Blog: DFIR
Hive Ransomware is on the rise. How should you deal with it?
Why Now?
Hive is not a new problem. It first surfaced in 2021 but it’s becoming a much bigger issue now. This is due to a growing number of affiliates and therefore attacks. 2022 has seen more widespread country and industry target interest too.
Ransomware growth in general is becoming a massive problem, so much so that these incidents now make up the majority of UK government crisis management COBRA meetings.
What is Hive Ransomware?
Hive is ransomware-as-a-service (RaaS). It’s maintained by dedicated developers with affiliates using it to conduct high impact ransomware attacks with far reaching consequences.
Hive is organised in such a way that they have customer service, help desk, and sales departments. Victims are even directed to log in to a portal to make payment, using credentials the attackers drop in one of the files they leave behind after an attack.
Who is this Threat Group?
The Hive gang is a Ransomware as a Service (RaaS) provider first identified in June 2021. Although relatively new, their aggressive tactics and ever evolving malware variants have made them one of the most successful RaaS groups of its kind.
It’s claimed some big victims, for example Tata Power just one month ago.
How are they targeting victims?
Phishing emails are sent with malicious payloads (e.g. Cobalt Strike) to get VPN credentials, and then scan for vulnerable remote desktop servers for lateral movement.
What do they do once they’re inside?
It’s all about data exfiltration, with encryption of files on the network.
Why should I act now?
Cybersecurity experts largely believe Hive is allied with Conti. The Hive ransomware gang is just over a year old but has already allied with more traditional ransomware groups, promoting itself as one of the top three most active ransomware groups in July 2022.
The gang is more active and aggressive than ever, with the affiliates attacking between three to five organisations every day since the operation became known in late June 2021.
On 17th November 2022 the hacker group claimed responsibility of taking down a USA based health care provider. Hive appears to have demanded a ransom of $900,000. In exchange, the organisation would agree to delete all the data.
TechRepublic amongst other outlets on the on 25th October 2022 named Hive Ransomware within the current top four most dangerous and destructive ransomware groups of 2022. Attacks from this gang alone jumped by 188% from February to March 2022, according to NCC’s March Cyber Threat Pulse report. This ransomware variant was also one of the top four most observed in Q3 of 2022 it is expected to only get more prominent as more affiliates use RaaS with new vulnerabilities such as zero-day attacks to aid in initial intrusion.
In Q3 2022 Hive ransomware hit 15 countries, with the US and UK being the top targets, respectively.
The ransomware is super-fast, capable of encrypting 4GB of data per minute. Hive hires penetration testers, access brokers, and other threat actors who continue to develop the threat, techniques, and tactics.
In May 2022 the gang targeted Costa Rica when the country was reeling from a cyberattack by Conti. Only weeks after the Costa Rican president declared an emergency following that first ransomware attack Hive joined in and crippled the country’s public health service, the Costa Rican Social Security Fund.
Has it really got more serious? Why should I be concerned?
Hive ransomware was last upgraded in July 2022, according to Microsoft Threat Intelligence Centre (MSTIC). Researchers noted that Hive migrated its malware code from GoLang to Rust last month. Rust offers memory, data type, thread safety, deep control over low-level resources, a user-friendly syntax, access to a variety of cryptographic libraries, and is relatively more difficult to reverse-engineer.
The July update also includes string encryption and more complicated encryption mechanisms that leverage Elliptic Curve Diffie-Hellmann (ECDH) with Curve25519 and XChaCha20-Poly1305 (authenticated encryption with ChaCha20 symmetric cipher). Instead of embedding an encrypted key in each file that it encrypts, it generates two sets of keys in memory, uses them to encrypt files, and then encrypts and writes the sets to the root of the drive it encrypts, both with .key extension.
I run Linux so I’m OK, right?
Hive introduced Linux and FreeBSD encryption capabilities in October 2021. At the time ESET, who discovered these capabilities, clarified that the Linux variant of the ransomware was functionally inadequate compared to its Windows variant. ‘Functionally inadequate’ doesn’t mean that Linux is safe though.
What have Hives core target industries looked like?
The industrials sector is still the most common target however hive have broadened their target victims to include energy, resources, agriculture, academic, educational, science institutions, car dealerships, financial, media, electronic distributers and healthcare. In November 2022 Q3, the Hive ransomware hit 15 countries, with the U.S. and the U.K. as the top two targets respectively.
What can be done to mitigate?
Better focus on preventing social engineering attacks, adopt defines-in-depth combination of policies, technical defences, and education for end users” Human errors is currently responsible for 82% of data breaches according to Verizon’s 2022 Data Breach Investigations Report.
Patch patch patch! Monitor the CISA’s Known Exploited Vulnerability Catalogue to identify weaknesses.
Hive is famously seeking targets using vulnerable Exchange Servers, with some of the critical vulnerabilities and inclusive patch information detailed below:
- CVE-2021-31207 – Microsoft Exchange Server Security Feature Bypass Vulnerability
- CVE-2021-34473 – Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2021-34523 – Microsoft Exchange Server Privilege Escalation Vulnerability
Implement, develop phishing-resistant multi-factor authentication (MFA) technique.
Where SIEM or ELK Stack solutions are in force, develop the decoders and rules.
Hive is in my organisation, what happens now and what should I do?
I strongly encourage organisations to start action now to mitigate and reduce the risk and impact of ransomware incidents. Below are areas to focus on when looking at your SIEM, EDR and monitoring solutions.
Once in your estate Hive ransomware will immediately start working on evasion detection, by executing processes. This is how you deal with it.
Hive behaviour: Identify processes related to backups, antivirus/anti-spyware, and file copying and then terminating those processes to facilitate file encryption.
Advice: NGAVs will typically pick up on this behaviour these days, however offsite backups should be adopted.
Hive behaviour: Remove all existing shadow copies and stop the volume shadow copy services via vssadmin on command line or via PowerShell.
Advice: NGAVs will typically pick up on this behaviour these days, however offsite backups should be adopted.
Hive behaviour: Delete Windows event logs, specifically the System, Security and Application logs.
Advice: Make sure you are forwarding logs to an external source that cannot be moved to laterally by the threat actors, ensure logs are also replicated elsewhere or offline storage/backup is utilised which can later be restored.
Also, implement data backups and encrypt data at rest, also practice your recovery procedures with regular drills.
Quickly isolate any infected devices to prevent the ransomware from spreading further throughout your network. To do this, IT administrators must have up-to-date knowledge of all assets in the organisation and the tools to easily manage them, depending on how far the attack is in progress it may be prudent to shut down affected machines immediately, if backups are not available a provider may be able to perform data carving on offline-disks however this is a long-winded process so concentrate on you most critical data assets.
If your data has been stolen, take steps to protect your company and notify those who might be affected. It is recommended to report the attack right away to the authorities who may have knowledge of other attacks and can aid in an investigation by sharing knowledge.
Contact us if you need help.