Author: Christopher Kim
1. Executive Summary
On 25 August, the Federal Bureau of Investigation (FBI) released a flash alert that describes the Hive ransomware and related indicators of compromise (IOCs) [1]. According to the flash alert, Hive was discovered in June 2021 and likely operates as an affiliate-based ransomware [2]. It uses common ransomware tactics, techniques, and procedures (TTPs) to compromise victims’ machines, bypass anti-malware, and then steal sensitive data and encrypt system files. In addition, Hive leaves an unencrypted, plain-text note that threatens to leak the victim’s data on the TOR website HiveLeaks unless the victim pays a ransom. This behavior is consistent with the recent trend wherein many ransomware campaigns attempt to extort victims and most exfiltrate data [3, 4].
2. Analysis
To gain a foothold in a victim’s network, Hive uses spear-phishing emails with attachments. Upon obtaining the user’s network credentials, Hive attempts to infect the network laterally, by using the Remote Desktop Protocol (RDP).
To avoid anti-malware defenses, Hive terminates processes related to computer backup and restore, antivirus and antispyware, and file copying. After encrypting files and saving them with a .hive extension, Hive creates the batch files hive.bat and shadow.bat, which contain commands for the computer to delete the Hive executable, disk backup copies or snapshots, and the batch files themselves. This is a common technique used by malware to reduce the forensic evidence left on the host.
Finally, Hive drops a ransom note, HOW_TO_DECRYPT.txt, into each affected directory. The note explains that encrypted files are not decryptable without the master key, which is in the actors’ possession. In addition, the note contains the login details for the TOR website that the victim can use to pay the ransom, and it threatens to leak the victim’s sensitive data on the HiveLeaks TOR website.
In some attacks, in addition to offering live chat on their TOR website, the actors have called the victims directly and demanded a payment in return for the master key. Payment deadlines range from 2 to 6 days, but in some incidents, the actors prolonged the deadline after establishing communication with the victim company.
3. Prevention and Mitigation
The FBI discourage victims from paying ransom; submitting to the demands of threat actors not only enriches them but also incentivizes them to continue their malicious campaigns. In addition, paying the ransom does not guarantee that victims will recover their files, nor that they will not be attacked again by the same actors. Victims should carefully evaluate all options to protect their shareholders, employees, and customers. The FBI recommend the following actions for mitigation and prevention of ransomware attacks:
- Back up critical data offline.
- Ensure copies of critical data are in the cloud or on an external hard drive or storage device.
- Secure backups and ensure that backup data cannot be modified or deleted from the system where the original data resides.
- Use two-factor authentication with strong passwords, including for remote access services.
- Monitor cyber threat reporting regarding the publication of compromised VPN login credentials and change passwords/settings if applicable.
- Keep computers, devices, and applications patched and up-to-date.
- Install and regularly update anti-virus or anti-malware software on all hosts.
- Review the following additional resources:
  - The joint advisory from Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity provides additional guidance when hunting or investigating a network and common mistakes to avoid in incident handling.
  - The Cybersecurity and Infrastructure Security Agency-Multi-State Information Sharing & Analysis Center Joint Ransomware Guide covers additional best practices and ways to prevent, protect, and respond to a ransomware attack.
  - StopRansomware.gov is the U.S. Government’s official one-stop location for resources to tackle ransomware more effectively.
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) recommend the following actions for organizations that have fallen victim to ransomware attacks:
- Isolate the infected system. Remove the infected system from all networks, and disable the computer’s wireless, Bluetooth, and any other potential networking capabilities. Ensure all shared and networked drives are disconnected, whether wired or wireless.
- Turn off other computers and devices. Power off and segregate (i.e., remove from the network) the infected computer(s). Power off and segregate any other computers or devices that share a network with the infected computer(s) and that have not been fully encrypted by ransomware. If possible, collect and secure all infected and potentially infected computers and devices in a central location, making sure to clearly label any computers that have been encrypted. Powering off and segregating infected computers and computers that have not been fully encrypted may allow specialists to recover partially encrypted files.
- Secure backups. Ensure that backup data is offline and secure. If possible, scan backup data with an antivirus program to check that it is free of malware.
4. Sample Ransom Note
A typical ransom note sent by Hive contains text similar to the following. To protect the public, the FBI have redacted some of the information.
> Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose.
>
> To decrypt all the data or to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software.
>
> Please contact our sales department at: REDACTED
> Login: REDACTED
>
> To get access to .onion websites download and install Tor Browser at:
>
> Follow the guidelines below to avoid losing your data:
> – Do not shutdown or reboot your computers, unmount external storages.
5. Indicators of Compromise
The FBI have identified the following IOCs from previous Hive ransomware campaigns. Some of these IOCs are used by legitimate applications and are not inherently malicious. The FBI recommend removing all applications not deemed necessary for day-to-day operations.
| Indicators | Description |
|---|---|
| http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd[.]onion, hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd[.]onion | HiveLeaks TOR website |
| 321d0c4f1bbb44c53cd02186107a18b7a44c840a9a5f0a78bdac06868136b72c | Winlo.exe SHA256 |
| 04FB3AE7F05C8BC333125972BA907398 | 7zG.exe MD5 |
| BEE9BA70F36FF250B31A6FDF7FA8AFEB | Winlo_dump_64_SCY.exe |
| HOW_TO_DECRYPT.txt | Ransom note filename |
| hive.bat, shadow.bat | Self-delete batch filenames |
| https://anonfiles[.]com, https://mega[.]nz, https://send[.]exploit[.]in, https://ufile[.]io, https://www.sendspace[.]com | Links for anonymous sharing of files |
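The artifacts named in the analysis above (the .hive extension, the HOW_TO_DECRYPT.txt note, the hive.bat/shadow.bat self-delete scripts) and the hashes and domains in the IOC table can be turned directly into a host-side hunting script. The following is an added example, not code from the FBI flash alert or from the original post: it walks a directory tree, flags the named artifacts, compares each file's MD5 and SHA256 against the table's hashes, and searches text files for the leak site and anonymous file-sharing hosts. The directory layout, file contents and the "constructed-dropper" hash it builds in `demo()` are constructed sample data so the script runs offline; the set of text-like extensions searched for domains is an assumption.

```python
"""Hunt a directory tree for the Hive ransomware artifacts listed in the advisory.

Added example (not the FBI's or the original author's code). Sample data is
constructed in a temporary directory so that the script runs offline.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Hashes from the advisory's IOC table, lower-cased so comparison is
# case-insensitive. Both MD5 and SHA256 are computed per file, so the
# digest type does not need to be known in advance.
ADVISORY_HASHES = {
    "321d0c4f1bbb44c53cd02186107a18b7a44c840a9a5f0a78bdac06868136b72c": "Winlo.exe",
    "04fb3ae7f05c8bc333125972ba907398": "7zG.exe",
    "bee9ba70f36ff250b31a6fdf7fa8afeb": "Winlo_dump_64_SCY.exe",
}
RANSOM_NOTE = "HOW_TO_DECRYPT.txt"
SELF_DELETE_BATCH = {"hive.bat", "shadow.bat"}
ENCRYPTED_EXT = ".hive"
# Domains as defanged in the advisory; refang() restores them for matching.
DEFANGED_DOMAINS = [
    "hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd[.]onion",
    "anonfiles[.]com", "mega[.]nz", "send[.]exploit[.]in",
    "ufile[.]io", "www[.]sendspace[.]com",
]
TEXT_EXTS = {".txt", ".bat", ".log"}  # assumption: only these are searched for domains


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp") back into its matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


DOMAIN_RE = re.compile("|".join(re.escape(refang(d)) for d in DEFANGED_DOMAINS), re.IGNORECASE)


def file_digests(path: Path) -> set:
    """Return {md5, sha256} hex digests of a file, streamed in 1 MiB chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {md5.hexdigest(), sha256.hexdigest()}


def hunt(root, known_hashes=ADVISORY_HASHES) -> dict:
    """Walk `root` and collect Hive artifacts, keyed by indicator category."""
    root = Path(root)
    findings = {"ransom_notes": [], "batch_files": [], "encrypted_files": [],
                "hash_matches": [], "domain_refs": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        name = path.name.lower()
        if name == RANSOM_NOTE.lower():
            findings["ransom_notes"].append(rel)
        if name in SELF_DELETE_BATCH:
            findings["batch_files"].append(rel)
        if path.suffix.lower() == ENCRYPTED_EXT:
            findings["encrypted_files"].append(rel)
        for digest in file_digests(path) & set(known_hashes):
            findings["hash_matches"].append((rel, known_hashes[digest]))
        if path.suffix.lower() in TEXT_EXTS:
            text = path.read_text(errors="replace")
            for match in DOMAIN_RE.findall(text):
                findings["domain_refs"].append((rel, match.lower()))
    return findings


def build_sample(root) -> None:
    """Constructed post-infection layout; none of these are real Hive artifacts."""
    root = Path(root)
    docs = root / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    (docs / "budget.xlsx.hive").write_bytes(b"\x00" * 64)
    (docs / RANSOM_NOTE).write_text(
        "Your network has been breached ... "
        "http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/\n")
    temp = root / "Windows" / "Temp"
    temp.mkdir(parents=True)
    (temp / "shadow.bat").write_text("del shadow.bat\n")  # placeholder content
    (temp / "dropper.exe").write_bytes(b"constructed sample, not malware")
    (root / "clean.txt").write_text("nothing to see\n")


def demo() -> dict:
    """Build the sample tree and hunt it; the constructed dropper's SHA256 is
    added to the known hashes so the hash-match path is exercised too."""
    known = dict(ADVISORY_HASHES)
    known[hashlib.sha256(b"constructed sample, not malware").hexdigest()] = "constructed-dropper"
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return hunt(tmp, known)


if __name__ == "__main__":
    for category, items in demo().items():
        print(f"{category}: {items}")
```

On a real host, point `hunt()` at the volume root and feed the hash table from your own threat-intel store; because the advisory notes that some IOCs (such as 7zG.exe) are also used by legitimate applications, a hash match should be triaged together with the other categories rather than treated as a verdict on its own.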
Endnotes
1. https://www.ic3.gov/Media/News/2021/210825.pdf
2. A ransomware affiliate refers to a person or group who rents access to Ransomware-as-a-Service (RaaS) platforms.
3. https://www.crypsisgroup.com/insights/ransomwares-new-trend-exfiltration-and-extortion
4. https://healthitsecurity.com/news/70-ransomware-attacks-cause-data-exfiltration-phishing-top-entry-point