Rewterz Threat Alert – Hive Ransomware Extorted $100M From Over 1,300 Companies Worldwide – Active IOCs

Severity

High

Analysis Summary

As of November 2022, Hive ransomware operators have successfully extorted $100 million in ransom payments from over 1,300 companies across the world, reported the cybersecurity and intelligence authorities.

“Hive actors have been known to reinfect—with either Hive ransomware or another ransomware variant—the networks of victim organizations who have restored their network without making a ransom payment.”

Threat actors targeted a wide range of organizations and critical infrastructure sectors including Government Facilities, Communications, Critical Manufacturing, and Information Technology (HPH), particularly Healthcare and Public Health.

Hive is one of the quickest evolving ransomware families which was first observed in June 2021 and likely operates as an affiliate-based ransomware, employs a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation. Hive ransomware uses multiple mechanisms to compromise business networks, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol (RDP) to move laterally once on the network. After compromising a victim network, Hive ransomware actors exfiltrate data and encrypt files on the network. The actors leave a ransom note in each affected directory within a victim’s system, which provides instructions on how to purchase the decryption software. The ransom note also threatens to leak exfiltrated victim data on the Tor site, “HiveLeaks.”

The latest variant introduced by this ransomware is written in Rust language as opposed to the previous variants, which were written in GoLang or Go. 

The new variation employs a unique collection of algorithms, including Elliptic Curve Diffie-Hellmann (ECDH) with Curve25519 and XChaCha20-Poly1305″ (authenticated encryption with ChaCha20 symmetric cipher)

The latest Hive version, which was discovered in June 2022, approaches file encryption in a distinctive manner. It produces two sets of keys in memory, uses them to encrypt files, and then encrypts and writes the sets to the root of the drive it encrypts, with a .key extension.

The alert points out that the technique of the initial intrusion depends on which affiliate targets the network. The threat actors were observed gaining initial access to victim networks by using single-factor logins via Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote network connection protocols. In some attacks the group was able to bypass multifactor authentication (MFA) and gained access to FortiOS servers by exploiting the CVE-2020-12812 vulnerability.

In the latest alert, it was emphasized that the initial intrusion method would vary depending on which affiliate targets the network.. Single-factor logins using Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote network connection protocols were used by the threat actors to acquire early access to target networks.

Also, the group was able to circumvent multifactor authentication (MFA) and get access to FortiOS servers in certain attacks by exploiting the CVE-2020-12812 vulnerability.

The threat actors also gained initial access to victim networks via phishing attacks delivering weaponized documents and by exploiting the following flaws in Microsoft Exchange servers:

• CVE-2021-31207 – Microsoft Exchange Server Security Feature Bypass Vulnerability
• CVE-2021-34473 – Microsoft Exchange Server Remote Code Execution Vulnerability
• CVE-2021-34523 – Microsoft Exchange Server Privilege Escalation Vulnerability

The objective of the alert is to assist defenders in spotting malicious activity connected to Hive affiliates and lessening or eliminating the effects of such incidents.

Specialists also warn about the possibility of Hive operators reinfecting the victim’s networks with Hive or another ransomware strain.

Impact

• Unauthorized Access 
• Data Exfiltration 
• File Encryption

Indicators of Compromise

IP

• 89.147.109.208
• 5.61.37.207
• 5.199.162.229
• 46.166.161.123
• 46.166.162.125
• 83.97.20.81
• 84.32.188.57
• 93.115.25.139
• 93.115.27.148
• 185.8.105.67
• 185.8.105.112
• 186.111.136.37
• 84.32.188.238
• 185.8.105.67
• 185.8.105.112
• 192.53.123.202

MD5

• 257cd3ef7ac49a4b7942f7b61ca10b6c
• 524065ad3f33adcf7784f997d1089af4

SHA-256

• 585900f8de74f4be48011f47c91373a7a4bb97bfc2324144b61e4f4fa8ef4aa5
• fc28a355483acd3c0e81891822e81e9989d45b4d9bc8a33096d92c3a227b92de

SHA-1

• a0043163d33e25ba2a62c5061fd641c44807b492
• 754e4389ce52c20629154313a8f19251b05f7e75

Remediation

• Search for IOCs in your environment. 
• Block all threat indicators at your respective controls.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
• Emails from unknown senders should always be treated with caution.
• Never trust or open ” links and attachments received from unknown sources/senders