Hive operations are more prolific than their leak site might suggest. HiveLeaks only publishes the list of victims that have not settled the ransom, so it is hard to determine which companies, or how many, decided to pay. A report indicates that attack attempts by Hive affiliates have hit an average of three companies per day since the group was first discovered in June 2021. The report also mentioned that security researchers who obtained access to information directly from the administrator panel of the Hive Tor site found that the number of enterprises whose systems had been compromised reached 355 between September and December 2021.
Intelligence gathered by the researchers further revealed that the founders of the group deliberately put systems in place to make ransomware deployment and negotiations as easy and transparent as possible. Researchers also learned that affiliates can generate malware versions within 15 minutes, while negotiations are routed through the Hive ransomware administrators, who relay messages to the victims in a chat window that the affiliates can see.
Researchers also shared that affiliates can see on the Hive administrator panel how much money was collected, the list of companies that paid, and those whose information was leaked.
The group’s emphasis on operational efficiency and transparency is key to enticing new affiliates. It suggests that the group is aiming for sustainability by creating an environment that is conducive to building a bigger and stronger affiliate base.
Of note, some enterprises complained about the decryption tool that Hive operators provided after the ransom was settled. Reports said it lacked proper functionality, and victims claimed that the Master Boot Records of their virtual machines were corrupted, rendering them unable to boot.
Hive operators breach systems through phishing emails with malicious attachments. We also observed Microsoft Exchange as a possible entry point for Hive ransomware based on our detection of the same post-exploitation scripts that can be found in the technique used to exploit ProxyShell-related vulnerabilities. These vulnerabilities were identified as CVE-2021-31207, CVE-2021-34473 and CVE-2021-34523.
Once they have intruded into the system, Hive operators attempt to establish persistence for a Cobalt Strike beacon, which can be used as a C&C channel to accomplish lateral movement. Right after this, Hive operators start to unload or uninstall antivirus (AV) products on the system so they can proceed to download and execute hacking tools such as PCHunter, GMER, and TrojanSpy.DATASPY. They use these tools to unload other AV products as a tactic to evade detection. We also observed WMI being used to deploy uninstallation scripts and the ransomware across the network for lateral movement.
We observed the presence of PCHunter and GMER as their tools to discover and terminate services or processes to disable AV software. We also detected the use of TrojanSpy.DATASPY to gather information in the system such as machines in the network and the presence of specific AV products. In another attack, the threat actors deployed KillAV to terminate several AV products, also to avoid detection.
Our detections showed that the Hive operators use the 7-Zip tool to archive stolen data for exfiltration. Moreover, the gang abuses anonymous file-sharing services such as MEGASync, AnonFiles, SendSpace, and uFile to exfiltrate data.
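As an added example (not code from the report), the following Python checks constructed process-creation records for the tool and technique combination described above: WMI-driven remote execution of uninstall scripts, the AV-tampering utilities PCHunter and GMER, password-protected 7-Zip archiving, and contact with the named file-sharing services, tagging each hit with the ATT&CK IDs from the report's mapping. The sample events, host names, image names and the co-occurrence rule are assumptions constructed for this example.

```python
import re
# Constructed sample process-creation records: (host, image, command line, remote host).
# They are illustrative, not telemetry from a real Hive intrusion.
SAMPLE_EVENTS = [
    ("ws07", "outlook.exe", "outlook.exe", ""),
    ("ws07", "wmic.exe", 'wmic /node:"fs02" process call create "cmd /c C:\\temp\\uninstall.bat"', "fs02"),
    ("fs02", "PCHunter64.exe", "PCHunter64.exe", ""),
    ("fs02", "gmer.exe", "gmer.exe", ""),
    ("fs02", "7z.exe", "7z.exe a -p -mhe=on C:\\temp\\finance.7z D:\\Finance", ""),
    ("fs02", "MEGAsync.exe", "MEGAsync.exe", "upload.mega.example"),
    ("fs02", "svchost.exe", "svchost.exe -k netsvcs", ""),
]

# Image names as the tools are commonly distributed; KillAV is a detection name, not a file name.
AV_TAMPER_IMAGES = {"pchunter32.exe", "pchunter64.exe", "gmer.exe"}
# Keywords for the file-sharing services named in the report, matched against image and remote host.
EXFIL_KEYWORDS = ("megasync", "anonfiles", "sendspace", "ufile")

# (ATT&CK technique from the report's mapping, description, predicate over a lower-cased event)
RULES = [
    ("T1047", "WMI remote process creation",
     lambda img, cmd, dst: img == "wmic.exe" and "/node:" in cmd and "process call create" in cmd),
    ("T1562.001", "AV tampering tool launched",
     lambda img, cmd, dst: img in AV_TAMPER_IMAGES),
    ("T1560.001", "password-protected 7-Zip archive created",
     lambda img, cmd, dst: img == "7z.exe" and re.match(r"\S+\s+a\s", cmd) is not None and " -p" in cmd),
    ("T1567", "file-sharing service contacted",
     lambda img, cmd, dst: any(k in img or k in dst for k in EXFIL_KEYWORDS)),
]

def match_events(events=SAMPLE_EVENTS):
    """Return {host: {technique_id: [command lines]}} for every rule that fires."""
    hits = {}
    for host, image, cmd, dst in events:
        img, low_cmd, low_dst = image.lower(), cmd.lower(), dst.lower()
        for tech, _desc, pred in RULES:
            if pred(img, low_cmd, low_dst):
                hits.setdefault(host, {}).setdefault(tech, []).append(cmd)
    return hits

def hive_like_hosts(hits):
    """Hosts where staging (T1560.001) or AV tampering (T1562.001) co-occurs with exfil (T1567)."""
    return sorted(h for h, t in hits.items() if "T1567" in t and {"T1560.001", "T1562.001"} & set(t))

if __name__ == "__main__":
    found = match_events()
    for host, techs in found.items():
        print(host, {t: len(c) for t, c in techs.items()})
    print("hosts with a Hive-like chain:", hive_like_hosts(found))
```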
The ransomware payload proceeds with the encryption routine upon execution. It generates a random encryption key using the RtlGenRandom API, which is initially held in the device's memory. The key is then used in what appears to be a custom implementation of the encryption process.
The key is itself encrypted with RSA via GoLang's implementation of RSA encryption, using a list of public keys embedded in the binary. It is then saved as
The generated key is then wiped from memory, leaving the RSA-encrypted copy as the only copy of the key available for decryption.
| Tactic | Technique | Notes |
|---|---|---|
| Initial Access | T1566.001 - Phishing: Spear-phishing Attachment | |
| Initial Access | T1190 - Exploit Public-Facing Application | |
| Initial Access | T1078 - Valid Accounts | |
| Execution | T1106 - Native API | |
| Execution | T1059.003 - Command and Scripting Interpreter: Windows Command Shell | |
| Execution | T1059.001 - Command and Scripting Interpreter: PowerShell | |
| Execution | T1053.005 - Scheduled Task/Job: Scheduled Task | Registers and executes malicious tasks |
| Execution | T1204 - User Execution | |
| Execution | T1047 - Windows Management Instrumentation | |
| Persistence | T1053.005 - Boot or Logon Autostart Execution | |
| Privilege Escalation | T1068 - Exploitation for Privilege Escalation | |
| Defense Evasion | T1562.001 - Impair Defenses: Disable or Modify Tools | |
| Discovery | T1083 - File and Directory Discovery | |
| Discovery | T1018 - Remote System Discovery | |
| Discovery | T1057 - Process Discovery | |
| Discovery | T1063 - Security Software Discovery | |
| Discovery | T1049 - System Network Connections Discovery | |
| Discovery | T1135 - Network Share Discovery | |
| Lateral Movement | T1570 - Lateral Tool Transfer | |
| Lateral Movement | T1021.002 - Remote Services: SMB/Windows Admin Shares | |
| Lateral Movement | T1021.006 - Remote Services: Windows Remote Management | Uses WMI to execute and deploy uninstallation scripts and the ransomware payload |
| Collection | T1005 - Data from Local System | |
| Collection | T1560.001 - Archive Collected Data: Archive via Utility | |
| Command and Control | T1105 - Ingress Tool Transfer | |
| Exfiltration | T1567 - Exfiltration Over Web Service | |
| Impact | T1486 - Data Encrypted for Impact | |
Security teams can watch out for the presence of the following malware tools and exploits that are typically used in Hive attacks:
| Initial Access | Execution | Discovery | Lateral Movement | Defense Evasion | Exfiltration |
|---|---|---|---|---|---|
| Phishing emails with malicious attachments | | | | | |
Despite being relatively new, Hive ransomware has already made its mark as one of the most prolific and aggressive ransomware families today. Our detections of its malicious activities show that its operations are robust, which provides an incentive for new affiliates to join. Hive operators are also known to constantly refine and diversify their TTPs, so it is important for companies to stay vigilant and well-informed about potential threats. An organization stands a better chance of addressing ransomware threats if it implements strong defenses early on.
To protect systems against similar threats, organizations can adopt security frameworks that allocate resources systematically toward a strong defense strategy against ransomware.
Here are some best practices that organizations can consider:
A multilayered approach can help organizations guard possible entry points into their system (endpoint, email, web, and network). Security solutions can detect malicious components and suspicious behavior, which can help protect enterprises.