Uptick in Hive Ransomware Activity Spotted
The Federal Bureau of Investigation has issued a warning about Hive ransomware after the group took down IT systems at Memorial Health System last week (see Memorial Health System in Ohio Latest to Be Hit With Attack).
See Also: Top 50 Security Threats
The alert details indicators of compromise, tactics, techniques, and procedures (TTPs) associated with ransomware attacks by a supposed Ransomware-as-a-Service organization consisting of various actors using multiple mechanisms to compromise business networks, exfiltrate data and encrypt data on the networks, and attempt to collect a ransom in exchange for access to the decryption software.
Hive, which operates as an affiliate-based ransomware operation “uses multiple mechanisms to compromise business networks, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol (RDP) to move laterally once on the network,” the alert states.
“After compromising a victim network, Hive ransomware actors exfiltrate data and encrypt files on the network. The actors leave a ransom note in each affected directory within a victim’s system, which provides instructions on how to purchase the decryption software. The ransom note also threatens to leak exfiltrated victim data on the Tor site, HiveLeaks,” the alert notes.
Upon successful file encryption, the files are saved using a .hive extension. The Hive operators then drop a hive.bat script into the directory, which enforces an execution timeout delay of one second to perform clean-up after the encryption is finished by deleting the Hive executable and the hive.bat script, the alert notes.
“A second file, shadow.bat, is dropped into the directory to delete shadow copies, including disc backup copies or snapshots, without notifying the victim and then deletes the shadow.bat file. During the encryption process, encrypted files are renamed with the double final extension of *.key.hive or *.key.*,” the alert notes.
Later, a ransom note, ““HOW_TO_DECRYPT.txt” is dropped into the affected directory and states the *key.* file cannot be modified, renamed, or deleted, otherwise the encrypted files cannot be recovered.
“The note contains a “sales department” link, accessible through a TOR browser, enabling victims to contact the actors through live chat. Some victims reported receiving phone calls from Hive actors requesting payment for their files,” the agency notes.
The alert states that the initial deadline for payment fluctuates between 2 to 6 days, but it varies.
The Rise of Hive
The emergence of Hive was first reported on June 26 by the self-described South Korea-based “ransomware hunter” behind the @fbgwls245 Twitter account, who spotted the malicious executable after it was uploaded to the VirusTotal malware-scanning service the prior day.
— dnwls0719 (@fbgwls245) June 26, 2021
Security firm McAfee says that based on its telemetry, the regions so far most hit by Hive affiliates are Belgium and Italy, followed by India, Spain and the United States.
One apparent victim of Hive is the Memorial Health System in Ohio, Bleeping Computer reported earlier this week, based on “evidence” it says it has seen. (Also see: Ransomware: LockBit 2.0 Borrows Ryuk and Egregor’s Tricks)
Written in the Go language, operators behind Hive have been seen targeting both 32-bit and 64-bit versions of Windows.
“After compiling the samples, a packer – UPX – is used to obscure the code and make generic detection based on strings more difficult,” McAfee says. “File sizes for Go language binaries can be very large; using UPX will make the file-size smaller.”
Roger Grimes, data driven defense evangelist at KnowBe4, says he is happy anytime an organization publishes more details on any malicious compromise event or gang.
“I’d give them kudos for all the great information they are sharing. Really, the only ding I would give them is in their recommended mitigations. None of them include end user training to fight social engineering. Social engineering is the number one way that ransomware, and all hackers and malware compromise environments,” Grimes states.
Rosa Smothers, former CIA cyber threat analyst and technical intelligence officer, concurs saying it is an unfortunate but typical case of poor security awareness training and security culture.
“It isn’t necessarily the operating system – because there will always be vulnerabilities – but the lack of malware prevention, due to a lack of training for users on how to spot phishing links and not to open unvetted attachments;” Smothers is also SVP at KnowBe4.
The alert recommends backing-up of critical data offline, ensuring copies of critical data are in the cloud or on an external hard drive or storage device, with use of two-factor authentication and strong passwords, including for remote access services.
Other recommendation include monitoring cyber threat reporting regarding the publication of compromised VPN login; credentials and change passwords/settings if applicable; keeping computers, devices, and applications patched and up-to-date and installing and regularly updating anti-virus or anti-malware software on all hosts.
RagnarLocker Quits, Releases Decryptor
In a separate ransomware development another massive ransomware gang, Ragnarok, appears to have called it quits, as it has released the master key that can decrypt files that it has encrypted. Security firm Emsisoft on Friday confirmed that the gang has released its master key.
— Emsisoft (@emsisoft) August 26, 2021
RagnarLocker, which is also known as Ragnarok, has been active since December 2019. It’s known to target Microsoft Windows devices by using stolen credentials to target vulnerable Remote Desktop Protocol connections. The attacks also use malicious versions of Cobalt Strike (see: RagnarLocker Deploys a Virtual Machine to Hide Ransomware)
RagnarLocker has been linked to other high-profile security incidents over the last several months, including attacks targeting Energias de Portugal, or EDP, an energy company; Campari, an Italian liquor company; and Capcom, a Japanese gaming firm (see: Gaming Company Confirms RagnarLocker Ransomware Attack).
RagnarLocker is one of several ransomware variants used to not only encrypt files of victims but also to exfiltrate data. Once this information is stolen, cybercriminals threaten to release the information as a way to make victims pay a ransom. Earlier his month, the RagnarLocker gang hacked into a Facebook account and posted an advert about the Campari attack to pressure that company into paying (see: Ransomware Gang Devises Innovative Extortion Tactic).