Hive: In-Depth Analysis, Detection, and Mitigation
Summary of Hive Ransomware
Hive ransomware emerged in June 2021. Hive practices double extortion, demanding payment for a decryptor as well as for the non-release of stolen data. Hive operates as a RaaS (Ransomware-as-a-Service) and their campaigns are characterized as being aggressive and rapid. The payloads are non-stealth in their execution and full drive encryption can be achieved in just a few minutes. Hive operators make significant use of COTS tools and LOLBins during all stages of attack. They are also known to frequently attack healthcare and education organizations.
What Does Hive Ransomware Target?
Hive ransomware targets a wide range of industries including healthcare, finance, retail, energy and manufacturing.
Update: In January 2023, the United States Department of Justice announced the disruption of Hive’s ransomware operations. Hive operations remained dormant following this operation until their reemergence in October 2023 under the moniker ‘Hunters International’.
How Does Hive Ransomware Spread?
Hive ransomware can be deployed in various ways, such as with Cobalt Strike or a similar framework, as well as through email phishing. Additionally, it targets vulnerabilities in RDP and VPN services. Hive actors are adept at advanced MFA bypasses, as well as exploitation of advanced vulnerabilities including CVE-2020-12812 (FortiOS) and CVE-2021-31207, CVE-2021-34473 and CVE-2021-34523 (all Microsoft Exchange)
Hive Ransomware Technical Details
Hive actors gain initial access to victim networks in various ways. Hive actors have exploited single factor logins via Remote Desktop Protocol (RDP), virtual private networks (VPNs) and other network connection protocols . In some cases, they have bypassed multifactor authentication (MFA) and exploited CVE-2020-12812 to gain access to FortiOS servers. This vulnerability allows a malicious actor to log in without prompting for a second authentication factor (FortiToken) by changing the case of the username. Additionally, they have distributed phishing emails with malicious attachments and exploited vulnerabilities against Microsoft Exchange servers.
Hive uses a number of custom pre-deployment PowerShell and BAT scripts to prepare the environment for distribution of the ransomware. ADFind, SharpView, and BloodHound are used for Active Directory enumeration. Password spraying is performed with SharpHashSpray and SharpDomainSpray, while Rubeus is used to request TGTs (Kerberos Ticket Granting Ticket). Cobalt Strike is used by Hive operators, and several different Cobalt Strike loaders have been identified including a IPfuscated loader, a Golang loader, and a vanilla/native beacon DLL. Finally, GPOs and Scheduled Tasks are used to deploy digitally signed ransomware across the victim’s network.
Hive will attempt to inhibit system recovery by removing Volume Shadow Copies. VSS removal and timeout (execution delays) functions are handled via .BAT files dropped upon launch. Hive’s execution is both rapid and noisy. Full drive encryption can be achieved within minutes. Visible cmd-windows and excessive timeout calls make it far from ‘stealth’. Victims are instructed to visit the Hive payment and support portal via TOR.
How to Detect Hive Ransomware
- The SentinelOne Singularity XDR Platform can identify and stop any malicious activities and items related to Hive Ransomware
In case you do not have SentinelOne deployed, detecting ransomware requires a combination of technical and operational measures designed to identify and flag suspicious activity on the network. This allows the organization to take appropriate action, and to prevent or mitigate the impact of the ransomware attack.
To mitigate the risk of this Ransomware without SentinelOne deployed, it is important to take a multi-layered approach, which includes the following steps:
- Use anti-malware software or other security tools capable of detecting and blocking known ransomware variants. These tools may use signatures, heuristics, or machine learning algorithms, to identify and block suspicious files or activities.
- Monitor network traffic and look for indicators of compromise, such as unusual network traffic patterns or communication with known command-and-control servers.
- Conduct regular security audits and assessments to identify network and system vulnerabilities and ensure that all security controls are in place and functioning properly.
- Educate and train employees on cybersecurity best practices, including identifying and reporting suspicious emails or other threats.
- Implement a robust backup and recovery plan to ensure that the organization has a copy of its data and can restore it in case of an attack.
How to Mitigate Hive
- The SentinelOne Singularity XDR Platform can return systems to their original state (which is free from re-infection) using either the Repair or Rollback feature.
In case you do not have SentinelOne deployed, there are several steps that organizations can take to mitigate the risk of ransomware attacks:
- Educate employees: Employees should be educated on the risks of ransomware, and on how to identify and avoid phishing emails, malicious attachments, and other threats. They should be encouraged to report suspicious emails or attachments, and to avoid opening them, or clicking on links or buttons in them.
- Implement strong passwords: Organizations should implement strong, unique passwords for all user accounts, and should regularly update and rotate these passwords. Passwords should be at least 8 characters long, and should include a combination of uppercase and lowercase letters, numbers, and special characters.
- Enable multi-factor authentication: Organizations should enable multi-factor authentication (MFA) for all user accounts, to provide an additional layer of security. This can be done through the use of mobile apps, such as Google Authenticator or Microsoft Authenticator, or through the use of physical tokens or smart cards.
- Update and patch systems: Organizations should regularly update and patch their systems, to fix any known vulnerabilities, and to prevent attackers from exploiting them. This includes updating the operating system, applications, and firmware on all devices, as well as disabling any unnecessary or unused services or protocols.
Implement backup and disaster recovery: Organizations should implement regular backup and disaster recovery (BDR) processes, to ensure that they can recover from ransomware attacks, or other disasters. This includes creating regular backups of all data and systems, and storing these backups in a secure, offsite location. The backups should be tested regularly, to ensure that they are working, and that they can be restored quickly and easily.