Ransomware Hive Group that stood out in 2021 is back

Ransomware Hive Group that was prominent in 2021 is back; learn how to protect yourself

The Hive Group has been the subject of our security reports before, due to its prominence in the cyber world. We return to this ransomware because it is now likely correlated with Nokoyawa: the two share similarities in their attack chains, from the tools used to the order in which the various steps are performed.

Read more security reports like this one on Twitter from our threat intel team. Visit and follow twitter.com/heimdallish

The Hive ransomware was first observed in June 2021 and likely operates as an affiliate-based ransomware. It uses a wide variety of Tactics, Techniques and Procedures (TTPs), which makes defense and mitigation a challenge.

Several vectors of compromise are used, including phishing with malicious attachments and Remote Desktop Protocol (RDP) for lateral movement within the network. Once network access has been established, Hive looks for processes related to backups, antivirus/antispyware, and file copying and terminates them to facilitate encryption of files, which usually end with the *.key.hive or *.key.* extension.

Some of the indicators shared by Nokoyawa and Hive include the use of Cobalt Strike, as well as the use of legitimate tools such as anti-rootkit scanners GMER and PC Hunter for defense evasion. Other steps, such as information gathering and lateral deployment, are also similar.

Hive's dark web leak site, HiveLeaks, lists at least 70 victims so far. Using double extortion, the group demands payment for the recovery of the encrypted files and threatens to leak the victim's exfiltrated data if payment is not made.

MITRE ATT&CK

When analyzing the xxx.exe file related to Hive, at least three TTPs used in the attack were identified:

TTP | ID | Tactic
System Information Discovery | T1082 | Discovery
Remote Services: Remote Desktop Protocol | T1021.001 | Lateral Movement
Obfuscated Files or Information: Software Packing | T1027.002 | Defense Evasion

System Information Discovery

Obtaining detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Such information can be used to shape subsequent behavior, including whether or not the adversary will fully infect the target and/or attempt specific actions.

Remote Services: Remote Desktop Protocol

Attackers can use valid accounts to log into a computer using Remote Desktop Protocol (RDP) and then perform actions with the logged-on user's privileges.

Remote desktop is a common feature of operating systems and allows a user to log into a remote system. Previously leaked credentials are used in these access attempts.

Obfuscated Files or Information: Software Packing

A technique used to hide malicious code. Software packing is a method of compressing or encrypting an executable. Packing an executable alters the file's signature in an attempt to avoid signature-based detection.

IOCS

Some Indicators of Compromise are listed below, in order to assist in the detection of these possible threats.

Onion Link: hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion

Some file sharing sites can be used, such as:

  • https://anonfiles.com
  • https://mega.nz
  • https://send.exploit.in
  • https://ufile.io
  • https://www.sendspace.com

Some of the following indicators may be from legitimate applications, however, these applications can be used by threat actors during attacks. It is recommended to remove any application not deemed necessary for day-to-day operations.

Winlo.exe
  MD5: b5045d802394f4560280a7404af69263
  SHA256: 321d0c4f1bbb44c53cd02186107a18b7a44c840a9a5f0a78bdac06868136b72c
  Directory: C:\Windows\SysWOW64\winlo.exe
  Description: Delivers 7zG.exe

7zG.exe
  MD5: 04FB3AE7F05C8BC333125972BA907398
  Description: A legitimate copy of 7-Zip, version 19.0.0; delivers Winlo_dump_64_SCY.exe

Winlo_dump_64_SCY.exe
  MD5: BEE9BA70F36FF250B31A6FDF7FA8AFEB
  Description: Responsible for encrypting files with the *.key.* extension; delivers HOW_TO_DECRYPT.txt

HOW_TO_DECRYPT.txt
  Description:
  • Stops and disables Windows Defender;
  • Deletes all Windows Defender settings;
  • Removes the Windows Defender context menu;
  • Stops the following services and disables their restart:
    - LanmanWorkstation
    - SamSs
    - SDRSVC
    - SstpSvc
    - UI0Detect
    - Vmicvss
    - Vmss
    - VSS
    - Wbengine
    - Unistoresvc
  • Attempts to delete volume shadow copies (vssadmin and wmic);
  • Clears the Windows Event Logs: System, Security, Application and PowerShell;
  • Uses Notepad++ to create the key file;
  • Changes the startup configuration to ignore errors and not attempt system recovery;
  • Delivers the PowerShell script.

Other IoCs
*.key.hive
HOW_TO_DECRYPT.txt
hive.bat
shadow.bat
vssadmin.exe delete shadows /all /quiet
wmic.exe SHADOWCOPY /nointeractive
wmic.exe shadowcopy delete
wevtutil.exe cl system
wevtutil.exe cl security
wevtutil.exe cl application
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe /set {default} recoveryenabled no
Glary Utilities 5
xxx.exe
75.exe
3.exe
adf.bat
Microsoft Toolkit
Re-Loader By R@1n
a42_96.exe_.sa
Get-DataInfo.ps1
ss64.dll
VeeamUpdate.exe

Hashes

a70729b3241154d81f2fff506e5434be0a0c381354a84317958327970a125507
2ef9a4f7d054b570ea6d6ae704602b57e27dee15f47c53decb16f1ed0d949187
e097cde0f76df948f039584045acfa6bd7ef863141560815d12c3c6e6452dce4
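As an added example (not tooling from this report's authors), the following Python script matches the hashes, file names and tampering command lines listed above against process-creation telemetry of the kind Sysmon or an EDR exports. The indicator values are the ones the report lists; the log records are constructed sample data, and the record layout (image, command_line, md5, sha256) is an assumed export format.

```python
"""Match the Hive indicators listed above against process-creation telemetry.

Added example for this report; the indicator values are the ones the report
lists, the log records below are constructed sample data, and the record
field names (image, command_line, md5, sha256) are an assumed export format.
"""
import re
from dataclasses import dataclass

# Hashes listed in the report, normalised to lower case for comparison.
HIVE_HASHES = {
    "b5045d802394f4560280a7404af69263",  # MD5, winlo.exe
    "04fb3ae7f05c8bc333125972ba907398",  # MD5, 7zG.exe (legitimate 7-Zip, abused)
    "bee9ba70f36ff250b31a6fdf7fa8afeb",  # MD5, Winlo_dump_64_SCY.exe
    "321d0c4f1bbb44c53cd02186107a18b7a44c840a9a5f0a78bdac06868136b72c",  # SHA256, winlo.exe
    "a70729b3241154d81f2fff506e5434be0a0c381354a84317958327970a125507",
    "2ef9a4f7d054b570ea6d6ae704602b57e27dee15f47c53decb16f1ed0d949187",
    "e097cde0f76df948f039584045acfa6bd7ef863141560815d12c3c6e6452dce4",
}

# A subset of the file names from the report's IoC list (compared case-insensitively).
HIVE_FILENAMES = {
    "winlo.exe", "winlo_dump_64_scy.exe", "how_to_decrypt.txt", "hive.bat",
    "shadow.bat", "adf.bat", "get-datainfo.ps1", "ss64.dll", "veeamupdate.exe",
}

# Command lines from the report: shadow-copy deletion, event-log clearing and
# boot-recovery tampering. Each is rare in normal administration.
COMMAND_PATTERNS = [
    ("shadow copy deletion via vssadmin",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow copy deletion via wmic",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+(delete|/nointeractive)", re.I)),
    ("event log clearing via wevtutil",
     re.compile(r"wevtutil(\.exe)?\s+cl\s+\S+", re.I)),
    ("recovery disabled via bcdedit",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
                r"(bootstatuspolicy\s+ignoreallfailures|recoveryenabled\s+no)", re.I)),
]


@dataclass
class Finding:
    record_id: int
    reasons: list


def is_hive_encrypted_name(path: str) -> bool:
    """True for the *.key.hive extension the report attributes to encrypted files."""
    return path.lower().endswith(".key.hive")


def scan_record(record: dict) -> list:
    """Return the list of indicator matches for one process-creation record."""
    reasons = []
    base_name = record.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if base_name in HIVE_FILENAMES:
        reasons.append(f"file name IoC: {base_name}")
    for algo in ("md5", "sha256"):
        digest = record.get(algo, "").lower()
        if digest in HIVE_HASHES:
            reasons.append(f"{algo} hash IoC: {digest}")
    for label, pattern in COMMAND_PATTERNS:
        if pattern.search(record.get("command_line", "")):
            reasons.append(label)
    return reasons


def scan(records: list) -> list:
    """Scan every record; records with no match produce no Finding."""
    findings = []
    for idx, record in enumerate(records):
        reasons = scan_record(record)
        if reasons:
            findings.append(Finding(idx, reasons))
    return findings


# Constructed sample telemetry: one benign service, one Hive dropper, the
# report's tampering command lines, and a benign Notepad++ launch.
SAMPLE_RECORDS = [
    {"image": r"C:\Windows\System32\svchost.exe", "command_line": "svchost.exe -k netsvcs",
     "md5": "d41d8cd98f00b204e9800998ecf8427e"},
    {"image": r"C:\Windows\SysWOW64\winlo.exe", "command_line": "winlo.exe",
     "md5": "b5045d802394f4560280a7404af69263"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe", "command_line": "wmic.exe shadowcopy delete"},
    {"image": r"C:\Windows\System32\wevtutil.exe", "command_line": "wevtutil.exe cl security"},
    {"image": r"C:\Windows\System32\bcdedit.exe",
     "command_line": "bcdedit.exe /set {default} recoveryenabled no"},
    {"image": r"C:\Program Files\Notepad++\notepad++.exe", "command_line": "notepad++.exe notes.txt"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(f"record {finding.record_id}: " + "; ".join(finding.reasons))
```

The command-line patterns matter more than the hashes: a repacked sample changes every hash, but the shadow-copy, event-log and boot-recovery commands are what the encryptor must run to do its damage, so they survive across variants.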

CONCLUSION

Despite being relatively new threats, Hive and Nokoyawa have been causing great damage to companies worldwide. These ransomware families have already affected Brazilian organizations and should be on the radar for detection. We therefore recommend using the IoCs presented above and implementing the recommendations listed below.

RECOMMENDATIONS

1. Keep encrypted, offline data backups and test them frequently. Backup procedures should be performed regularly. It is important that the backups are kept offline, as many ransomware variants try to locate and delete or encrypt accessible backups.

2. Create, maintain and execute a basic cyber incident response plan, a recovery plan and an associated communications plan.

  • The cyber incident response plan should include response and notification procedures for ransomware incidents. We recommend the CISA and Multi-State Information and Sharing Center (MS-ISAC) Joint Ransomware Guide for more details on creating a cyber incident response plan.
  • The recovery plan should address how to operate if you lose access to or control of critical functions. CISA offers no-cost, non-technical cyber resilience assessments to help organizations assess their operational resilience and cyber security practices.

3. Mitigate vulnerabilities and misconfigurations of Internet-facing services to reduce the risk of actors exploiting this attack surface:

a. Employ best practices for using Remote Desktop Protocol (RDP) and other remote desktop services. Threat actors often gain initial access to a network through exposed and poorly secured remote services and later propagate the ransomware.

Audit the network for systems using RDP, close unused RDP ports, apply account locks after a specified number of attempts, apply multi-factor authentication (MFA), and log RDP login attempts.

b. Perform regular vulnerability scans to identify and resolve vulnerabilities, especially those in Internet-facing devices. CISA offers a variety of free cyber hygiene services, including vulnerability scanning, to help critical infrastructure organizations assess, identify, and reduce their exposure to cyber threats such as ransomware. By taking advantage of these services, organizations of any size will receive recommendations on ways to reduce their risk and mitigate attack vectors.

c. Update software, including operating systems, applications, and firmware, in a timely manner. Prioritize timely remediation of critical vulnerabilities and vulnerabilities in Internet-facing servers - as well as Internet data processing software, web browsers, browser plug-ins, and document readers. If rapid remediation is not feasible, implement vendor-provided mitigations.

d. Make sure that the devices are configured correctly and security features are enabled; for example, disable ports and protocols that are not being used for a business purpose.

e. Disable or block the incoming and outgoing Server Message Block (SMB) protocol and remove or disable outdated SMB versions.

4. Reduce the risk of phishing e-mails reaching end users:

a. Enabling spam filters.

b. Implementing a cybersecurity user awareness and training program that includes guidance on how to identify and report suspicious activity (e.g., phishing) or incidents.

5. Use the best available cybersecurity practices:

a. Ensure that all anti-virus and anti-malware software, and their signatures, are up to date.

b. Implement application allowlisting.

c. Ensure that user accounts and privileges are limited through account usage policies, user account control, and privileged account management.

d. Employ MFA for as many services as possible, especially for webmail, virtual private networks (VPNs), and accounts that access critical systems.
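As an added example that is not part of this report, the following Python script serves two passages above: the RDP technique (T1021.001, where previously leaked credentials are used in access attempts) and recommendation 3a (account lockout after a set number of attempts and logging of RDP logins). It reviews exported Windows Security events for RDP failure bursts that reach the lockout threshold and for RDP successes that follow a run of failures. Event IDs 4624 (successful logon) and 4625 (failed logon) and LogonType 10 (RemoteInteractive, i.e. RDP) are standard Windows auditing values; the record layout, the five-failure threshold and the ten-minute window are assumptions, and the events are constructed sample data.

```python
"""Review RDP logon telemetry against a lockout threshold.

Added example for this report (not the authors' tooling). Event IDs 4624
(successful logon) and 4625 (failed logon) and LogonType 10 (RemoteInteractive,
i.e. RDP) are standard Windows Security auditing values; the record layout,
the threshold and the window are assumptions, and the records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10
LOCKOUT_THRESHOLD = 5                   # assumed policy: lock after 5 failed attempts
LOCKOUT_WINDOW = timedelta(minutes=10)  # assumed observation window

# Constructed sample events: a burst of failures against one account from one
# address followed by a success, a console logon, and a single mistyped password.
SAMPLE_EVENTS = [
    {"time": "2022-07-01T02:00:00", "event_id": 4625, "logon_type": 10, "user": "backupadmin", "ip": "198.51.100.23"},
    {"time": "2022-07-01T02:00:20", "event_id": 4625, "logon_type": 10, "user": "backupadmin", "ip": "198.51.100.23"},
    {"time": "2022-07-01T02:00:40", "event_id": 4625, "logon_type": 10, "user": "backupadmin", "ip": "198.51.100.23"},
    {"time": "2022-07-01T02:01:00", "event_id": 4625, "logon_type": 10, "user": "backupadmin", "ip": "198.51.100.23"},
    {"time": "2022-07-01T02:01:20", "event_id": 4625, "logon_type": 10, "user": "backupadmin", "ip": "198.51.100.23"},
    {"time": "2022-07-01T02:01:40", "event_id": 4625, "logon_type": 10, "user": "backupadmin", "ip": "198.51.100.23"},
    {"time": "2022-07-01T02:02:00", "event_id": 4624, "logon_type": 10, "user": "backupadmin", "ip": "198.51.100.23"},
    {"time": "2022-07-01T08:30:00", "event_id": 4624, "logon_type": 2, "user": "alice", "ip": "-"},
    {"time": "2022-07-01T09:00:00", "event_id": 4625, "logon_type": 10, "user": "bob", "ip": "10.0.0.15"},
    {"time": "2022-07-01T09:00:30", "event_id": 4624, "logon_type": 10, "user": "bob", "ip": "10.0.0.15"},
]


def _when(event):
    return datetime.fromisoformat(event["time"])


def rdp_logon_events(events):
    """Keep only RDP (LogonType 10) successes and failures, oldest first."""
    return sorted(
        (e for e in events if e["logon_type"] == RDP_LOGON_TYPE and e["event_id"] in (4624, 4625)),
        key=_when,
    )


def failure_bursts(events, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Map (user, ip) to the largest number of failures seen within any sliding
    window, keeping only pairs that reached the lockout threshold."""
    failures = defaultdict(list)
    for e in rdp_logon_events(events):
        if e["event_id"] == 4625:
            failures[(e["user"], e["ip"])].append(_when(e))
    bursts = {}
    for key, times in failures.items():
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[key] = peak
    return bursts


def successes_after_failures(events, min_failures=3, window=LOCKOUT_WINDOW):
    """RDP successes preceded by at least min_failures failures for the same
    account within the window: the pattern of a guessed or reused password."""
    ordered = rdp_logon_events(events)
    hits = []
    for idx, e in enumerate(ordered):
        if e["event_id"] != 4624:
            continue
        prior = [p for p in ordered[:idx]
                 if p["event_id"] == 4625 and p["user"] == e["user"]
                 and _when(e) - _when(p) <= window]
        if len(prior) >= min_failures:
            hits.append((e["user"], e["ip"], len(prior)))
    return hits


if __name__ == "__main__":
    print("lockout threshold reached:", failure_bursts(SAMPLE_EVENTS))
    print("success after failures:", successes_after_failures(SAMPLE_EVENTS))
```

In the sample, the backupadmin account sees six failures in under two minutes and then a success from the same address, which is exactly the case a lockout policy should have stopped at the fifth attempt; bob's single typo followed by a success is ignored by both checks, which keeps the output actionable.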

REFERENCES

  1. MITRE ATT&CK
  2. IC3.gov
  3. Trend Micro
  4. Check Point
  5. CISA
  6. FBI
  7. CrowdStrike
