One of the most prolific ransomware groups to affect healthcare facilities, nonprofits, retailers, energy providers, and other sectors, with a total of more than 1,300 institutions hit by the ransomware group worldwide and a profit of $100 million in ransom payments, Hive Ransomware has been ruling the roost since June 2021. Read on to find out what Securin experts uncovered when they revisited HIVE and their attack tactics and techniques, and what organizations can do to remain safe from future attacks.
Since they burst into the limelight in June 2021 with an attack on Europe’s largest consumer electronics retailer, MediaMarkt, HIVE ransomware has targeted a wide range of businesses – more than 1300 – including government facilities, critical manufacturing, information technology, telecommunications providers and healthcare and public health sectors.
The HIVE ransomware gang’s aggressive activities bumped the group into the big league of the most dangerous ransomware groups, with a daily average of three companies being targeted since June 2021. Within the span of four months between August and November 2021, HIVE ransomware had infiltrated more than 350 organizations worldwide.
In This Blog:
Deconstructing HIVE Ransomware’s Honeycomb
-
HIVE Ransomware Cheat Sheet
Vulnerability Information + infographics
Securin’s Predictive Insights on HIVE vulnerabilities
History of Attacks by HIVE Ransomware
Interesting Trends
Can my Scanners Detect It?
-
HIVE Attack Methodology
MITRE ATT&CK Map
IOCs
What can organizations do to prevent a HIVE Ransomware attack?
Deconstructing HIVE Ransomware’s Honeycomb
Securin cybersecurity analysts first observed HIVE ransomware, an affiliate-based ransomware variant used by cyber attackers, in June 2021. The Hive ransomware-as-a-service operation is built around a team of developers who create and manage the malware, and affiliates who carry out attacks on target networks by purchasing domains from initial access brokers.
The HIVE operators carry out a standard double-extortion ransomware attack on its targets, where cybercriminals steal sensitive files, encrypt systems, and then threaten to publish the victim’s data unless a ransom is paid.
Figure 1: Screenshot of HIVE ransomware’s leak page for their latest attack on CHC in January 2023
HIVE Ransomware Cheat Sheet
Securin experts observed that HIVE ransomware gains access to a network and then spreads laterally through it while continuing to steal unencrypted files. They deploy their ransomware to encrypt all devices when they eventually gain admin access on a Windows domain controller. The HIVE group then seeks out and deletes backups in order to prevent victims from recovering their data.
Here is a detailed analysis of the vulnerabilities exploited by HIVE ransomware in their attacks. Our experts also used Securin’s Vulnerability Intelligence platform for predictive analysis to identify the vulnerabilities and how likely they are to be exploited in future attacks. Securin’s Vulnerability Risk Score (VRS) tries to fill the gaps created by CVSS v2 and v3 scores, by arriving at a consistent scoring methodology which analysts can use directly for faster prioritization.
Let us take a deeper insight into the vulnerabilities associated with Hive:
CVE-2021-31207 - Microsoft Exchange Server Security Feature Bypass Vulnerability - 13 Ransomware / 7 APT - CISA KEV, Trending
This CVE was initially published on May 11, 2021, soon after which, on October 2, 2021, Securin’s Vulnerability Intelligence platform tagged it as extremely critical and assigned it the highest predictive score of 38.46. The DHS CISA added the vulnerability to the Known Exploited Vulnerabilities catalog on November 3, 2021, after it was found to be exploited in the wild. The vulnerability remained in trend, and has been actively trending in the last week or two.
Figure 2: Securin’s VI platform tagged CVE-2021-31207 as extremely critical and assigned it the highest predictive score of 38.46.
CVE-2021-31207 has an initial CVSS v2 score of just 6.50 and is tagged as a medium severity vulnerability, in spite of being in the CISA KEV catalog and having been exploited by 12 ransomware families and eight APT groups. Considering the exploitation impact of this vulnerability, Securin VRS scores it at 9.06, marking it as a critical-severity vulnerability to watch out for.
CVE-2021-34473 - Microsoft Exchange Server Remote Code Execution Vulnerability - 12 Ransomware / 8 APT - CISA KEV, Trending
This CVE was initially published on July 13, 2021, after which, on October 2, 2021, Securin’s Vulnerability Intelligence platform tagged it as extremely critical and assigned it the highest predictive score of 38.46. The DHS CISA added the vulnerability to the Known Exploited Vulnerabilities catalog on November 3, 2021, a month after it was found to be exploited in the wild. The vulnerability remained in trend, and has been actively trending in the last week or two.
Figure 3: Securin’s VI platform tagged CVE-2021-34473 as extremely critical and assigned it the highest predictive score of 38.46
CVE-2021-34473 has an initial CVSS v2 score of 10.0 but its criticality is brought down slightly to 9.80 in the CVSS v3 score. The vulnerability has been exploited by 12 ransomware families and eight APT groups, as a result of which, the exploitation impact of the vulnerability garners it a VRS score of 9.96.
CVE-2021-34523 - Microsoft Exchange Server Privilege Escalation Vulnerability - 12 Ransomware / 8 APT - CISA KEV, Trending
This CVE was initially published on July 13, 2021, after which Securin’s Vulnerability Intelligence platform tagged it as extremely critical and assigned it the highest predictive score of 38.46 on July 19, 2021. The DHS CISA added the vulnerability to the Known Exploited Vulnerabilities catalog on November 3, 2021, a little under a month after it was found to be exploited in the wild. The vulnerability has been trending actively ever since.
Fig 4: Securin’s VI platform tagged CVE-2021-34523 as extremely critical and assigned it the highest predictive score of 38.46
CVE-2021-34523 has an initial CVSS v2 score of just 7.50, tagging it as a medium-severity vulnerability, and subsequently the CVSS v3 score was increased to 9.80 post exploitation. This vulnerability too has been exploited by 12 ransomware families and eight APT groups, thereby garnering a VRS score of 9.96, emphasizing the criticality of the vulnerability.
CVE-2021-42321 - Microsoft Exchange Server Remote Code Execution Vulnerability - 1 Ransomware / 1 APT - CISA KEV, Trending
This CVE was initially published on November 9, 2021. The first exploits were found on November 17, following which, the DHS CISA added the vulnerability to the KEV catalog. Securin’s Vulnerability Intelligence platform tagged it as extremely critical and assigned it the highest predictive score of 38.46 on November 30, 2021.
Fig 5: Securin’s VI platform tagged CVE-2021-42321 as extremely critical and assigned it the highest predictive score of 38.46
CVE-2021-42321 had an initial CVSS v2 score of a meager 6.50, marking it as a medium-severity vulnerability. Since the vulnerability has been chained with the ProxyShell vulnerabilities, the vulnerability has a high exploitation impact, resulting in the Securin VRS score of 9.58.
CVE-2020-12812 - An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below. o- 2 Ransomware / 0 APT - KEV, Trending
This CVE was initially published on July 24, 2020. In early August 2021, the first active exploits were observed by our experts, soon after which Securin’s Vulnerability Intelligence platform tagged it as critical and assigned it the highest predictive score of 38.46 on August 04, 2020. The DHS CISA added the vulnerability to the Known Exploited Vulnerabilities catalog only on November 3, 2021, approximately fifteen months after our VI platform had recognized the likelihood of future exploits using this vulnerability.
Fig 5: Securin’s VI platform tagged CVE-2020-12812 as extremely critical and assigned it the highest predictive score of 38.46
CVE-2020-12812 has an initial CVSS v2 score of 7.50 and was upgraded to a CVSS v3 score of 9.8 later after active exploits were found. Securin’s VI platform however assigned it a lower score of 8.80 because in spite of being exploited in the wild, we do not have sufficient information to suggest if this improper authentication vulnerability can be accessed remotely by a threat actor, or can lead to privilege escalation.
CVE-2021-33558 - Boa Web Server version 0.94.13 - 1 Ransomware / 1 APT - Trending
This CVE was initially published in May 2021. It was not until November 23, 2021, that Hive ransomware exploited the Boa server vulnerability to target energy grids in India.
Securin experts feel this vulnerability should be added to the DHS CISA’s Known Exploited Vulnerabilities catalog.
Fig 6: Securin’s VI platform assigned CVE-2021-33558 a score of 8.56
CVE-2021-33558 had an initial CVSS v2 score of just 5.00 and was upgraded to a CVSS v3 score of 7.50 after it was exploited. Although sufficient information is not available for the vulnerability, Securin’s VI platform assigned it a score of 8.56, since it was actively exploited by Hive ransomware and RedEcho APT.
This vulnerability, though trending since 2021, is not detectable by any of the popular cybersecurity scanners – Nessus, Nexpose and Qualys – that organizations depend on so greatly to keep their attack surface secure.
CVE-2017-9833 - Boa Web Server version 0.94.14rc21 - 1 Ransomware / 1 APT - Trending
This CVE was first exploited in June 2017, following which, it was published on June 24, 2017. According to Securin’s Vulnerability Intelligence platform, the VRS scores reached the maximum score of 38.46 in May 2020. However, in spite of its likelihood of being used in attacks by threat actors, DHS CISA still has not added the vulnerability to its catalog.
Fig 7: Securin’s VI platform tagged CVE-2017-9833 as extremely critical and assigned the highest predictive score of 38.46
CVE-2017-9833 had an initial CVSS v2 score of 7.80 but was demoted to a CVSS v3 score of 7.50. However, since the vulnerability has been exploited actively by Hive ransomware and RedEcho APT, many years after it was discovered, our Securin VI platform has assigned it a VRS score of 9.23.
History of HIVE Ransomware Attacks
The end of 2022 saw an influx of ransomware attacks reported targeting the education sector. Approximately five of the 24 ransomware attacks that were disclosed and confirmed in November and December 2022, were against K-12 schools and universities.
The Hive ransomware group, invariably, claimed responsibility for a couple of attacks, by leaking the date on their public leak site.
Note: The list of attacks carried out by HIVE can be found at the end of the article.
Interesting Trends
Customer Service:
The HIVE ransomware gang allows its victims to contact a sales representative in their operation through a ‘customer service’ link provided at the time of encryption. This connects the victim directly to a live chat with a HIVE executive who then tries to negotiate a ransom amount.
Fig 8: Screengrab of Victims Chats with HIVE negotiators
Leveraging victim chats for insights:
Before Hive decides upon a ransom amount, they do an in-depth research on the victim organizations and generally ask for about 1 percent of the company’s annual revenue. Though they target companies indiscriminately, they most probably base their assessments on how easily they can compromise the victim for quick financial gains.
The communications employed by HIVE are shorter and direct, but are quick to lower ransom demands, offering substantial reductions several times through their negotiations.
Fig 9: How Hive leverages on chats with victim to gain insights
Hive ransomware creates Linux and FreeBSD server variants:
Hive ransomware devised a variant of their ransomware that can encrypt Linux and FreeBSD servers. Although quite buggy, according to our experts, it comes with support for a single command line parameter (-no-wipe). The Linux version of the ransomware fails to encrypt files unless executed without root privileges. In contrast, the Windows ransomware variant comes with five execution options.
Hive ransomware ports its Linux VMware ESXi encryptor to Rust:
In March 2022, the Hive ransomware gang added new features to their VMware ESXi Linux encryptor and also converted it to the Rust programming language in order to make it harder for security researchers to spy on a victim’s ransom negotiations.
The Conti-Hive link:
With Conti shutting its operations in May 2022, its members splintered into smaller groups that it partnered with groups, such as Hive, HelloKitty, AvosLocker, BlackCat, and BlackByte among others. Some Conti members also joined the Hive ransomware ranks and began leaking victim data on both the Conti and Hive leak sites.
New ‘IPfuscation’ trick to hide payload:
The Hive ransomware operators developed an obfuscation technique involving IPv4 addresses and a set of conversions that lead to Cobalt Strike beacons being downloaded. Our analysts discovered that the payload itself was obscured by taking the form of an ASCII IPv4 array, which could have easily been mistaken for hard-coded C2 communications.
Hive Ransomware Attack Methodology
-
Initial Access Techniques:
Hive actors gain access to victim networks by using single factor logins via RDP, VPN, and other remote network connection protocols.
Exploit Public-Facing Application – Hive actors gain access to victim networks by exploiting the following Microsoft Exchange vulnerabilities: CVE-2021- 34473, CVE-2021-34523, CVE-2021- 31207, CVE-2021-42321. They may also use the newly discovered Boa vulnerability, CVE-2021-33558.
Phishing – Hive actors gain access to victim networks by distributing phishing emails with malicious attachments.
-
Execution:
Use Command and Scripting Interpreter – Hive actors looks to stop the volume shadow copy services and remove all existing shadow copies via vssadmin on command line or PowerShell.
-
Defense Evasion:
Use Indicator Removal on Host – Hive actors delete Windows event logs, specifically, the System, Security and Application logs.
Modify Registry – Hive actors set registry values for DisableAntiSpyware and DisableAntiVirus to 1.
Impair Defenses – Hive actors seek processes related to backups, antivirus/anti-spyware, and file copying and terminates those processes to facilitate file encryption.
-
Exfiltration:
Use Transfer Data to Cloud Account – Hive actors exfiltrate data from victims, using a possible combination of Rclone and the cloud storage service Mega.nz.
-
Impact:
Use Data Encrypted for Impact – Hive actors deploy a ransom note into each affected directory which states the *.key file cannot be modified, renamed, or deleted, otherwise the encrypted files cannot be recovered.
Inhibit System Recovery – Hive actors look to stop the volume shadow copy services and remove all existing shadow copies via vssadmin via command line or PowerShell.
HIVE Ransomware MITRE ATT&CK Map
Since Hive ransomware has been affecting the education and healthcare sectors since 2021, many more individuals are at risk of data theft, making it imperative that cyber security measures are taken to limit the effects of ransomware attacks on institutions and organizations.
K-12 schools have seen a meteoric rise in ransoms paid, with an estimated $3.5 billion in 2022, with the graph steadily rising due to ineffective attack surface management on the enterprise and local levels.
Securin’s Ransomware Spotlight Report 2023, highlights a continuing 19% rise in vulnerabilities associated with ransomware in 2022. A total of 344 vulnerabilities have been leveraged by ransomware groups thus far, of which 156 of the vulnerabilities are yet to be added to CISA’s KEV catalog. About 180 vulnerabilities have been actively searched as a point of interest by hackers and malicious actors such as HIVE, therefore, making it imperative for organizations today, especially K-12 schools and other vulnerable critical entities, to require a robust Attack Surface Management solution to see their ransomware exposure, prioritize their patching cadence and secure their network.
Here is a list of significant attacks carried out by HIVE ransomware between June 2021 and January 2023:
Targets |
Month |
Impact of the Attack |
January 2023 |
All customer information and hospital documentation leaked; 550GB |
|
January 2023 |
Two hospitals, 20 polyclinics, 23 physiotherapy clinics, and 16 dental clinics were affected in the region. All PII leaked. |
|
November to December 2022 |
data breach affecting almost 270,000 people |
|
November 2022 |
A district with 24 schools and more than 14,000 students hit. Led to discontinuation of use and shutdown of NPS-issued devices. |
|
October 2022 |
Tata Power employees’ personally identifiable information (PII), National ID (Aadhar) card numbers, PAN (tax account) numbers, salary information, etc. was stolen. Additionally, the data dump contained engineering drawings, financial and banking records as well as client information. |
|
September 2022 |
files contained patient names, dates of service, insurance information, and in some instances, Social Security numbers |
|
August – September 2022 |
$2 million ransom demanded; sales network stopped operating normally thereby impacting 92 of its stores |
|
August 2022 |
£500,000 ransom demanded, PII exfiltrated |
|
August 2022 |
PII exfiltrated |
|
June 2022 |
1.4 TB files exfiltrated, extensive IT outage |
|
June 2022 |
internal information about the entity including passwords for important accounts, but it has also leaked personal and financial information on doctors, and information on named patients that include their diagnoses and procedures, with some insurance information. |
|
Costa Rica’s public health service (known as Costa Rican Social Security Fund or CCCS) |
June 2022 |
Major IT outage |
March 2022 |
Hive exfiltrated 850,000 unique records with name, Social Security Number, date of birth, address, contact information, and more; 400 GB of stolen files were encrypted |
|
August 2021 |
The attack caused disruptions of clinical and financial operations, causing urgent surgical cases and radiology exams, surgeries postponed, etc |
How We Can Help
Securin’s Attack Surface Management platform provides you with a hacker’s view of your attack surface, enabling you to see exposures, misconfigurations, shadow IT, and vulnerable products that have ransomware vulnerabilities. Gain visibility into your true attack surface, improve your security posture, and expedite remediation before an attack.