Rewterz Threat Alert – Hive Ransomware Received Approximately US$100 Million In Ransom Payments – Active IOCs

Severity

High

Analysis Summary

Hive ransomware operators have successfully extorted $100 million in ransom payments from over 1,300 companies across the world, as of November 2022, reported the cybersecurity and intelligence authorities.

“Hive actors have been known to reinfect—with either Hive ransomware or another ransomware variant—the networks of victim organizations who have restored their network without making a ransom payment.”

Threat actors targeted a wide range of organizations and critical infrastructure sectors including Government Facilities, Communications, Critical Manufacturing, and Information Technology (HPH), particularly Healthcare and Public Health.

Hive is one of the quickest evolving ransomware families which was first observed in June 2021 and likely operates as an affiliate-based ransomware, employs a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation. Hive ransomware uses multiple mechanisms to compromise business networks, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol (RDP) to move laterally once on the network. After compromising a victim network, Hive ransomware actors exfiltrate data and encrypt files on the network. The actors leave a ransom note in each affected directory within a victim’s system, which provides instructions on how to purchase the decryption software. The ransom note also threatens to leak exfiltrated victim data on the Tor site, “HiveLeaks.”

The latest variant introduced by this ransomware is written in Rust language as opposed to the previous variants, which were written in GoLang or Go. 

The new variation employs a unique collection of algorithms, including Elliptic Curve Diffie-Hellmann (ECDH) with Curve25519 and XChaCha20-Poly1305″ (authenticated encryption with ChaCha20 symmetric cipher)

The latest Hive version, which was discovered in June 2022, approaches file encryption in a distinctive manner. It produces two sets of keys in memory, uses them to encrypt files, and then encrypts and writes the sets to the root of the drive it encrypts, with a .key extension.

The alert points out that the technique of the initial intrusion depends on which affiliate targets the network. The threat actors were observed gaining initial access to victim networks by using single-factor logins via Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote network connection protocols. In some attacks the group was able to bypass multifactor authentication (MFA) and gained access to FortiOS servers by exploiting the CVE-2020-12812 vulnerability.

In the latest alert, it was emphasized that the initial intrusion method would vary depending on which affiliate targets the network.. Single-factor logins using Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote network connection protocols were used by the threat actors to acquire early access to target networks.

Also, the group was able to circumvent multifactor authentication (MFA) and get access to FortiOS servers in certain attacks by exploiting the CVE-2020-12812 vulnerability.

The threat actors also gained initial access to victim networks via phishing attacks delivering weaponized documents and by exploiting the following flaws in Microsoft Exchange servers:

• CVE-2021-31207 – Microsoft Exchange Server Security Feature Bypass Vulnerability
• CVE-2021-34473 – Microsoft Exchange Server Remote Code Execution Vulnerability
• CVE-2021-34523 – Microsoft Exchange Server Privilege Escalation Vulnerability

Hive actors most likely use Rclone and the cloud storage service Mega.nz to exfiltrate data [T1537]. Hive ransomware has known versions targeting Linux, VMware ESXi, and FreeBSD in addition to its capabilities against Microsoft Windows.

The objective of the alert is to assist defenders in spotting malicious activity connected to Hive affiliates and lessening or eliminating the effects of such incidents. Specialists also warn about the possibility of Hive operators reinfecting the victim’s networks with Hive or another ransomware strain.

Impact

• Unauthorized Access 
• Data Exfiltration 
• File Encryption

Indicators of Compromise

Domain Name

asq.r77vh0.pw
asq.d6shiiwz.pw
asq.swhw71un.pw
asd.s7610rir.pw

IP

83.97.20.81
5.199.162.220
46.166.161.93
46.166.162.96
46.166.169.34
84.32.188.238

MD5

9a62501aeac857da85df49f2ea7a48dc
d933f1d83fafee204a0414734b4f7cfb

SHA-256

a2ad0442cebe3e6abb86069a3b66b471b4a7c9d00286da4b8114d17a849128d6
a4878bb4655f21dd34b5a8a853ebea6b9cca292190c6ca180b4afe44077002ab

SHA-1

ba733d097feb7f9a20b84c6f029a742ea49eeb1a
2005a16d717f4b6a52c54e59b9a7bf7db387e5c2

Remediation

• Search for IOCs in your environment. 
• Block all threat indicators at your respective controls.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
• Emails from unknown senders should always be treated with caution.
• Never trust or open ” links and attachments received from unknown sources/senders