Analysis
On 17th November 2022, Cybersecurity and Infrastructure Security Agency (CISA) published a blog on the Hive threat ransomware group targeting more than 1300 companies that acquired 100 million USD approximately from its victims since June 2021.
The threat group gains initial access through three methods by phishing, exploiting public-facing applications, and external remote services. After gaining initial access they execute a script to stop the volume shadow copy services, then the threat actors start to delete the windows event, system, security and application logs. After removal of logs they start to disable antivirus by modifying the registry and terminates certain processes to facilitate file encryption.
Finally, the threat group performs exfiltration of victim data by transferring it to a cloud account, after the exfiltration the actor deploys a ransom note and encrypts the files.
Prevention
- Use Antivirus or EDR in all endpoints.
- Take regular backups of end devices to reduce the impact of any kind of ransomware attacks.
- Patch the vulnerabilities regularly associated with the Software and Hardware in the infrastructure.
Detection
Create rules based on known indicators of ransomware in the SIEM (Security incident event management) tool for the detection of ransomware.
MITRE ATT&CK® Techniques
| Technique ID | Technique Name |
| T1133 | External Remote Services |
| T1190 | Exploit Public-Facing Application |
| T1566.001 | Phishing |
| T1059 | Command and Scripting Interpreter |
| T1070 | Indicator Removal on Host |
| T1112 | Modify Registry |
| T1562 | Impair Defences |
| T1537 | Transfer Data to Cloud Account |
| T1486 | Data Encrypted for Impact |
| T1490 | Impair Defenses: Disable or Modify Tools |
Indicators of Compromise (IOCs)
| Files |
| HOW_TO_DECRYPT.txt typically in directories with encrypted files |
| *.key typically in the root directory, i.e., C:\ or /root |
| hive.bat |
| shadow.bat |
| asq.r77vh0[.]pw - Server hosted malicious HTA file |
| asq.d6shiiwz[.]pw - Server referenced in malicious regsvr32 execution |
| asq.swhw71un[.]pw - Server hosted malicious HTA file |
| asd.s7610rir[.]pw - Server hosted malicious HTA file |
| Windows_x64_encrypt.dll |
| Windows_x64_encrypt.exe |
| Windows_x32_encrypt.dll |
| Windows_x32_encrypt.exe |
| Linux_encrypt |
| Esxi_encrypt |
| Events |
| System, Security and Application Windows event logs wiped |
| Microsoft Windows Defender AntiSpyware Protection disabled |
| Microsoft Windows Defender AntiVirus Protection disabled |
| Volume shadow copies deleted |
| Normal boot process prevented |
| Logged Processes |
| wevtutil.exe cl system |
| wevtutil.exe cl security |
| wevtutil.exe cl application |
| vssadmin.exe delete shadows /all /quiet |
| wmic.exe SHADOWCOPY /nointeractive |
| wmic.exe shadowcopy delete |
| bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures |
| bcdedit.exe /set {default} recoveryenabled no |
IP Addresses used for Compromise or Exfil:
| 84.32.188[.]57 | 84.32.188[.]238 |
| 93.115.26[.]251 | 185.8.105[.]67 |
| 181.231.81[.]239 | 185.8.105[.]112 |
| 186.111.136[.]37 | 192.53.123[.]202 |
| 158.69.36[.]149 | 46.166.161[.]123 |
| 108.62.118[.]190 | 46.166.161[.]93 |
| 185.247.71[.]106 | 46.166.162[.]125 |
| 5.61.37[.]207 | 46.166.162[.]96 |
| 185.8.105[.]103 | 46.166.169[.]34 |
| 5.199.162[.]220 | 93.115.25[.]139 |
| 5.199.162[.]229 | 93.115.27[.]148 |
| 89.147.109[.]208 | 83.97.20[.]81 |
| 5.61.37[.]207 | 5.199.162[.]220 |
| 5.199.162[.]229; | 46.166.161[.]93 |
| 46.166.161[.]123; | 46.166.162[.]96 |
| 46.166.162[.]125 | 46.166.169[.]34 |
| 83.97.20[.]81 | 84.32.188[.]238 |
| 84.32.188[.]57 | 89.147.109[.]208 |
| 93.115.25[.]139; | 93.115.26[.]251 |
| 93.115.27[.]148 | 108.62.118[.]190 |
| 158.69.36[.]149/span> | 181.231.81[.]239 |
| 185.8.105[.]67 | 185.8.105[.]103 |
| 185.8.105[.]112 | 185.247.71[.]106 |
| 186.111.136[.]37 | 192.53.123[.]202 |
References
CISA.gov
