hive-threat-ransomware

Analysis

On 17th November 2022, the Cybersecurity and Infrastructure Security Agency (CISA) published a blog on the Hive ransomware group, which has targeted more than 1,300 companies and obtained approximately 100 million USD from its victims since June 2021.

The threat group gains initial access through three methods: phishing, exploiting public-facing applications, and external remote services. After gaining initial access, the actors execute a script to stop the Volume Shadow Copy service and then delete the Windows System, Security and Application event logs. After removing the logs, they disable antivirus by modifying the registry and terminate certain processes to facilitate file encryption.

Finally, the threat group exfiltrates victim data by transferring it to a cloud account; after the exfiltration, the actor drops a ransom note and encrypts the files.

Prevention

  • Use antivirus or EDR on all endpoints.
  • Take regular backups of end devices to reduce the impact of any ransomware attack.
  • Patch vulnerabilities in the software and hardware in the infrastructure regularly.

Detection

Create rules in the SIEM (Security Information and Event Management) tool based on known indicators of ransomware, such as the logged processes listed under the IOCs below, to detect ransomware activity.

MITRE ATT&CK® Techniques

Technique ID   Technique Name
T1133          External Remote Services
T1190          Exploit Public-Facing Application
T1566.001      Phishing
T1059          Command and Scripting Interpreter
T1070          Indicator Removal on Host
T1112          Modify Registry
T1562          Impair Defenses
T1537          Transfer Data to Cloud Account
T1486          Data Encrypted for Impact
T1490          Impair Defenses: Disable or Modify Tools

Indicators of Compromise (IOCs)

Files
  • HOW_TO_DECRYPT.txt - typically in directories with encrypted files
  • *.key - typically in the root directory, i.e., C:\ or /root
  • hive.bat
  • shadow.bat
  • asq.r77vh0[.]pw - server hosted malicious HTA file
  • asq.d6shiiwz[.]pw - server referenced in malicious regsvr32 execution
  • asq.swhw71un[.]pw - server hosted malicious HTA file
  • asd.s7610rir[.]pw - server hosted malicious HTA file
  • Windows_x64_encrypt.dll
  • Windows_x64_encrypt.exe
  • Windows_x32_encrypt.dll
  • Windows_x32_encrypt.exe
  • Linux_encrypt
  • Esxi_encrypt

Events
  • System, Security and Application Windows event logs wiped
  • Microsoft Windows Defender AntiSpyware Protection disabled
  • Microsoft Windows Defender AntiVirus Protection disabled
  • Volume shadow copies deleted
  • Normal boot process prevented

Logged Processes
  • wevtutil.exe cl system
  • wevtutil.exe cl security
  • wevtutil.exe cl application
  • vssadmin.exe delete shadows /all /quiet
  • wmic.exe SHADOWCOPY /nointeractive
  • wmic.exe shadowcopy delete
  • bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  • bcdedit.exe /set {default} recoveryenabled no
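As an added example (not code from CISA or from this page), the following Python matches the logged processes above against constructed process-creation log lines and escalates when a single host shows more than one of the listed effects, which is the pre-encryption chain described in the Analysis section. The `host|user|cmdline` log format and the sample lines are assumptions made for the example.

```python
import re

# Command-line patterns derived from the "Logged Processes" list above, each
# mapped to the observable effect listed under "Events".
HIVE_PROCESS_PATTERNS = [
    (r"\bwevtutil(?:\.exe)?\s+cl\s+(?:system|security|application)\b",
     "Windows event log wiped"),
    (r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b",
     "Volume shadow copies deleted"),
    (r"\bwmic(?:\.exe)?\s+shadowcopy\s+(?:delete|/nointeractive)\b",
     "Volume shadow copies deleted"),
    (r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+"
     r"(?:bootstatuspolicy\s+ignoreallfailures|recoveryenabled\s+no)\b",
     "Normal boot process prevented"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), e) for p, e in HIVE_PROCESS_PATTERNS]

# Constructed sample log (assumed format: host|user|command line).
SAMPLE_LOG = [
    "WS01|CORP\\jdoe|C:\\Windows\\System32\\wevtutil.exe cl system",
    "WS01|CORP\\jdoe|C:\\Windows\\System32\\wevtutil.exe cl security",
    "WS01|CORP\\jdoe|vssadmin.exe delete shadows /all /quiet",
    "WS01|CORP\\jdoe|bcdedit.exe /set {default} recoveryenabled no",
    "WS02|CORP\\svc_backup|vssadmin.exe list shadows",   # benign admin use
    "WS03|CORP\\alice|notepad.exe C:\\Users\\alice\\notes.txt",
]

def match_command_line(cmdline):
    """Return the effect for a matching command line, or None if benign."""
    for rx, effect in COMPILED:
        if rx.search(cmdline):
            return effect
    return None

def scan_log(lines):
    """Parse 'host|user|cmdline' lines and return one alert dict per hit."""
    alerts = []
    for line in lines:
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue  # malformed line: skip rather than crash the detector
        host, user, cmdline = (p.strip() for p in parts)
        effect = match_command_line(cmdline)
        if effect:
            alerts.append({"host": host, "user": user,
                           "cmdline": cmdline, "effect": effect})
    return alerts

def sequence_hits(alerts, min_effects=2):
    """Hosts with at least min_effects distinct effects: log wiping plus
    shadow-copy or boot-recovery tampering is the chain seen before encryption."""
    per_host = {}
    for a in alerts:
        per_host.setdefault(a["host"], set()).add(a["effect"])
    return {h: sorted(e) for h, e in per_host.items() if len(e) >= min_effects}

if __name__ == "__main__":
    for host, effects in sequence_hits(scan_log(SAMPLE_LOG)).items():
        print(f"ESCALATE {host}: {', '.join(effects)}")
```

Single matches still deserve an alert; the escalation tier exists because a lone `vssadmin` call can be legitimate administration, while two distinct effects on one host in a short window rarely are.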

IP Addresses used for Compromise or Exfil:


References

CISA.gov