nonprofits, retail, and energy providers. Because Hive is offered under a Ransomware-as-a-Service (RaaS) model, affiliates are free to use it however they see fit.

The Hive ransomware operator employs standard ransomware tactics, techniques, and procedures to compromise victims' devices, exfiltrate sensitive data, and encrypt business files.

The Varonis Forensics Team looked into a ransomware incident during a recent customer engagement. The malicious threat group Hive managed to compromise and encrypt numerous devices and file servers.

Hive is an affiliate-based ransomware variant that was first discovered in June 2021. Cybercriminals use it to launch ransomware attacks against a variety of global targets, including energy providers, nonprofits, retailers, and healthcare facilities. Affiliates can use Hive however they see fit because it is designed to be distributed via a Ransomware-as-a-service model.

The variant compromises victims' devices using standard ransomware tactics, techniques, and procedures (TTPs). The operator disables anti-malware protections while performing hands-on actions, exfiltrating sensitive data, and encrypting business files. Its affiliates compromise victims' networks using a variety of methods, such as phishing emails with malicious attachments, compromised VPN credentials, and exploitation of vulnerabilities on external-facing assets. Hive also drops a plain-text ransom note threatening to publish the victim's data on the TOR site "HiveLeaks" unless the victim complies with the attacker's demands.

According to FBI data, as of November 2022 Hive ransomware actors had victimized over 1,300 companies worldwide and received approximately US$100 million in ransom payments. The Hive malware is produced, updated, and maintained by its developers, while affiliates carry out the ransomware attacks; this approach is known as ransomware-as-a-service (RaaS). From June 2021 through at least November 2022, threat actors used Hive to target a variety of businesses and critical infrastructure sectors, particularly healthcare and public health (HPH), government facilities, communications, critical manufacturing, and information technology.

The method of initial intrusion depends on which affiliate targets the network. Hive actors have gained initial access to victim networks through single-factor logins over virtual private networks (VPNs), Remote Desktop Protocol (RDP), and other remote network connection protocols. In some cases, Hive actors have exploited CVE-2020-12812 to bypass multifactor authentication (MFA) and access FortiOS servers: by changing the case of the username, a malicious actor can trigger this vulnerability and log in without being prompted for the user's second authentication factor (FortiToken).

Hive actors have also obtained initial access to victim networks by distributing phishing emails with malicious attachments and by exploiting vulnerabilities in Microsoft Exchange servers.

Besides sending phishing emails with malicious attachments, affiliates breach victims' networks using leaked VPN credentials and by exploiting vulnerabilities in external-facing assets. Hive's plain-text ransom note also threatens to publish the victim's data on the TOR site "HiveLeaks" if the attacker's demands are not met.

The Hive ransomware group is believed to be based in Russia. Around May 2022, as the Conti group shut down its attack infrastructure, some of its affiliates are said to have moved to Hive.

This belief stems from the fact that Hive and Conti simultaneously disclosed information about the same victims on both of their leak sites, for example the attack on the government infrastructure of Costa Rica.

How Does Hive Ransomware Work?

According to the FBI, the Hive ransomware group employs a range of TTPs in its attacks. Phishing is regularly used to obtain initial access; Verizon notes that phishing accounts for 82% of all breaches. The actors then move laterally across the network, infecting critical systems with malware-laden attachments and using Remote Desktop Protocol (RDP).

The initial Hive variants were developed in Go. After a public decryptor was released in mid-2022, the group appears to have switched to Rust, specifically from version 5 onward, to produce new iterations of its malware.

Hive encrypts important files and then drops two malicious scripts (hive.bat and shadow.bat) that perform cleanup. The group then threatens to release the stolen data on its dark-web leak site, HiveLeaks.

Hive ransomware actors compromise victim networks in order to encrypt files and leak stolen data. The actors also leave a ransom note with instructions on how to obtain decryption software in each compromised directory on the victim's computer.

Hive gains access to the victim's network through spear-phishing emails with malicious attachments. Once it has obtained the victim's login credentials, it uses Remote Desktop Protocol (RDP) to spread laterally throughout the network.

To evade anti-malware defenses, Hive stops backup, restore, anti-virus, anti-spyware, and file-copy services. Encrypted files are saved with the .hive extension. Hive then generates batch files named hive.bat and shadow.bat that contain instructions to remove the batch files themselves, volume snapshots, disk backup copies, and the Hive executable. This is how the malware reduces the amount of forensic evidence left behind.

Finally, Hive drops a ransom note in each affected directory. The note states that without the master key in the actors' possession, the encrypted files cannot be decrypted.

To steer the victim toward paying the ransom, the note also includes login credentials for the HiveLeaks TOR site and implies that the victim's private data will be published there.

Which industries and nations does Hive target?

Hive's TOR leak site displays countdowns for its victims. The victims listed on this site, however, are only those who did not comply and refused to pay the requested ransom. Research done at the end of 2021 indicates that Hive targets three organizations per day on average.

According to that study, information on only 55 of the 355 organizations that Hive compromised was published on its TOR leak site.

Judging from its TOR leak site, Hive ransomware attacks have impacted almost 30 countries. Looking closely at the targeted nations, the United States is one of the top targets: with 93 attacks, nearly half of all Hive ransomware attacks occur in the United States.

Tips for Guarding Against a Hive Ransomware Attack

  • Apply the most recent patches for Exchange Server.
  • Make sure everyone uses strong passwords, think about changing them on a regular basis, and use MFA when you can.
  • Implement the “least privilege” access model to guarantee that users are given the minimal amount of access necessary to carry out their roles. Removing local admin rights for domain accounts falls under this category.
  • Make sure all dormant user accounts are recognized and handled appropriately.
  • To stop pass-the-hash attacks, disable SMBv1 usage and employ SMB signing.
  • Keep an eye on who has access to important assets and privileged accounts.
  • Instruct staff members on data security best practices so they can be watchful in spotting and reporting questionable emails.
  • Employ real-time auditing software that can recognize and react to events automatically when they meet a pre-defined threshold condition, for example when a certain number of files are encrypted or copied within a specific amount of time. When the threshold condition is met, a custom script runs that can disable accounts, halt particular processes, alter firewall settings, shut down the compromised device or server, and more.
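As an added illustration of the threshold-based detection described in the last tip (this is example code written for this page, not Varonis's or any product's code), the following Python scans a constructed audit log for a burst of renames to the .hive extension per user, and for execution of the hive.bat / shadow.bat cleanup scripts described earlier. The log format, user names, paths, and the threshold of five renames per minute are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of a hypothetical file-server audit log (not any real product's format):
# "<ISO timestamp> <user> <action> <path>". jdoe renames five files to .hive within 30 seconds
# and then runs shadow.bat; asmith renames two files more than a minute apart.
SAMPLE_LOG = r"""
2022-11-01T10:00:01 jdoe RENAME \\fs01\finance\q3.xlsx.hive
2022-11-01T10:00:04 asmith RENAME \\fs01\hr\policy.docx.hive
2022-11-01T10:00:09 jdoe RENAME \\fs01\finance\budget.xlsx.hive
2022-11-01T10:00:12 jdoe RENAME \\fs01\finance\plan.pptx.hive
2022-11-01T10:00:20 jdoe RENAME \\fs01\finance\notes.txt.hive
2022-11-01T10:00:25 jdoe CREATE \\fs01\finance\HOW_TO_DECRYPT.txt
2022-11-01T10:00:31 jdoe RENAME \\fs01\finance\ledger.xlsx.hive
2022-11-01T10:01:10 jdoe EXECUTE C:\Windows\Temp\shadow.bat
2022-11-01T10:05:00 asmith RENAME \\fs01\hr\memo.docx.hive
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>\S+) (?P<path>.+)$")
CLEANUP_SCRIPTS = {"hive.bat", "shadow.bat"}  # the cleanup scripts named in the article

def parse_event(line):
    """Parse one log line into a dict, or return None for blank or malformed lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Return alerts: ('mass_encryption', user, ts) when a user renames >= threshold files
    to .hive inside the sliding window, and ('cleanup_script', user, name) when hive.bat
    or shadow.bat is executed. Alerts are returned in log order."""
    recent = defaultdict(deque)   # per-user timestamps of recent .hive renames
    alerts = []
    for ev in filter(None, map(parse_event, lines)):
        name = ev["path"].rsplit("\\", 1)[-1].lower()
        if ev["action"] == "EXECUTE" and name in CLEANUP_SCRIPTS:
            alerts.append(("cleanup_script", ev["user"], name))
        elif ev["action"] == "RENAME" and name.endswith(".hive"):
            q = recent[ev["user"]]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:   # drop renames older than the window
                q.popleft()
            if len(q) == threshold:           # fire once, as the threshold is crossed
                alerts.append(("mass_encryption", ev["user"], ev["ts"]))
    return alerts
```

Running `detect(SAMPLE_LOG.splitlines())` yields one mass-encryption alert for jdoe at 10:00:31 and one cleanup-script alert for shadow.bat, while asmith's two slow renames stay below the threshold; the containment steps from the tip (disabling the account, halting processes, adjusting the firewall) would hang off these alerts.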

Conclusion

Hive ransomware's infrastructure has now been disrupted and taken down, at least for now. But remember that such groups choose their targets without any restrictions: large manufacturing companies and tiny medical facilities alike are targets for their attacks. Enterprises of all sizes should therefore be aware of Hive ransomware and take the necessary security measures.
