Ransomware Spotlight: Hive
Overview of Hive’s operations
Hive operations are more prolific than their leak site might suggest. HiveLeaks only publishes the list of victims that have not settled the ransom, so it is tough to determine which — or how many — companies decided to pay the ransom. A report indicates that attack attempts by Hive affiliates hit an average of three companies per day since the group was first discovered in June 2021. The report also mentioned that security researchers who got access to information directly from the administrator panel of the Hive Tor site discovered that the number of enterprises whose systems had been compromised have reached 355 from September to December 2021.
Intelligence gathered by the researchers further revealed that the founders of the group deliberately put systems in place to achieve as much ease and transparency as possible particularly in the process of ransomware deployment and negotiations. Researchers also learned that the generation of malware versions by affiliates can be done within 15 minutes, while negotiations are coursed through the Hive ransomware administrators who relay the message to the victims in a chat window that the affiliates can see.
Researchers also shared that affiliates can see on the Hive administrator panel how much money was collected, the list of companies that paid, and those whose information was leaked.
The group’s emphasis on operational efficiency and transparency is key to enticing new affiliates. It suggests that the group is aiming for sustainability by creating an environment that is conducive to building a bigger and stronger affiliate base.
Of note is that some enterprises complained about the decryption tool that Hive operators provided after settling the ransom. Reports said it lacked proper functionality and claimed that the Master Boot Records of their virtual machines were corrupted, rendering them incapable of booting.
Top affected countries and industries
Targeted regions and sectors according to Hive’s leak site
Infection chain and techniques
Hive operators breach systems through phishing emails with malicious attachments. We also observed Microsoft Exchange as a possible entry point for Hive ransomware based on our detection of the same post-exploitation scripts that can be found in the technique used to exploit ProxyShell-related vulnerabilities. These vulnerabilities were identified as CVE-2021-31207, CVE-2021-34473 and CVE-2021-34523.
Hive operators attempt to run the persistence technique for a Cobalt Strike beacon that can be used as a C&C method to accomplish lateral movement once they intrude into the system. Right after the attempt, Hive operators start to unload or uninstall antivirus (AV) products in the system so they can proceed to the download and execution of hacking tools such as PCHunter, GMER, and TrojanSpy.DATASPY. They use these tools to unload other AV products as a tactic to evade detection. We also observed the presence of WMI used to deploy uninstallation scripts and ransomware across the networks for lateral movement.
Defense Evasion, Discovery, and Credential Access
We observed the presence of PCHunter and GMER as their tools to discover and terminate services or processes to disable AV software. We also detected the use of TrojanSpy.DATASPY to gather information in the system such as machines in the network and the presence of specific AV products. In another attack, the threat actors deployed KillAV to terminate several AV products, also to avoid detection.
Our detections showed that the Hive operators use 7-Zip tool to archive stolen data for exfiltration. Moreover, the gang abuses anonymous file-sharing services such as MEGASync, AnonFiles, SendSpace, and uFile to exfiltrate data.
The ransomware payload proceeds with the encryption routine upon execution. The ransomware generates a random key that is used to encrypt based on RTLGenRandom API, which will be initially saved on the device’s memory. The key is then used in what appears to be a custom implementation of the encryption process.
The key also encrypts through RSA via GoLang’s implementation of RSA encryption. It accomplishes the RSA encryption through a list of public keys embedded in the binary. It is then saved as
The generated key will then be wiped from memory, leaving the encryption key as the only copy of the key for decryption.
MITRE tactics and techniques
|Initial Access||Execution||Persistence||Defense Evasion||Discovery||Lateral Movement||Collection||Command and Control||Exfiltration||Impact|
T1566.001 - Phishing: Spear-phishing attachment
T1190 - Exploit public-facing application
T1078 - Valid accounts
T1106 - Native API
T1059.003 - Command and scripting interpreter: Windows Command Shell
T1059.001 - Command and scripting interpreter: PowerShell
T1053.005 - Scheduled Task/Job: Scheduled TaskRegisters and executes malicious tasks
T1204 - User execution
T1047 - Windows Management Instrument
T1053.005 - Boot or logon autostart execution
T1068 - Exploitation for Privilege Escalation
T1562.001 - Impair Defenses: Disable or Modify Tools
T1083 - File and directory discovery
T1018 - Remote system discovery
T1057 - Process discovery
T1063 - Security software discovery
T1049 - System Network Connections Discovery
T1135 - Network Share Discovery
T1570 - Lateral tool transfer
T1021.002 - Remote services: SMB/Windows admin shares
T1021.006 - Remote Services: Windows Remote Management Uses WMI to execute and deploy uninstallation scripts and the ransomware payload.
T1005 - Data from local system
T1560.001 - Archive Collected Data: Archive via Utility
T1105 - Ingress Tool Transfer
T1567 - Exfiltration over web service
T1486 - Data encrypted for impact
Summary of malware, tools, and exploits used
Security teams can watch out for the presence of the following malware tools and exploits that are typically used in Hive attacks:
|Initial Access||Execution||Discovery||Lateral Movement||Defense Evasion||Exfiltration|
Phishing emails with malicious attachments
Despite being relatively new, Hive ransomware has already made its mark as one of the most prolific and aggressive ransomware families today. Our detections of their malicious activities show that their operations are robust, thus providing an incentive for new affiliates to join them. Hive operators are also known to constantly refine and diversify their TTPs, so it is important for companies to stay vigilant and be well-informed of potential threats. An organization stands a better chance of addressing ransomware threats if they implement strong defenses early on.
To protect systems against similar threats, organizations can establish security frameworks that allocate resources systematically for establishing a strong defense strategy against ransomware.
Here are some best practices that organizations can consider:
Audit and inventory
- Take an inventory of assets and data
- Identify authorized and unauthorized devices and software
- Audit event and incident logs
Configure and monitor
- Manage hardware and software configurations
- Grant admin privileges and access only when necessary to an employee’s role
- Monitor network ports, protocols, and services
- Activate security configurations on network infrastructure devices such as firewalls and routers
- Establish a software allowlist that only executes legitimate applications
Patch and update
- Conduct regular vulnerability assessments
- Perform patching or virtual patching for operating systems and applications
- Update software and applications to their latest versions
Protect and recover
- Implement data protection, backup, and recovery measures
- Enable multifactor authentication (MFA)
Secure and defend
- Employ sandbox analysis to block malicious emails
- Deploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network
- Detect early signs of an attack such as the presence of suspicious tools in the system
- Use advanced detection technologies such as those powered by AI and machine learning
Train and test
- Regularly train and assess employees on security skills.
- Conduct red-team exercises and penetration tests.
A multilayered approach can help organizations guard possible entry points into their system (endpoint, email, web, and network). Security solutions can detect malicious components and suspicious behavior, which can help protect enterprises.
- Trend Micro Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools before the ransomware can do any damage.
- Trend Micro Cloud One™ Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.
- Trend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.
- Trend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.
Indicators of Compromise (IOCs)
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Exposed Container Registries: A Potential Vector for Supply-Chain Attacks
- LockBit, BlackCat, and Clop Prevail as Top RAAS Groups: Ransomware in 1H 2023
- Diving Deep Into Quantum Computing: Modern Cryptography
- Uncovering Silent Threats in Azure Machine Learning Service: Part 2
- The Linux Threat Landscape Report