Hive Ransomware: An Affiliate Double Extortion Threat Gaining Prominence

Malware

Share Blog Post

Origin: June 2021

Aliases: Hive

Targeted Sectors: NGO, Retail, Energy, Media, Education, Healthcare, Manufacturing, Telecommunication, Government, IT

Targeted Regions: Europe, Asia Pacific, North America, South America, Middle East

Motive: Ransom, Data Theft

Common Infection Vectors: Phishing, RDP Hijacking

Introduction

Hive is an affiliate-based ransomware family that first appeared in June 2021 and, within the span of a year, it became one of the key threats to enterprises worldwide. Written in Go, the operators behind the Hive ransomware are possibly Russian-speaking actors. Hackers use concurrency features of the language for faster encryption of files. The double extortion group also operates as a Ransomware-as-a-service (RaaS).

As noted in a Group-IB report, the group successfully penetrated the networks of 355 companies within a span of just six months. Furthermore, the group is infamous for aggressively targeting healthcare providers and hospitals. The group had targeted the healthcare sector during the testing times of the COVID-19 pandemic as well.

Tactics, Techniques, and Procedures (TTPs)

Initially, Hive did not have any public affiliate programs, and it was unknown whether the group used the RaaS model or operated as a private group. However, that clarity came later through an underground forum wherein a user was found promoting an affiliate program, which eventually turned out to be Hive.

The initial variants of this malware were Windows-specific, however, a new ransomware strain was observed in October 2021 that specifically targeted Linux and FreeBSD. A new variant surfaced in March 2022 wherein a new obfuscation technique (IPfuscation) was used by the Hive ransomware group. The same month, the operators converted their VMware ESXi Linux encrypter to the Rust language. The use of Rust language made the ransomware sample more efficient and harder to reverse engineer. This feature was reportedly borrowed from the BlackCat ransomware operation.

In parallel, a new ransomware named Nokoyawa was also spotted in the wild, which is believed to have links with Hive. Both the ransomware strains share several similarities including the use of Cobalt Strike and legitimate tools such as anti-rootkit scanners (for defense evasion).

Operational Details

Initial access

Hive’s affiliates use various mechanisms to infect victims' networks, such as phishing emails with malicious attachments, leaked VPN credentials, and abiding vulnerabilities on external-facing assets. For example, one of the Hive affiliates had successfully exploited Microsoft Exchange via vulnerabilities known as ProxyShell.

The payload execution

Upon execution, it terminates computer backup, antivirus, antispyware, and file copying features of the OS. Then, it identifies and stops database (SQL, Oracle, Postgres, Redis), backup (BMR, VSS), and protocol (sstp) services. It then terminates the mspub and msdesktop processes and uses hive[.]bat and shadow[.]bat to start the encryption process excluding the C:\Windows drive.

After infection, the ransomware first attempts to dump credentials, attempts to cache cleartext credential data, and then uses the ADrecon to map, traverse, and enumerate the Active Directory (AD) environment. Other legitimate tools used by Hive in their attacks are Cobalt Strike and ConnectWise to maintain persistence and for a better reach across the targeted network, respectively.

The ransom demand

In the end, the Hive drops a ransom note that threatens to publish the victim's data on the TOR website 'HiveLeaks' unless victims agree to the demands. For that, the victims are given unique credentials for the Hive Portal and a deadline of two to six days for payment. If not, the data will be leaked to HiveLeaks.

Attacks/Victimology

The group has been observed targeting multiple sectors, including nonprofits, retail, energy, media, education, manufacturing, telecommunication, material, technology, and government. The most targeted countries are Argentina, Brazil, the U.S., Thailand, Italy, Spain, Colombia, France, Saudi Arabia, and El Salvador. A report from Trend Micro has revealed that the most targeted sectors are energy, healthcare, and financial services.

Major attacks

Mitigation

To stay protected from the Hive ransomware, it is suggested to create, maintain, and follow a strategic cyber incident response plan, resiliency plan, along with associated communications plan in case of an incident. Immediately fix any internet-facing vulnerabilities and misconfigurations, and use email security gateways to reduce the risk of phishing emails from reaching end users. Additionally, remove applications that are not in use, and monitor abnormal termination of the BMR, SQL, Oracle, Postgres, Redis, VSS, backup, sst services along with mspub and msdesktop processes.

In fact, looking at the current threat environment, traditional threat intelligence management practices could also fall short when it comes to making time-critical decisions. Organizations can unlock new power by enabling faster collaboration through threat intel platforms, and thus make well-informed decisions against new or emerging threats by ingesting, correlating, and operationalizing high-fidelity threat intelligence.

Note: [In February 2022, researchers, theoretically, cracked the encryption code of Hive ransomware and weaponized the flaw to recover 92–98% of the master key. Due to this major development, it was possible to guess the keystreams and recover the master key to decode the encrypted files without needing a private key. Researchers are reportedly trying to find ways to leverage this method for developing a working decryptor.]

Conclusion

Hive ransomware is new yet has already become one of the most prolific and aggressive ransomware families that exist today. The ransomware operators are constantly refining and diversifying their TTPs to make their malware efficient. This makes it harder for the security community and organizations to stay protected. Entities with inadequate security measures in places are doomed to be targeted by the threats like Hive. Thus, organizations are suggested to stay vigilant and prepare themselves with adequate security in place.

Indicators of Compromise

Encrypted Files Extension

.hive (files are also appended with a random character string)

Ransom Demanding Message

HOW_TO_DECRYPT[.]txt

MD5

eb37bb967c8911ba8a3ad58e6a4a9578

SHA-1

0f9484948fdd1b05bad387b14b27dc702c2c09ed

SHA-256

ed614cba30f26f90815c28e189340843fab0fe7ebe71bb9b4a3cb7c78ff8e3d2

Vhash

08503e0f7d1bz4!z

Authentihash

2e29fe2ef4ed4917474ce22212fd3b1a756bd9aef176a0a6f55a3590d7c5e612

Imphash

6ed4f5f04d62b18d96b26d6db7c18840

SSDEEP

24576:D9gS/G42DNYpR+eDR/nw7U9arps7wd1d9w1TIo2:D9//G45R5hwg9arps7wd/y1Tj2

TLSH

T176053311FCEEFBB6C7267EB7B5E113C1549A7D2B679C862E507A322323840D0D46A624

New obfuscation technique

SHA256

065de95947fac84003fd1fb9a74123238fdbe37d81ff4bd2bff6e9594aad6d8b 0809e0be008cb54964e4e7bda42a845a4c618868a1e09cb0250210125c453e65 12d2d3242dab3deca29e5b31e8a8998f2a62cea29592e3d2ab952fcc61b02088 130c062e45d3c35ae801eb1140cbf765f350ea91f3d884b8a77ca0059d2a3c54 39629dc6dc52135cad1d9d6e70e257aa0e55bd0d12da01338306fbef9a738e6b 5086cc3e871cf99066421010add9d59d321d76ca5a406860497faedbb4453c28 56c5403e2afe4df8e7f98fd89b0099d0e2f869386759f571de9a807538bad027 60cfce921a457063569553d9d43c2618f0b1a9ab364deb7e2408a325e3af2f6f 6240193f7c84723278b9b5e682b0928d4faf22d222a7aa84556c8ee692b954b0 6a222453b7b3725dcf5a98e746f809e02af3a1bd42215b8a0d606c7ce34b6b2b 6bdd253f408a09225dee60cc1d92498dac026793fdf2c5c332163c68d0b44efd 9c90c72367526c798815a9b8d58520704dc5e9052c41d30992a3eb13b6c3dd94 9cd407ea116da2cda99f7f081c9d39de0252ecd8426e6a4c41481d9113aa523e a586efbe8c627f9bb618341e5a1e1cb119a6feb7768be076d056abb21cc3db66 c384021f8a68462348d89f3f7251e3483a58343577e15907b5146cbd4fa4bd53 c76671a06fd6dd386af102cf2563386060f870aa8730df0b51b72e79650e5071 e452371750be3b7c88804ea5320bd6a2ac0a7d2c424b53a39a2da3169e2069e9 e9bb47f5587b68cd725ab4482ad7538e1a046dd41409661b60acc3e3f177e8c4 e9da9b5e8ebf0b5d2ea74480e2cdbd591d82cd0bdccbdbe953a57bb5612379b0 efbdb34f208faeaebf62ef11c026ff877fda4ab8ab31e99b29ff877beb4d4d2b f248488eedafbeeb91a6cfcc11f022d8c476bd53083ac26180ec5833e719b844 e61ecd6f2f8c4ba8c6f135505005cc867e1eea7478a1cbb1b2daf22de25f36ce f07a3c6d9ec3aeae5d51638a1067dda23642f702a7ba86fc3df23f0397047f69 7667d0e90b583da8c2964ba6ca2d3f44dd46b75a434dc2b467249cd16bf439a0 75244059f912d6d35ddda061a704ef3274aaa7fae41fdea2efc149eba2b742b3 7e8dd90b84b06fabd9e5290af04c4432da86e631ab6678a8726361fb45bece58

a0b4e3d7e4cd20d25ad2f92be954b95eea44f8f1944118a3194295c5677db749

50ad0e6e9dc72d10579c20bb436f09eeaa7bfdbcb5747a2590af667823e85609

5ae51e30817c0d08d03f120539aedc31d094b080eb70c0691bbfbaa4ec265ef3

77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618

e1a7ddbf735d5c1cb9097d7614840c00e5c4d5107fa687c0ab2a2ec8948ef84e

ed614cba30f26f90815c28e189340843fab0fe7ebe71bb9b4a3cb7c78ff8e3d2

c5fe23c626413a18cba8fb4ea93df81529c85f470577fb9c2336d6b692689d9d

88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1

2f7d37c22e6199d1496f307c676223dda999c136ece4f2748975169b4a48afe5

fdbc66ebe7af710e15946e1541e2e81ddfd62aa3b35339288a9a244fb56a74cf

1e21c8e27a97de1796ca47a9613477cf7aec335a783469c5ca3a09d4f07db0ff

bf7bc94506eb72daec1d310ba038d9c3b115f145594fd271b80fbe911a8f3964

c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11

612e5ffd09ca30ca9488d802594efb5d41c360f7a439df4ae09b14bce45575ec

0df750bf15895d410c3f6ce45279ab0329c5c723af38b99aadc9a60bcdc9a71d

5954558d43884da2c7902ddf89c0cf7cd5bf162d6feefe5ce7d15b16767a27e5

SHA1

d83df37d263fc9201aa4d98ace9ab57efbb90922 49fa346b81f5470e730219e9ed8ec9db8dd3a7fa fa8795e9a9eb5040842f616119c5ab3153ad71c8 6b5036bd273d9bd4353905107755416e7a37c441 8a4408e4d78851bd6ee8d0249768c4d75c5c5f48 49fa346b81f5470e730219e9ed8ec9db8dd3a7fa 6e91cea0ec671cde7316df3d39ba6ea6464e60d9 24c862dc2f67383719460f692722ac91a4ed5a3b 415dc50927f9cb3dcd9256aef91152bf43b59072 2ded066d20c6d64bdaf4919d42a9ac27a8e6f174 27b5d056a789bcc85788dc2e0cc338ff82c57133

67f0c8d81aefcfc5943b31d695972194ac15e9f2

edba1b73ddd0e32784ae21844c940d7850531b82

2877b32518445c09418849eb8fb913ed73d7b8fb

cd8e4372620930876c71ba0a24e2b0e17dcd87c9

eaa2e1e2cb6c7b6ec405ffdf204999853ebbd54a

0f9484948fdd1b05bad387b14b27dc702c2c09ed

e3e8e28a70cdfa2164ece51ff377879a5151abdf

9d336b8911c8ffd7cc809e31d5b53796bb0cc7bb

1cc80ad88a022c429f8285d871f48529c6484734

3b40dbdc418d2d5de5f552a054a32bfbac18c5cc

2f3273e5b6739b844fe33f7310476afb971956dd

7777771aec887896be773c32200515a50e08112a