Hive ransomware operates as a ransomware-as-a-service (RaaS) that has victimized thousands across sectors like Healthcare and Public Health, encrypting data and threatening leaks. The advisory inventories Hive’s TTPs, IOCs, and mitigations, including initial access via RDP/VPN, Exchange vulnerabilities, phishing, and defense-evasion steps, to help defenders reduce impact. #HiveRansomware #HiveLeaks
Key points
- Hive operates as a ransomware-as-a-service (RaaS) with developers/affiliates; over 1,300 companies affected and about $100 million in ransom payments (as of Nov 2022).
- Initial access methods include single-factor logins via RDP/VPN, MFA bypass via CVE-2020-12812 on FortiOS, phishing with malicious attachments, and exploitation of Microsoft Exchange vulnerabilities (CVE-2021-31207, CVE-2021-34473, CVE-2021-34523).
- Post-intrusion, Hive evades detection by stopping backups, deleting shadow copies, and disabling Windows Defender/antivirus; it also destroys event logs.
- Hive exfiltrates data using cloud services (e.g., Mega.nz) and tools like Rclone; variants exist for Linux, VMware ESXi, and FreeBSD.
- During encryption, a *.key file is created; the ransom note HOW_TO_DECRYPT.txt explains the decryption constraints and points to the TOR-based HiveLeaks site for payment negotiation, with additional sites used for data leakage.
- MITRE-aligned techniques include T1133, T1190, T1566.001, T1059, T1070, T1112, T1562, T1537, T1486, and T1490; recommended mitigations cover patching, MFA, RDP hardening, offline backups, logging, and network monitoring.
- Organizations are urged to isolate incidents, secure backups, and report incidents to FBI/CISA; additional protective controls and identity/access management practices are outlined.
MITRE Techniques
- [T1133] External Remote Services – Hive actors gain access to victim networks by using single factor logins via RDP, VPN, and other remote network connection protocols. ‘Hive actors gain access to victim networks by using single factor logins via RDP, VPN, and other remote network connection protocols.’
- [T1190] Exploit Public-Facing Application – Hive actors gain access by exploiting Microsoft Exchange vulnerabilities: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207. ‘exploiting the following Microsoft Exchange vulnerabilities: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207.’
- [T1566.001] Phishing – Hive actors gain access by distributing phishing emails with malicious attachments. ‘distributing phishing emails with malicious attachments [T1566.001]’
- [T1059] Command and Scripting Interpreter – Hive stops volume shadow copy services and removes shadow copies via vssadmin on command line or PowerShell. ‘stop the volume shadow copy services and remove all existing shadow copies via vssadmin on command line or via PowerShell’
- [T1070] Indicator Removal on Host – Hive deletes Windows event logs (System, Security, Application). ‘Delete Windows event logs, specifically the System, Security and Application logs [T1070].’
- [T1112] Modify Registry – Hive sets registry values to disable security defenses. ‘removes virus definitions and disables all portions of Windows Defender and other common antivirus programs in the system registry [T1112].’
- [T1562] Impair Defenses – Hive terminates processes related to backups/antivirus to facilitate encryption. ‘identify processes related to backups, antivirus/anti-spyware, and file copying and then terminating those processes to facilitate file encryption [T1562].’
- [T1537] Transfer Data to Cloud Account – Hive exfiltrates data using Rclone and Mega.nz. ‘exfiltrate data likely using a combination of Rclone and the cloud storage service Mega.nz [T1537].’
- [T1486] Data Encrypted for Impact – The ransom note HOW_TO_DECRYPT.txt states that the *.key file must not be modified, renamed, or deleted, otherwise the encrypted files cannot be recovered. ‘HOW_TO_DECRYPT.txt … states the *.key file cannot be modified, renamed, or deleted, otherwise the encrypted files cannot be recovered [T1486].’
- [T1490] Inhibit System Recovery – Hive stops shadow copies to hinder recovery. ‘look to stop the volume shadow copy services and remove all existing shadow copies via vssadmin via command line or PowerShell.’
Indicators of Compromise
- [File] context – HOW_TO_DECRYPT.txt, *.key, hive.bat, shadow.bat, Windows_x64_encrypt.exe, Windows_x64_encrypt.dll, Windows_x32_encrypt.exe, Windows_x32_encrypt.dll, Linux_encrypt, Esxi_encrypt
- [Event] context – System/Security/Application event logs wiped; Defender protection disabled; shadow copies deleted
- [Process/Command] context – wevtutil.exe cl system, wevtutil.exe cl security, wevtutil.exe cl application, vssadmin.exe delete shadows /all /quiet, wmic.exe SHADOWCOPY /nointeractive, wmic.exe shadowcopy delete
- [Domain/URL] context – HiveLeaks TOR site; anonymous file sharing sites: anonfiles.com, mega.nz, send.exploit.in, ufile.io, sendspace.com, privatlab.net, privatlab.com
- [IP] context – Potential IOC IP Addresses for Compromise or Exfil: 84.32.188.57, 84.32.188.238, 93.115.26.251, 185.8.105.67, 181.231.81.239, 185.8.105.112
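The process/command and file indicators above (T1070 log wiping, T1490 shadow-copy deletion, T1486 encryptor/ransom-note artifacts) can be turned into a simple detection pass over process-creation telemetry. The following is an added example written for this summary, not code from the CISA advisory; the `host | user | command line` record format and the sample records are constructed for the example.

```python
import re
from dataclasses import dataclass

# Detection rules derived from the Process/Command and File indicators listed above.
# Each rule maps a command-line pattern to the MITRE technique the advisory ties it to.
RULES = [
    # T1070: clearing the System, Security and Application event logs with wevtutil
    (re.compile(r"\bwevtutil(?:\.exe)?\s+cl\s+(?:system|security|application)\b", re.I), "T1070"),
    # T1490: deleting volume shadow copies via vssadmin or wmic
    (re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I), "T1490"),
    (re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+(?:/nointeractive|delete)\b", re.I), "T1490"),
    # T1486: Hive encryptor binaries, helper batch files and the ransom note name
    (re.compile(r"\b(?:windows_x(?:64|32)_encrypt\.(?:exe|dll)|(?:linux|esxi)_encrypt|hive\.bat|shadow\.bat)\b", re.I), "T1486"),
    (re.compile(r"HOW_TO_DECRYPT\.txt", re.I), "T1486"),
]

@dataclass
class Hit:
    host: str
    technique: str
    command: str

def parse_line(line):
    """Parse a constructed 'host | user | command line' record; returns (host, user, cmd) or None."""
    parts = [p.strip() for p in line.split("|", 2)]
    return tuple(parts) if len(parts) == 3 else None

def scan(lines):
    """Return one Hit per record whose command line matches a rule (first matching rule wins)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host, _user, cmd = rec
        for pattern, technique in RULES:
            if pattern.search(cmd):
                hits.append(Hit(host, technique, cmd))
                break
    return hits

def hosts_with_recovery_inhibition(hits):
    """Hosts showing both log wiping (T1070) and shadow-copy deletion (T1490): the pre-encryption pattern described above."""
    by_host = {}
    for h in hits:
        by_host.setdefault(h.host, set()).add(h.technique)
    return sorted(host for host, techs in by_host.items() if {"T1070", "T1490"} <= techs)

# Constructed sample process-creation records (not real telemetry).
SAMPLE_LOG = [
    "WS01 | CORP\\jdoe | wevtutil.exe cl system",
    "WS01 | CORP\\jdoe | wevtutil.exe cl security",
    "WS01 | CORP\\jdoe | vssadmin.exe delete shadows /all /quiet",
    "WS01 | CORP\\jdoe | wmic.exe shadowcopy delete",
    "WS02 | CORP\\svc_backup | wmic.exe SHADOWCOPY /nointeractive",
    "WS03 | CORP\\asmith | notepad.exe C:\\Users\\asmith\\notes.txt",
    "WS01 | CORP\\jdoe | cmd.exe /c C:\\Temp\\Windows_x64_encrypt.exe",
]
```

Running `scan(SAMPLE_LOG)` flags six of the seven records, and `hosts_with_recovery_inhibition` singles out WS01 as the host where both event-log clearing and shadow-copy deletion occurred.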
Read more: https://www.cisa.gov/uscert/ncas/alerts/aa22-321a