# On the FootSteps of Hive Ransomware **yoroi.company/research/on-the-footsteps-of-hive-ransomware/** 07/26/2022 ## Introduction July 26, 2022 Hive ransomware is one of the most active financially motivated threat actors of this period, adopting the current Double Extorsion model. They started their malicious activities in June of the past year, and just in a year of activity they collected a big number of victims, demonstrating the capability to hit even critical infrastructures. The criminal group distinguished from other ones also for attacking healthcare organization during the 2021 when we had to face off the Covid[19 pandemic. It was emblematic that one of the first victims was the Memorial Health System in August 2021.](https://therecord.media/hive-ransomware-shuts-down-california-health-care-organization/) For these reasons, Yoroi’s Malware ZLab decided to keep track of this infamous threat actor and observe any modification of its modus operandi, in order to provide a guideline focusing on the evolution of the locker sample of the cyber gang. ## About Hive Hive (TH-313) is a Ransomware group firstly spotted in June 2021 and it gathered a big popularity inside the cybersecurity community because it was able to attack a large variety of sectors, starting from healthcare facilities and arriving to critical infrastructures, passing through manufacturers during just a year of activity. In addition, the group was able to refine its toolkit and then its TTPs with a surprising speed: the business model is the Double-Extorsion and Ransomware-as-a-Service, with a self-made ransomware payload. ----- Figure 1: Hive (TH-313) So, in this report we have decided to focus our attention on the ransomware payload evolution, providing a timeline of the development of Hive Ransomware Payloads. ## Timeline of the development of Hive Ransomware Inside the criminal group, there is surely a high-profile development team, with deep knowledge of programming in both newer and older programming languages. The first versions of the encryptor payload are written in Golang, then, starting from the v5 version, the dev team of Hive switched into Rust. Figure 2: Leak Site In the following timeline, we provide a quick overview of the evolution of the malware and how the cyber gang adopted an incremental development process on its TTPs: ----- Figure 3: Hive Timeline In the same way, even the Ransom Note changed during the evolution: first, the credentials were hardcoded inside the sample, but now the operators pass them as a parameter when the locker process is launched. Below a comparison between an earlier version and a later one: Figure 4: Ransom note comparison ## Victimology During its activity, Hive Group hit a large number of victims and during that period some of them paid the ransom, after that the victims were removed from the “walk of shame”. We tracked a total of 130 victims listed on their leak site, the affected companies belong to different sectors and nations. However, we have evidence that occasionally some victims of the group, despite being attacked by the threat actor, are never reported onto the site. ----- o eo e, t e g oup does ot e c ude osp ta s, co pa es t at p o de ed ca equ p e t a d o p o t o ga at o s e a p e s t e attack on the "Memorial Health System" in August 2021 or more recently on the "Partnership HealthPlan of California", a non-profit organization. The following graph shows the total progress of the victims so far, indicating that the group is consolidating its role as one of the principal threats in the panorama. Figure 5: Hive Ransomware Victims Progress over time Another view of the same information is represented in the following graph, where the focus is pointed to highlight the month in which most victims were published on their leak site, which turns out to be July 2021, shortly after the group started. So, it means that the ransomware operators gathered a consistent number of victims during the startup phase, in order to create a solid placement inside the threat landscape. After that phase, the gang continued to threaten with huge aggression. ----- Figure 6: Hive Victims Per Month ## Hive v1 Hash 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1 Threat Ransomware Brief Description Hive Ransomware v1 SSDEEP 12288:CinNFNkY/yU97ppM4NSBG81Np2C9H4S3iDjlLtc4wCIITIQaOI6NrwacVYV+4MsT:CinN3n/y67jM4v4kCSPDjlLtbwt8IQLH _Table 1: Hive v1_ The first version, written in Golang, was a sophisticated encryptor program, but, due to the newness of the malicious activity, there is no track of obfuscation, and the strings can be easily seen, the following figure shows some of the available parameters: ----- Figure 7: Available parameters The initial effort of the gang was to make a product quite customizable according to the infection and the encryption process to perform. In this way, the malware writers provided a series of parameters to launch an ad-hoc infection profile. The following table describes all the available parameters found in this version: **Parameter** **Description** -kill Regex, names of the processes to kill. Default values: “mspub|msdesktop” -no-clean Skip clean disk space stage -skip Regex, names of the files to skip. Default values: “\\.lnk” -skip-before Skip files before a specific date. Defaut value: “03.09.2016” -stop Regex, names of the services to stop. Default values: "bmr|sql|oracle|postgres|redis|vss|backup|sstp" -t Number of threads _Table 2: Hive v1 Parameters_ Once the parameters are parsed, creating the desired infection profile, the control flow passes to the core malicious operations. ----- _Figure 8: Hive core function_ The locker sample proceeds to export the key, to kill the processes and services specified and to remove the shadow copies then it iterates the directories and starts encrypting the files. The core of the encryption scheme of Hive ransomware is a union of XOR+RSA algorithms. In the figure below we can see the XOR related routine: _Figure 9: Usage of XOR algorithm_ Then, in this first version, it uses “.hive” as extension to the encrypted files, later it is used a unique ID instead. Moreover, the RemoveItself **routine drops “hive.bat” to remove itself. But, since the second version of the malware calls the related function after the encryption is** complete: _Figure 10: hive.bat_ **RemoveShadowCopies drops “shadow.bat” to remove the shadow copies, from the second version will directly execute the command instead** of dropping a .bat: ----- _Figure 11: shadow.bat_ ## Hive V2 Hash 25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5 Threat Ransomware Brief Description Hive Ransomware v2 SSDEEP 12288:Sw41dVZvThPCsM18GLHe7wlDdkPAQEtxr0fflvRmhEBWtdUJiAUtP/T/kAfMvgV:dod1HDmlDdkZ4YXPpaTTXMw Table 3: Hive v2 With the second version of Hive, the malware writers started to complicate the code in order to make the analysis more difficult for the analyst. The initial step is to obfuscate the “Go Build ID” header present in all golang- written binaries. _Figure 12: Strings comparison_ The simple trick causes that, when opening a disassembler, like IDA, the analyst can immediately see Golang not being recognized. However, a simple fix provides the overwriting of the build-id with a legit one. _Figure 13: “Go Build ID” patch_ In addition, now the strings are obfuscated, and the names of the functions present inside the main are not visible in cleartext: ----- _Figure 14: Obfuscated parameters_ In the following screen two different routines for the strings obfuscation is provided: _Figure 15: Strings decryption routines_ The help command has also changed, it has more default values, the “-t” and “-skip” parameters have been removed, “-grant” has been added and “-no-clean” renamed to “-no-wipe” **Parameter** **Description** -grant Grant permissions to all files -kill Regex, names of the processes to kill. Default values: "agntsvc|sql|CNTAoSMgr|dbeng50|dbsnmp|encsvc|excel|firefoxconfig|infopat -no-wipe Skip wipe of free space ----- -stop Regex, names of the services to stop. Default values: "acronis|AcrSch2Svc|Antivirus|ARSM|AVP|backup|bedbg|CAARCUpdateSvc|C |mfemms|mfevtp|MMS|MsDtsServer|MsDtsServer100|MsDtsServer110|msexchange|msmdsrv|MSOLAP|MVArmor|MVarmor64|NetM _Table 4: Hive v2 parameters_ The string obfuscation process does not impact the structure of the main function, following a comparison of these two versions. _Figure_ _16: Functions name comparison_ ## Hive V3 Hash 8a461e66ae8a53ffe98d1e2e1dc52d015c11d67bd9ed09eb4be2124efd73ccd5 Threat Ransomware Brief Description Hive Ransomware v3 SSDEEP 49152:gWVNVvSGbjmrb/T6vO90dL3BmAFd4A64nsfJuhQ8jmp4S3C5CEg+eNgiQJfOqAD:gWYQjPhQCmppnMfO _Table 5: Hive v3_ In this version the “-skip” parameter has been restored and, in another sample (3858e95bcf18c692f8321e3f8380c39684edb90bb622f37911144950602cea21), we found a new parameter named “scan”: **Parameter** **Description** -scan Scan local network for shares _Table 6: Hive v3 Additional parameters_ Comparing the logs from the v1 we can spot the following differences: The key name is longer and it has a random extension It shows the time elapsed for the encryption of each file _Figure 17: Comparison of logs_ ----- ## Linux/FreeBSD version The third version of the development of Hive ransomware saw the porting of the codebase for other operating systems, such as Linux/FreeBSD and ESXi. The Linux (12389b8af28307fd09fe080fd89802b4e616ed4c961f464f95fdb4b3f0aaf185) and FreeBSD (bdf3d5f4f1b7c90dfc526340e917da9e188f04238e772049b2a97b4f88f711e3) versions are almost identical to the Windows one, despite the obvious OS differences. One of those differences is the following function “KillNonRoot” aimed at killing all non-root processes: _Figure 18: “KillNonRoot” Function_ ## Hive v3 ESXI Hash 822d89e7917d41a90f5f65bee75cad31fe13995e43f47ea9ea536862884efc25 Threat Ransomware Brief Description Hive Ransomware v3 SSDEEP 3072:3Zp7gZzdfvjRCMj1Yk36ioyJ1zgjIlOhXYopNL+V7o0xvvkB/37Nt7xhew8A2Mz:P7gDj8S1Hlx14+opNClvk977ew8A2M _Table 7: Hive v3 ESXI_ In this case, the malware is written in C/C++, in order to have a better compatibility with the target operating system, the strings are not obfuscated, and we have found some new parameters: **Parameter** **Description** -no-stop Don’t stop virtual machines -low-cpu Single thread encryption _Table 8: Hive v3 ESXI Parameters_ After the routine of exporting the keys already seen in the previous paragraphs, the sample stops all the running virtual machines in order to encrypt them without problems: ----- _Figure 19: “Stopping virtual machines_ The ransom note contains also a reference to not delete or reinstall the virtual machines: _Figure 20: Ransom note_ As said, the objective of this version is to encrypt the virtual machines hosted on the ESXi server, so, the malware goes to find the virtual machines deployed on the server, by using a custom regex aimed at finding the words “vm” or “vs”. _Figure 21: Regex for ESXI version_ ## Hive v4 Hash 33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277 Threat Ransomware Brief Description Hive Ransomware v4 SSDEEP 49152:e2NiZPNNirb/T2vO90dL3BmAFd4A64nsfJk0NuXCdmTQb0/6VCrrPrsbg11VgWA:e2ANB04yIa0hsirubO _Table 9: Hive v4_ The fourth version of Hive locker is an effort to obfuscate also the code. We haven’t noticed new features or upgrades except for a more serious obfuscation of the code and changes in the details of the key generation and encryption. In detail, this version adopts the control flow flattering obfuscation technique, which is largely adopted by many attackers, thanks to its actual effectiveness. Below an example of that technique: ----- _Figure 22: Control flattening_ _obfuscation_ ## Hive v5 The fifth version of hive represents a sort of revolution inside the entire codebase. In this version, the major differences include the changing of the base programming language and the refinement encryption algorithm. Hash b6b1ea26464c92c3d25956815c301caf6fa0da9723a2ef847e2bb9cd11563d8b Threat Ransomware Brief Description Hive Ransomware v5.2 SSDEEP 12288:BLF6OtM1z8JLbA689tSfvTvFSYIzp4yzhrWbttQfaa4Gxjzgdlo/AhwN/eh9z/E:BLF6gb0xqx9z/EO3BxhR _Table 10: Hive v5_ Hive is now written in Rust and for this reason the difficulty has increased, along with a complex encryption scheme makes the analysis harder even for experienced analysts. The refinement of the encryption process considers the passing from “XOR+RSA” of the previous versions, arriving to “ECDH+Curve25519+XChaCha20-Poly1305” For this version we found the following parameters: **Parameter** **Description** -no-local Don’t encrypt local files -no-mounted Don’t encrypt on mounted network volumes -no-discovery Don’t discover network volumes -local-only Encrypt only local files -network-only Encrypt only network volumes -explicit-only Encrypt specified folders -min-size Minimum file size -timerze-only N/A -da N/A _Table 11: Hive v5 parameters_ Once executed, the sample checks for the parameter “-u”, which should contain the “username:password” used as credentials for the victim and written in the ransom note, if this unique parameter is missing, the program exits. ----- _Figure 23: -u_ _parameter_ Even the routine to decrypt the ransom note changed. In this case, the protection of the ransom note relies on a XOR key. _Figure 24: Decrypted Ransom Note_ Another update is the expansion on the other drives. The sample generates an array of drive labels and uses GetDriveTypeW to check if the path is invalid: _Figure 25: Finding of logical drives_ Once the attached volumes are found, it calls FindFirstVolumeW and SetVolumeMountPointW to mount eventual unmounted volumes: ----- _Figure 26: Mounting_ _available volumes_ After that, the operation of privilege escalation is performed though abusing the “TrustedInstaller” service to recover its access token. In this way, the malware is able to read and write files with the same privileges of TrustedInstaller Group. _Figure_ _27: Retrieving TrustedInstaller access token_ Moreover, in the previous versions, we saw bat files and other escamotages for the erasing of the backup mechanisms provided by the Microsoft Environment. In the fifth version analyzed, there are the following tricks: vssadmin.exe delete shadows /all /quiet _Figure_ _28: vssadmin_ bcedit /set {default} bootstatuspolicy ignoreallfailures ----- _29: bcedit_ wbadmin delete systemstatebackup –keepversions:3 _30: wbadmin_ ## Conclusion _Figure_ _Figure_ Hive threat actor is one of the most sophisticated active threats. It does not care about the target, the only objective is to maximize the illicit profits, even by causing the interruption of critical services. The continuous development of the ransomware payload should not be underestimated, and in the same way organizations must upgrade their cyber protections. We at Yoroi ZLab believe that collaboration and sharing more information possible about attackers is the right way to pursue to defend these entities. We know that having to deal with these threats is challenging, so we are pointing to create the best expertise needed to handle such incidents whether they happen. In conclusion, we need to create a solid and reliable strategy to defend our customers. we encourage our customers to make assessments and awareness campaigns for their employees. The goal of the Defence Center of Yoroi is to guarantee the best protection in every phase of the attack, starting from the continuous monitoring arriving to the Incident Response engagements. ## Appendix ### Indicators of Compromise Hive v1 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1 (Sample) d158f9d53e7c37eadd3b5cc1b82d095f61484e47eda2c36d9d35f31c0b4d3ff8 (shadow.bat) Hive v2: 25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5 Hive v3 8a461e66ae8a53ffe98d1e2e1dc52d015c11d67bd9ed09eb4be2124efd73ccd5 Hive v3 Linux/FreeBSD 12389b8af28307fd09fe080fd89802b4e616ed4c961f464f95fdb4b3f0aaf185 (Linux) Bdf3d5f4f1b7c90dfc526340e917da9e188f04238e772049b2a97b4f88f711e3 (FreeBSD) Hive v3 ESXI ----- 8 d89e 9 d a90 5 65bee 5cad3 e 3995e 3 ea9ea53686 88 e c 5 Hive v4 33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277 Hive v5.2 b6b1ea26464c92c3d25956815c301caf6fa0da9723a2ef847e2bb9cd11563d8b ### Yara Rules ----- ``` { strings: $1 = {648b0d140000008b89000000003b61080f86e401000083ec40e8?2f?feff8b04248b4c240485c90f8556010000b94100000031d231db8d2d?4?? 6300eb0341d1e883f95a0f8f29010000a90100000074ed895c2434896c243c894c242489542430894424288d44242c} condition: $1 and uint16(0) == 0x5A4D } rule hive_v1_64_win { strings: $1 = { 65 4? 8b 0c ?5 28 00 00 00 4? 8b 89 00 00 00 00 4? 3b 61 10 0f 86 ?? ?? ?? ?? 4? 83 ec 40 4? 89 6c ?4 38 4? 8d 6c ?4 38 4? 8b 44 ?4 48 4? 89 04 ?4 e8 ?? ?? ?? ?? 4? 8b 44 ?4 08 4? 8b 4c ?4 10 4? 83 7c ?4 08 00 0f 85 ?? ?? ?? ?? 4? 89 44 ?4 20 4? 89 4c ?4 18 4? 8b 44 ?4 48 4? 89 04 ?4 90 e8 ?? ?? ?? ?? 4? 8b 44 ?4 48 4? 89 04 ?4 e8 ?? ?? ?? ?? 4? 8b 44 ?4 48 4? 89 04 ?4 0f 1f 40 00 e8 ?? ?? ?? ?? 4? 8b 44 ?4 48 4? 89 04 ?4 e8 ?? ?? ?? ?? 4? 8b 44 ?4 48 4? 89 04 ?4 0f 1f 40 00 e8 ?? ?? ?? ?? 4? 8b 44 ?4 48 4? 89 04 ?4 e8 ?? ?? ?? ?? 4? 8b 44 ?4 48 4? 89 04 ?4 0f 1f 40 00 e8 ?? ?? ?? ?? 4? 8b 44 ?4 48 4? 89 04 ?4 e8 ?? ?? ?? ?? 4? 8b 44 ?4 48 4? 89 04 ?4 0f 1f 40 00 e8 ?? ?? ?? ?? 4? 8b 44 ?4 48 80 78 48 00 74 ?? 90 0f 57 c0 0f 11 44 ?4 28 4? 8d 05 ?? ?? ?? ?? 4? 89 ?? ?4 28 4? 8d 05 ?? ?? ?? ?? 4? 89 ?? ?4 30 4? 8d 44 ?4 28 4? 89 04 ?4 4? c7 44 ?4 08 01 00 00 00 4? c7 44 ?4 10 01 00 00 00 e8 ?? ?? ?? ?? 4? 8b 44 ?4 20 4? 89 44 ?4 50 4? 8b 44 ?4 18 4? 89 44 ?4 58 4? 8b 6c ?4 38 4? 83 c4 40 c3 4? 89 04 ?4 e8 ?? ?? ?? ?? eb ?? 4? 89 44 ?4 50 4? 89 4c ?4 58 4? 8b 6c ?4 38 4? 83 c4 40 c3 } condition: $1 and uint16(0) == 0x5A4D } rule hive_v2_v3_32_win { strings: //prenotify routine $1 = { 64 8b 0d 14 00 00 00 8b 89 00 00 00 00 3b 61 08 0f 86 ?? ?? ?? ?? 83 ec ?? c7 44 ?4 04 ?? ?? ?? ?? c7 04 ?4 ?? ?? ?? ?? e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? 8b 04 ?4 8b 4c ?4 04 c7 44 ?4 4c 00 00 00 00 c7 44 ?4 50 00 00 00 00 89 04 ?4 89 4c ?4 04 e8 ?? ?? ?? ?? 8b 44 ?4 08 8d 0d ?? ?? ?? ?? 89 4c ?4 4c 89 44 ?4 50 8d 44 ?4 4c 89 04 ?4 c7 44 ?4 04 01 00 00 00 c7 44 ?4 08 01 00 00 00 e8 ?? ?? ?? ?? 8b 44 ?4 68 89 04 ?4 e8 ?? ?? ?? ?? 8b 44 ?4 04 89 44 ?4 48 8b 4c ?4 08 89 4c ?4 38 31 d2 eb ?? } condition: $1 and uint16(0) == 0x5A4D } rule hive_v2_64_win { strings: $1 = {654?8b0c?5280000004?8b89000000004?8d44????4?3b41100f86????????4?81ec????????4?89ac??????????4?8dac??????????4? b8????????????????4?8904?4e8????????e8????????4?8b04?44?8b4c?4080f57c00f1184??????????4?8904?44?894c?408e8????????4?8b44?4104? 8d0d????????4?898c??????????4?8984??????????4?8d84??????????4?8904?44?c744?408010000004?c744?41001000000e8????????4?8b84?????????? 4?8904?40f1f440000e8????????4?8b44?4084?8b4c?4104?85c97e??4?89?c} condition: $1 and uint16(0) == 0x5A4D } rule hive_v3_v4_64_win { strings: $1 = {4? 3b 66 10 0f 86 ?? ?? ?? ?? 4? 83 ec 30 4? 89 6c ?4 28 4? 8d 6c ?4 28 4? 89 44 ?4 20 0f 1f 00 e8 ?? ?? ?? ?? 4? 85 c0 0f 85 ?? ?? ?? ?? 4? 8b 44 ?4 20 e8 ?? ?? ?? ?? 4? 85 c0 74 ?? 4? 8b 6c ?4 28 4? 83 c4 30 c3 4? 89 44 ?4 10 4? 89 5c ?4 18 4? 8b 44 ?4 20 e8 ?? ?? ?? ?? 4? 8b 44 ?4 20 e8 ?? ?? ?? ?? 4? 8b 44 ?4 20 e8 ?? ?? ?? ?? 4? 89 c3 4? 8b 44 ?4 20 e8 ?? ?? ?? ?? 4? 8b 44 ?4 20 e8 ?? ?? ?? ?? 4? 8b 44 ?4 20 e8 ?? ?? ?? ?? 4? 8b 44 ?4 20 e8 ?? ?? ?? ?? 4? 8b 44 ?4 20 90 e8 ?? ?? ?? ?? 4? 8b 44 ?4 10 4? 8b 5c ?4 18 4? 8b 6c ?4 28 4? 83 c4 30 c3 4? 8b 6c ?4 28 4? 83 c4 30 c3} condition: $1 and uint16(0) == 0x5A4D } rule hive_v5_32_win { strings: $1 = {5589e553575681ec440400008b75108b7d0c89d3894dc88d85b0fbffff68000400006a0050e8???????? 83c40c0fbec3b9abaaaaaa8b0485c0b949008945e889f0f7e1d1ea8d045229c683f60389f0f7e131c9d1ea8d04528d570229c68b45148955cc8975e48b00} condition: $1 and uint16(0) == 0x5A4D } rule hive_v5_64_win { strings: $1 = {4157415641554154565755534881ec880400004c89cd448844243789d648894c2450488b9c24f0040000488bbc24f8040000488d8c248800000041b80004000031d 00480fbec6488d0d?????? 004c8b24c148b9abaaaaaaaaaaaaaa4889d848f7e148d1ea488d04524989de4929c64983f6034c89f048f7e148d1ea488d04524929c6488b07} di i ``` ----- ``` } rule hive_v3_esxi { strings: $s1 = "+ prenotify %s" $s2 = "Stopping VMs" $s3 = "(.+)\\.(.+?)\\.%s$" $s4 = "\\.(vm|vs)\\w+$" $c = {f3 0f 1e fa 55 4? 89 e5 4? 83 ec 20 4? 89 7? ?? 4? 8b 4? ?? 4? 89 c7 e8 ?? ?? ?? ?? 89 4? ?? 83 7? ?? 00 74 ?? 8b 4? ?? eb ?? 4? 8b 4? ?? 4? 89 c7 e8 ?? ?? ?? ?? 89 4? ?? 83 7? ?? 00 74 ?? 4? 8d 3d ?? ?? ?? ?? e8 ?? ?? ?? ?? 8b 4? ?? eb ?? 4? 8b 4? ?? 4? 89 c7 e8 ?? ?? ?? ?? 4? 8b 4? ?? 4? 89 c7 e8 ?? ?? ?? ?? 4? 8b 4? ?? 4? 89 c7 e8 ?? ?? ?? ?? 4? 8b 4? ?? 4? 89 c7 e8 ?? ?? ?? ?? 4? 8b 4? ?? 4? 89 c7 e8 ?? ?? ?? ?? b8 00 00 00 00 c9 c3} condition: (all of ($s*) or $c) and uint32(0) == 0x464C457F } ``` _This blog post was authored by Luigi Martire, Carmelo Ragusa of Yoroi Malware ZLAB_ [Download The Report](https://yoroi.company/wp-content/uploads/2022/07/Yoroi-On-The-Footsteps-of-Hive-Ransomware.pdf) -----