By Aaron Sandeen, CEO and co-founder at Securin
Since June 2021, Hive Ransomware has been dominating the ransomware scene. Their reach has affected more than 1,500 organizations resulting in Hive receiving ransom payments totaling $100 million. With all the buzz they have created, it’s no wonder they have earned the title of one of the most prolific ransomware groups.
History of Hive Ransomware
Hive typically goes after nonprofits, retailers, energy providers, healthcare facilities, and others in similar spaces. Since June 2021, Hive has targeted an average of three companies per day. In only four months, Hive successfully infiltrated more than 350 organizations worldwide.
By the end of 2022, the education sector had seen increased ransomware attacks. Between November and December 2022, there were 24 disclosed and confirmed ransomware attacks, five against K-12 universities and schools. We now know that Hive was behind a couple of those attacks because they leaked the stolen data on their public leak site.
Deconstructing the Hive
Hive has built its ransomware-as-a-service operation around a team of developers who manage and create malware. Then affiliates carry out attacks on target networks by purchasing domains from initial access brokers. Hive uses its operators to carry out a standard double-extortion ransomware attack on its targets, where they encrypt systems, steal sensitive files and then demand a ransom payment from the victim in exchange for their private data not being released to the public.
Though it may seem like Hive targets its victims randomly, it can be deduced that they base their assessments on how easily they can compromise the victim for quick financial gains. Hive will do a deep dive into the organization they decide to target before they engage in any ransom payment negotiations. Typically, for the ransom Hive will ask for 1 percent of the company’s annual revenue. It should be noted that Hive is quick to lower its ransom demands. They will offer several substantial reductions through their negotiations.
Hive has successfully disguised its bad actors as customer service workers. Once trapped, Hive allows its victims to contact a customer service representative through a fake ‘customer service’ link provided at the time of encryption. When the victim has clicked the link, Hive’s ransomware group gets connected directly to the victim. From there, the victim enters a live chat with a Hive member, who will then negotiate a ransom payment amount.
Hive Ransomware added new additions to their VMware ESXi Linux encryptor in March of 2022. Now it is harder for security researchers to spy on a victim’s ransom negotiations because Hive also converted to the Rust programming language.
Following Conti Ransomware’s shutdown in May of 2022, its members filtered into smaller groups that partnered with Hive, HelloKitty, AvosLocker, BlackCat, BlackByte, and others. Some Conti members that joined the ranks at Hive Ransomware began leaking victim’s data on both Hive’s and Conti’s leak sites.
Hive Ransomware Attack Methodology
Initial Access Techniques:
-
Using single-factor logins via RDP, VPN, and other remote network connection protocols, Hive actors can access the victim’s networks.
-
Hive actors access victim networks by exploiting the following Microsoft Exchange vulnerabilities: CVE-2021-34473, CVE-2021-34523, CVE-2021- 31207, and CVE-2021-42321. This is called Exploit Public-Facing Application. Bad actors like Hive may also use CVE-2021-33558, the newly discovered Boa vulnerability, to access a victim’s network.
-
Phishing – By circulating emails with malicious attachments, Hive actors can gain access to the victim’s networks.
Execution:
-
Use Command and Scripting Interpreter – Hive wants to stop the volume of shadow copy services and remove all existing shadow copies via vssadmin on the command line or PowerShell.
Defense Evasion:
-
Use Indicator Removal on Host – Hive actors will delete Windows event logs. Specifically, they will target the System, Security, and Application logs.
-
Modify Registry – Hive will set registry values for DisableAntiSpyware and DisableAntiVirus to 1.
-
Impair Defenses – Hive will seek to terminate all processes related to backups, antivirus/anti-spyware, and file copying.
Exfiltration:
-
Use Transfer Data to Cloud Account – Using a possible combination of Rclone and the cloud storage service Mega.nz, this is how Hive actors exfiltrate data from victims.
Impact:
-
Use Data Encrypted for Impact – Hive actors will send victims a ransom note into each affected directory which reads that the *.key file cannot be modified, renamed, or deleted. Otherwise, the encrypted files cannot be recovered.
-
Inhibit System Recovery – Hive actors look to remove all existing shadow copies via vssadmin via command line or PowerShell, virtually stopping the volume shadow copy services.
To limit the effects of ransomware attacks, it is now more critical than ever for cybersecurity measures to be taken within businesses and organizations. This is especially true for the education and healthcare sectors. K-12 schools and universities have seen an enormous uptick in paid ransoms, with an estimated $3.5 billion being paid in 2022 alone.
According to Securin’s Ransomware Spotlight Report 2023, there was a 19% rise in vulnerabilities associated with ransomware in 2022. A total of 344 vulnerabilities have been leveraged by ransomware groups thus far, of which 156 vulnerabilities are yet to be added to CISA’s KEV catalog. About 180 vulnerabilities have been actively searched as a point of interest by hackers and malicious actors such as HIVE.
The lesson to take away from Hive’s time as king of the ransomware hill is that it is imperative for enterprises to maintain a strong security posture. Reduce dangerous exposures by staying ahead of threat actors through prioritizing detection and prevention over recovery. Enterprises can gain the foresight needed to arrange their patching cadence, monitor their ransomware exposure, and better secure their network.