Hive ransomware operators had extorted about $100 million in ransom payments from over 1,300 companies worldwide as of November 2022, according to the cybersecurity and intelligence authorities.
“Hive actors have been known to reinfect—with either Hive ransomware or another ransomware variant—the networks of victim organizations who have restored their network without making a ransom payment.”
The threat actors targeted a wide range of organizations and critical infrastructure sectors, including Government Facilities, Communications, Critical Manufacturing, and Information Technology, and particularly Healthcare and Public Health (HPH).
Hive, first observed in June 2021, is one of the fastest-evolving ransomware families. It likely operates as an affiliate-based ransomware and employs a wide variety of tactics, techniques, and procedures (TTPs), which creates significant challenges for defense and mitigation. Hive uses multiple mechanisms to compromise business networks, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol (RDP) to move laterally once on the network. After compromising a victim network, Hive actors exfiltrate data and encrypt files on the network. They leave a ransom note in each affected directory on the victim’s system with instructions on how to purchase the decryption software; the note also threatens to leak the exfiltrated victim data on the group’s Tor site, “HiveLeaks.”
The latest variant of this ransomware is written in Rust, whereas the previous variants were written in Go (Golang).
The new variant uses a different set of algorithms: Elliptic Curve Diffie-Hellman (ECDH) with Curve25519 for key exchange, and XChaCha20-Poly1305 (authenticated encryption built on the ChaCha20 symmetric cipher) for encryption.
The latest Hive version, discovered in June 2022, handles file encryption differently from its predecessors. It generates two sets of keys in memory, uses them to encrypt files, and then encrypts the key sets themselves and writes them to the root of the drive being encrypted, with a .key extension.
The alert points out that the initial intrusion method depends on which affiliate targets the network. The threat actors were observed gaining initial access to victim networks through single-factor logins via Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote network connection protocols. In some attacks the group bypassed multifactor authentication (MFA) and gained access to FortiOS servers by exploiting the CVE-2020-12812 vulnerability.
The threat actors also gained initial access to victim networks via phishing attacks delivering weaponized documents and by exploiting the following flaws in Microsoft Exchange servers:
Hive actors most likely use Rclone and the cloud storage service Mega.nz to exfiltrate data [T1537]. Hive ransomware has known versions targeting Linux, VMware ESXi, and FreeBSD in addition to its capabilities against Microsoft Windows.
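As an added example, not part of the original article or of the advisory it reports on, the following Python script shows how a defender might triage two of the artifacts described above: the encrypted key sets that the June 2022 variant writes to the root of an encrypted drive with a .key extension, and Rclone process activity that points at a Mega remote. Every file path and process event is constructed sample data; the .key file names, the rclone binary locations, and the remote name `mega` are assumptions, not indicators taken from the alert.

```python
"""Triage helpers for two Hive artifacts described in the alert.

1. The encrypted key sets that the June 2022 variant writes to the root of
   each encrypted drive with a .key extension.
2. Data exfiltration with Rclone to the Mega.nz cloud storage service.

All inputs below are constructed sample data, not real telemetry.
"""
import re
from pathlib import PurePosixPath, PureWindowsPath

# Constructed file listing (file names are invented placeholders).
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\notes.key",  # .key, but not at a drive root
    r"C:\7f3a9c1e.key",                      # .key directly under C:\
    r"D:\Shares\backup.key",
    r"D:\4b2d0e77.key",                      # .key directly under D:\
    "/vmfs/volumes/datastore1/vm.vmdk",
    "/9c01aa52.key",                         # .key at the filesystem root
]

# Constructed process-creation events (image path plus command line).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe",
     "cmd": "svchost.exe -k netsvcs"},
    {"image": r"C:\ProgramData\rclone\rclone.exe",
     "cmd": r'rclone.exe copy "D:\Finance" mega:backup --transfers 8'},
    {"image": r"C:\Tools\rclone.exe",
     "cmd": "rclone.exe config create mega mega"},
    {"image": r"C:\Program Files\7-Zip\7z.exe",
     "cmd": "7z.exe a archive.7z docs"},
]

# rclone subcommands that move data towards a remote.
RCLONE_TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}


def _as_path(path):
    """Pick the pure path flavour that matches the listing, so the same
    logic works for Windows drives and for Linux/ESXi/FreeBSD paths."""
    return PurePosixPath(path) if path.startswith("/") else PureWindowsPath(path)


def key_files_at_drive_root(paths):
    """Return every path that ends in .key and sits directly under a drive
    (or filesystem) root, which is where the alert says Hive writes its
    encrypted key sets. A .key file anywhere else is ignored."""
    hits = []
    for raw in paths:
        p = _as_path(raw)
        if p.suffix.lower() == ".key" and p.parent == type(p)(p.anchor):
            hits.append(raw)
    return hits


def rclone_cloud_exfil(events):
    """Flag rclone executions and record why each one was flagged.

    Two signals are combined: a transfer subcommand (copy/sync/move ...) and
    any reference to a 'mega' remote. Remote names are user-chosen, so the
    keyword match is only a heuristic; the subcommand is the stronger signal.
    """
    alerts = []
    for ev in events:
        exe = _as_path(ev["image"]).name.lower()
        if exe not in ("rclone.exe", "rclone"):
            continue
        tokens = ev["cmd"].split()
        reasons = []
        if len(tokens) > 1 and tokens[1].lower() in RCLONE_TRANSFER_VERBS:
            reasons.append("transfer verb")
        if re.search(r"\bmega\b", ev["cmd"], re.IGNORECASE):
            reasons.append("mega remote")
        if reasons:
            alerts.append({"image": ev["image"], "cmd": ev["cmd"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for path in key_files_at_drive_root(SAMPLE_FILES):
        print("key set at drive root:", path)
    for alert in rclone_cloud_exfil(SAMPLE_EVENTS):
        print("rclone activity:", alert["cmd"], "->", ", ".join(alert["reasons"]))
```

On a real host the file list would come from a forensic export and the events from process-creation telemetry; the two checks are kept separate because a .key file at a drive root indicates encryption has already run, while rclone activity is a chance to catch the exfiltration stage beforehand.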
The objective of the alert is to help defenders spot malicious activity connected to Hive affiliates and to reduce or eliminate the impact of such incidents. Specialists also warn that Hive operators may reinfect a victim’s network with Hive or another ransomware strain.