By Rabindra Dev Bhatta, Security Research

Contents

TL;DR

A comparatively new ransomware, Hive is around one-and-a-half years old in the wild, but it is already among the top ransomware threats in the industry. Threat actors have been using Hive to target a variety of companies and critical infrastructure sectors, particularly healthcare, government facilities, communications, critical manufacturing, and information technology.

According to the Joint Cybersecurity Advisory published by the FBI, CISA, and HHS as part of their #StopRansomware effort, as of November 2022, the Hive ransomware threat actors have targeted more than 1,300 businesses globally and have bagged almost US$100 million in ransom. Compared to other ransomware actors, the Hive syndicate functions in quite an organized manner with multiple portals and work distribution. Hive provides RaaS through its three primary API-based portals – affiliate, victims, and data leak site.

** Get research and analysis, insight, plus hints and tips, on how to detect, manage, and respond to Hive ransomware in the main blog.

Head to the contents and click each section for quick navigation.

A comparatively new ransomware, Hive is around one-and-a-half-years-old in the wild, but it is already among the top ransomware threats in the industry. Threat actors have been using Hive ransomware to target a variety of companies and critical infrastructure sectors, particularly healthcare, government facilities, communications, critical manufacturing, and information technology.

According to the Joint Cybersecurity Advisory published by the FBI, CISA, and HHS as part of their #StopRansomware effort, as of November 2022, the Hive ransomware threat actors have targeted more than 1,300 businesses globally and have bagged almost US$100 million in ransom.

Source: https://darkfeed.io/ 

Similar to BlackCat and LockBit, the Hive syndicate is a Ransomware-as-a-Service (RaaS) provider, that was first reported in June 2021 against a Canadian IT company. Hive made headlines in August 2021 for interrupting the clinical and financial activities of three hospitals in Ohio and West Virginia as a result of Hive’s ransomware assaults. On the ground level, this forced the emergency rooms to divert traffic, and cancel radiological tests and urgent surgery cases; while causing the FBI to issue alerts detailing the indications of compromise (IOCs) and tactics, techniques, and procedures (TTPs) used by Hive ransomware.

Compared to other ransomware actors, the Hive syndicate functions in quite an organized manner with multiple portals and work distribution. While the developers build, maintain, and upgrade the Hive infrastructures – malware variants, data leak website the “HiveLeaks” and the negotiation site; the affiliates are responsible to locate victims, infect them, steal their files, and spread Hive ransomware over the networks of victims. Hive provides RaaS through its three primary API-based portals – affiliate, victims, and data leak site.

We at Logpoint deployed multiple variations of the ransomware and have attempted to create a comprehensive detection and understanding of it in the following section.

Hive fast facts

  • First reported in June 2021 and has amassed almost $100 million in ransom from 1,300 global businesses.

  • Affiliates discovered to have used spam campaigns, leaked credentials, and vulnerable servers for initial access.

  • Targets healthcare, government facilities, communications, critical manufacturing, and information technology.

  • Known for strict negotiations and double or sometimes triple extortion methods for extorting the ransom.

  • Known to re-infect victim organizations that restore infrastructure without making a ransom payment.

  • Has multiple ransomware variants affecting Windows, Linux, FreeBSD, and VMware ESXi with the latest iteration written in Rust Programming Language, while the older ones developed in Go.

Technical analysis of Hive

For our research, the Hive ransomware variants in consideration were abstracted from vx-underground while samples from tria.ge sandbox were also referenced. The results are summarized below.

Intrusion

The common method of initial access, phishing with malicious attachments [T1566], and leaked/compromised credentials [T1078], remains a prominent approach for the Hive ransomware threat actors. Further, Hive actors have also been found to exploit vulnerabilities in public-facing applications [T1190]:

Therefore, it can be stated that the method for initial access into the target system depends on the affiliates’ capabilities.

Execution and persistence

Right after the Hive actors find their way into the target system, they attempt to establish persistence by executing obfuscated Powershell script [T1059] that is a part of the Cobalt Strike beaconing technique for command and control and lateral movement in the target network.

Following that, they begin executing multiple Powershell commands to stop/disable important security services and processes like SamSs, SDRSVC, SstpSvc, vmicvss, VSS, wbengine, WebClient, and UnistoreSvc_196e4 using system executables – “net.exe”/”net1.exe” and “sc.exe” that might otherwise hinder its attack chain.

Defense evasion

The malware notoriously inhibits detection by modifying registry entries [T1112] and scheduling tasks through “reg.exe” and “schtask.exe” respectively, to disable/stop security monitoring services and Windows Defender Real-Time Protection.

Hive makes use of “MpCmdRun.exe” to delete anti-virus definitions and disable the protection status [T1562].

Further, Hive also removes its activity traces by clearing out system, security, and application logs [T1070] by exploiting the “wevtutil.exe“ binary.

Actions on objectives

Once the detections have been disabled, Hive quietly exfiltrates data archived through tools like “7-Zip” and “Rclone” to anonymous file sharing/cloud storage service [T1537] providers like “Mega“, “Anonfiles“, “Ufile“ and “Privatelab“, and then proceed to delete the shadow copies, using “vssadmin.exe” and “wmic.exe“ behind the user visibility zone to prevent any suspicion. Further, it also deletes the system state backups using “wbadmin.exe“ to make the system irrecoverable.

To leave no stone unturned, the malware performs one last thing before encrypting it all, that is, it modifies the boot configuration data of the system using “bcdedit.exe“ to restrict the system administrator’s access to the Windows Recovery Environment’s System Image Recovery capability and therefore inhibit system recovery [T1490].

The malware finally enacts its actual agenda – it executes the ransomware and encrypts all the files of the system [T1486]. The newer variants of the ransomware use Elliptic Curve Diffie-Hellmann (ECDH) with Curve25519 and XChaCha20-Poly1305 (authenticated encryption with ChaCha20 symmetric cipher) for the encryption. The ransomware iterates the action in all the systems it has access to.

Once the entire disk files have been encrypted, a message pops up in a “HOW_TO_DECRYPT.txt” notepad file, notifying the users about the incident that happened in their system, URL link, and credentials to log in to the hive’s .onion/ portal for negotiations with the “Sales Department”, and guidelines as a warning.

Hunting Hive with Logpoint

Let’s begin our hunt all the way from the start of the incident. A very common method among both threat actors and defenders, spearphishing is still the most adopted technique to exploit the human element and infiltrate the target system. Therefore, we can be on the lookout for suspicious processes spawned by Microsoft Office utilities:

Copy to Clipboard

We have also observed Hive exploiting the Microsoft Exchange server’s ProxyShell vulnerability. Therefore, suspicious activities can be monitored through, “Exchange ProxyShell Pattern Detected

Copy to Clipboard

and “Successful Exchange ProxyShell Attack

Copy to Clipboard

Next, another widely used hacking tool is the Cobalt Strike beaconing. This is used for execution and maintaining persistence in the system. At Logpoint, we have been continuously offering our customers detection and understanding of various hacking tools, techniques, and methods that are prominently used by threat actors for different purposes in most of their attack campaigns. As such, detection for tools like Cobalt Strike and Mimikatz, also leveraged by the Hive actors, have been published and reviewed time and again.

To take it a step further, it has also been found that Hive actors execute base64 encoded commands to bypass detection during the beaconing phase. Detection of commands executed for encoded keywords can be of huge interest to us and therefore can be viewed through “Malicious Base64 Encoded PowerShell Keywords in Command Lines Detected

Copy to Clipboard

Hive actors then proceed with terminating/disabling multiple processes and system services. We can look into those with the desired level of consolidated visibility through “High Number of Service Stop or Task Kill in Short Span

Copy to Clipboard

Here, we have considered the occurrence of the event – process stop or service disable, to be greater than ten times. You can modify it based on your environment and requirements.

In an attempt to evade native defenses and maintain stealth for its future activities, Hive begins to modify the registry values of Microsoft Windows Defender with “reg.exe“, which could otherwise possibly detect its activities and trigger alerts. Hence, making the detection of such nasty acts our top priority with “Windows Defender Antivirus Disabled via Registry Modification”.

Copy to Clipboard

Windows Security Health Disabled via Registry Modification

Copy to Clipboard

Hive exploits the Malware Protection Command Line Utility – “MpCmdRun.exe“, to remove any or all antivirus signature definitions present in the system. The detection can be achieved with “Microsoft Defender Antivirus Definitions Removal Detected

Copy to Clipboard

Microsoft Defender Disabling Attempt via PowerShell

Copy to Clipboard

To leave no traces of its activities, Hive also clears all the system, security, and application logs mostly using the “wevtutil.exe“ system binary which can be detected by “Suspicious Eventlog Clear or Configuration Using Wevtutil Detected

Copy to Clipboard

Once the actors are sure of having no obstruction, they begin exfiltrating important organizational data. We found the hive actors to use “7z.exe“ to exfiltrate compressed or encrypted data to cloud storage services like Mega, Anonfiles, and more. This can be easily detected.

Copy to Clipboard

Along with exfiltrating data, they begin to delete/destroy shadow copies and system state backups leaving the organization with no back-ups or recovery points, “Shadow Copy Deletion Using OS Utilities Detected

Copy to Clipboard

Further, threat actors make sure to deactivate and completely turn off the system administrators’ access to Windows Recovery Environment abusing “bcdedit.exe“ to modify the boot policy, which can be detected as, “Possible Modification of Boot Configuration

Copy to Clipboard

The final act of the show – ransomware – begins its encryption after all this and drops a message through a notepad text file. Early detection is important.

MITRE tactics and techniques

TTPs of Hive ransomware

Investigation and response with Logpoint

Logpoint SOAR can be the weapon in your arsenal to respond against a Hive ransomware attack and disrupt its cyber-kill chain.

1. Phishing investigation and response

Ensuring that all suspected phishing occurrences are properly investigated and responded to, the playbook drastically cuts down on response times and human error.

2. Ransomware investigation

This playbook extensively evaluates the IoCs and detonates the suspect files leveraging a sandbox environment. Additionally, it searches for typical TTPs that ransomware employs, increasing the likelihood that ransomware will be found before it is too late. If ransomware is detected, the playbook will alert administrators and begin upfront tasks to isolate the host and contain the threat.

3. Isolate endpoint

Before the infection spreads to other machines, this playbook discovers and isolates the infected host using the brand-new Logpoint AgentX.

Logpoint AgentX is a lightweight application that transports logs and telemetry from endpoints (all servers, workstations, and applications) to the SIEM, and performs automated real-time investigation and remediation of threats with SOAR. With AgentX, security analysts get precise detection of malicious malware and the ability to respond to threats in endpoints.

Logpoint AgentX is available now: Contact your representative.

4. Block indicators

This playbook checks if any IP, domain, URL, or host exists in a list of IoCs, blocks them, and adds them to the blocked list.

Remediation and mitigation best practices

  • Regularly scan and assess organizational assets for vulnerabilities and misconfigurations to patch them, and maintain updated Operating Systems, firmware, and applications.

  • Strongly enforce MFA and phishing protection for both user and administrative accounts. Adopt the practice of least privilege and time-based access, where possible.

  • Conduct simulated attack scenarios to make sure that the employees are well aware of phishing and other risks, and also to make sure that they report the incident to the internal cybersecurity team.

  • Extensively implement network segmentation to prevent the spread and limit the impact.

  • Deploy Logpoint AgentX or other endpoint protection platforms (EPPs) to secure endpoint devices and ensure they are up-to-date, properly configured, and trigger alerts when disabled.

  • Develop the practice of regularly creating and maintaining offline encrypted backups that encompass the entire organizational data infrastructure, and assure their availability through periodic restoration attempts.

  • Regualrly review the security posture of third-party vendors interconnected with the organization.

  • Actively be on the lookout for leaked credentials on malware data leak sites, and make changes accordingly.

  • Continuously monitor critical organizational assets with a combination of tools such as Sysmon and the Logpoint Converged SIEM platform.

Final thoughts

Despite being new in the industry, Hive ransomware has an alluring rate of successful attacks, amassing additional affiliates to the gang. Therefore, a proactive detection approach is of utmost priority for security analysts of any organization wishing to stay away from harm’s way.

With the Logpoint Converged SIEM platform combining SIEM, SOAR and endpoint response, analysts can investigate Hive and initiate a proper response. With the resources in this report, we hope to enable our readers with the capabilities to actively hunt Hive ransomware and disrupt it’s chain of attack.

** We can help you! For help with the suggested playbooks – design, development, and implementation – contact Global services here.

Contact Logpoint

Contact us and learn why
industry-leading companies
choose Logpoint:

Contact Logpoint