Hive is a strain of ransomware that was first discovered in June 2021. Hive was designed to be used by Ransomware-as-a-service providers, to enable novice cyber-criminals to launch ransomware attacks on healthcare providers, energy providers, charities, and retailers across the globe.
In addition to using social engineering techniques, such as phishing, to deliver the payload, Hive uses a number of other advanced techniques to exploit vulnerabilities on public-facing systems, and to obtain leaked VPN credentials.
Hive uses the “double-extortion” technique: it exfiltrates copies of the victim’s data and then threatens to publish that data on a Tor website called HiveLeaks unless the ransom is paid.
Following a forensic investigation of Hive, it was discovered that it was able to encrypt the victim’s data in less than 72 hours after the initial infection.
The Main Components of a Hive Ransomware Attack
Hive ransomware attacks typically involve 6 key stages, which are as follows:
Stage 1: Identify ProxyShell vulnerabilities
Hive will first attempt to scan for and exploit ProxyShell – the name given to a collection of Remote Code Execution (RCE) vulnerabilities in Microsoft Exchange Server. Exploiting ProxyShell enables attackers to bypass authentication and execute code as a privileged user.
Stage 2: Install Webshell
If successful, the ransomware operators install a script, known as a webshell, in a publicly accessible directory on the Exchange server. This script essentially creates a backdoor and enables PowerShell code to be executed on the compromised server with system-level privileges.
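The defensive counterpart to this stage is file-integrity monitoring of the web-exposed directories: a script file that appears or changes without a corresponding deployment is exactly what should be reviewed. The following is an added example, not code from the original article; it assumes a known-good manifest (relative path to SHA-256) was recorded while the server was in a trusted state, and the directory layout, file names and script extensions in the demo are constructed for illustration.

```python
"""Baseline-diff check for web-accessible directories (added example).
A manifest of path -> SHA-256 taken from a trusted state is compared with the
current tree; script files that are new or modified are reported for review."""
import hashlib
import tempfile
from pathlib import Path

# Extensions the web server would execute if dropped into an exposed directory
# (assumption: ASP.NET handler types, chosen for illustration).
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asax"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large assets do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record the hash of every file under root, keyed by POSIX-style relative path."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def find_unexpected_scripts(root: Path, baseline: dict) -> dict:
    """Return script files that were added or modified since the baseline.
    Non-script files (images, static assets) are ignored to keep the signal
    focused on content the server would execute."""
    current = build_manifest(root)
    findings = {}
    for rel, digest in current.items():
        if Path(rel).suffix.lower() not in SCRIPT_EXTENSIONS:
            continue
        if rel not in baseline:
            findings[rel] = "new"
        elif baseline[rel] != digest:
            findings[rel] = "modified"
    return findings


def demo() -> dict:
    """Constructed scenario: build a clean tree, take a baseline, then drop a
    new script, tamper with a legitimate page and touch a non-script file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wwwroot"
        app = root / "app"
        app.mkdir(parents=True)
        (app / "page.aspx").write_text("<%-- legitimate page --%>")
        (app / "logo.png").write_bytes(b"\x89PNG")
        baseline = build_manifest(root)

        # Post-baseline changes (constructed for the example)
        (app / "dropped.aspx").write_text("<%-- unexpected script --%>")
        (app / "page.aspx").write_text("<%-- altered page --%>")
        (app / "logo.png").write_bytes(b"\x89PNG\x00")  # non-script change, not reported
        return find_unexpected_scripts(root, baseline)


if __name__ == "__main__":
    for rel, status in sorted(demo().items()):
        print(f"{status:8s} {rel}")
```

In practice the baseline would be regenerated as part of each sanctioned deployment and stored off-host, so that an attacker with write access to the web directory cannot also rewrite the manifest.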
Stage 3: Use Cobalt Strike to scope out the network
The webshell establishes a communication channel between the compromised server and the attacker’s Command & Control (C&C) server. Over this channel, the attacker then uses a penetration testing framework called Cobalt Strike, which provides a number of additional tools to help them conduct reconnaissance activities.
Stage 4: Use Mimikatz and Pass-The-Hash to extract credentials
Since the attacker now has system-level privileges, they are able to create a new system administrator account. With the help of Mimikatz and Pass-The-Hash, they then extract the Domain Administrator NTLM hash from memory and take control of the Domain Administrator account. From there, the attacker can do pretty much anything they want.
Stage 5: Scan all systems for critical assets
Once the attacker has compromised as many accounts as possible, they will then perform a search for all critical assets, including IP addresses, device names, backups, and other types of sensitive information.
Stage 6: Deploy the Ransomware program
A ransomware script called Windows.exe is delivered and executed on as many devices as possible. Depending on how many vulnerabilities the attacker was able to exploit, or accounts they were able to compromise, the attack spreads laterally throughout the network, making those accounts and data inaccessible to the target organization. The victim is then presented with a plain-text ransom note providing instructions on how to pay the ransom.
Tips for Preventing a Hive Ransomware Attack
- Ensure that Exchange Server has the latest patches installed.
- Enforce the use of strong passwords, consider rotating passwords periodically, and use MFA where possible.
- Enforce the “least privilege” access model to ensure that users are granted only the privileges they need to perform their role. This includes revoking local admin permissions for domain accounts.
- Ensure that any inactive user accounts are identified and managed accordingly.
- Block SMBv1 usage and use SMB signing to prevent pass-the-hash attacks.
- Monitor access to privileged accounts and critical assets.
- Educate employees about data security best practices, to ensure that they are vigilant when it comes to identifying and reporting suspicious emails.
- Use a real-time auditing solution that can automatically detect and respond to events that match a pre-defined threshold condition, such as a given number of files being copied or encrypted within a given time-frame. If the threshold condition is met, a custom script is executed, which may disable accounts, stop specific processes, change the firewall settings, shut down the infected device/server, and so on.
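The last tip describes a concrete detection algorithm: count encrypt-like file events per account in a sliding time window and fire a response when the count crosses a threshold. This added example (not code from the original article) implements that logic over constructed file-audit lines; the log format, the threshold of 5 events in 10 seconds, the rename-to-unknown-extension heuristic and the response actions are all assumptions made for the example. It also shows the two cases a threshold rule must get right: activity spread thinly over time must not accumulate, and a single account must trigger the response only once.

```python
"""Sliding-window threshold detection over file-audit events (added example).
Each line: "<ISO timestamp> <user> <action> <old path> <new path>" (constructed
format). A rename that changes a file to an extension not in the known set is
treated as encrypt-like; THRESHOLD such events from one user inside WINDOW
triggers a one-time response for that user."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath

THRESHOLD = 5                      # events in the window that trigger a response (assumption)
WINDOW = timedelta(seconds=10)     # sliding window length (assumption)
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg"}

# Constructed sample audit log: one benign user, one burst, one slow trickle.
SAMPLE_LOG = """\
2021-06-01T09:00:00 jdoe RENAME share/report.docx share/report_final.docx
2021-06-01T09:00:05 jdoe RENAME share/notes.txt share/notes.txt.bak
2021-06-01T09:01:00 svc_print RENAME share/q1.xlsx share/q1.xlsx.locked
2021-06-01T09:01:01 svc_print RENAME share/q2.xlsx share/q2.xlsx.locked
2021-06-01T09:01:02 svc_print RENAME share/q3.pdf share/q3.pdf.locked
2021-06-01T09:01:03 svc_print RENAME share/q4.docx share/q4.docx.locked
2021-06-01T09:01:04 svc_print RENAME share/q5.docx share/q5.docx.locked
2021-06-01T09:01:05 svc_print RENAME share/q6.docx share/q6.docx.locked
2021-06-01T09:02:00 mlee RENAME share/a.txt share/a.txt.tmp
2021-06-01T09:02:15 mlee RENAME share/b.txt share/b.txt.tmp
2021-06-01T09:02:30 mlee RENAME share/c.txt share/c.txt.tmp
2021-06-01T09:02:45 mlee RENAME share/d.txt share/d.txt.tmp
2021-06-01T09:03:00 mlee RENAME share/e.txt share/e.txt.tmp
"""


def parse_event(line: str):
    """Split one audit line into its fields; timestamp becomes a datetime."""
    ts, user, action, old, new = line.split()
    return datetime.fromisoformat(ts), user, action, old, new


def looks_like_encryption(action: str, old: str, new: str) -> bool:
    """Heuristic: a rename that swaps a known extension for an unknown one."""
    if action != "RENAME":
        return False
    old_ext = PurePosixPath(old).suffix.lower()
    new_ext = PurePosixPath(new).suffix.lower()
    return new_ext != old_ext and new_ext not in KNOWN_EXTENSIONS


def respond(user: str) -> list:
    """Response plan for the triggering account (placeholder actions; a real
    deployment would invoke the site's own containment script here)."""
    return [f"disable-account:{user}", f"isolate-host-of:{user}"]


def scan(log_text: str) -> list:
    """Run the sliding-window rule over the log and return one alert per
    account that crossed the threshold."""
    windows = defaultdict(deque)   # user -> timestamps of recent encrypt-like events
    responded = set()              # accounts already actioned, to avoid repeats
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, old, new = parse_event(line)
        if not looks_like_encryption(action, old, new):
            continue
        window = windows[user]
        window.append(ts)
        while window and ts - window[0] > WINDOW:   # drop events that aged out
            window.popleft()
        if len(window) >= THRESHOLD and user not in responded:
            responded.add(user)
            alerts.append({
                "user": user,
                "at": ts.isoformat(),
                "count": len(window),
                "actions": respond(user),
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Running it produces a single alert for `svc_print` at the fifth rename; `jdoe`'s one-off `.bak` rename and `mlee`'s five renames spaced 15 seconds apart never accumulate to the threshold, and the sixth `svc_print` event does not raise a second alert. Tuning the window and threshold against real file-server baselines is what keeps such a rule from firing on legitimate bulk operations.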