Jorge Orchilles
4 min. read
02 Sep 2021
The FBI released a Flash Alert on August 25, 2021 warning organizations about the Hive ransomware, which has affected at least 28 organizations including Memorial Health. This ransomware is new, first observed in June 2021, but it operates like most ransomware we track: disabling endpoint security solutions and services, deleting backups and event logs, exfiltrating and encrypting data, and extorting the target into paying a ransom in exchange for restoring access to their systems.
We first heard of the Hive ransomware when Memorial Health released a statement about the attack. Unfortunately the information provided did not include actionable intelligence to emulate the new threat. On August 25, 2021, the FBI released a Flash Alert with more details, but without a MITRE ATT&CK mapping:
Hive ransomware, which was first observed in June 2021 and likely operates as an affiliate-based ransomware, employs a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation. Hive ransomware uses multiple mechanisms to compromise business networks, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol (RDP) to move laterally once on the network.
After compromising a victim network, Hive ransomware actors exfiltrate data and encrypt files on the network. The actors leave a ransom note in each affected directory within a victim’s system, which provides instructions on how to purchase the decryption software. The ransom note also threatens to leak exfiltrated victim data on the Tor site, “HiveLeaks.”
Since June 2021 the Hive ransomware has affected at least 28 organizations, including Memorial Health, and its behavior matches most ransomware we track. We extracted the tactics, techniques, and procedures (TTPs) described in the alert and mapped them to MITRE ATT&CK:
Initial Access
T1566 - Phishing
Execution
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1047 - Windows Management Instrumentation
Defense Evasion
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1562.001 - Impair Defenses: Disable or Modify Tools
Collection
T1074.001 - Data Staged: Local Data Staging
T1560 - Archive Collected Data
Exfiltration
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
Impact
T1486 - Data Encrypted for Impact
T1489 - Service Stop
T1490 - Inhibit System Recovery
T1491.001 - Defacement: Internal Defacement
Adversary Emulation Plan
The FBI alert provided some procedures, which are always welcome from Cyber Threat Intelligence providers because procedures are what an emulation plan actually executes. We packaged the plan and shared it in our Community Threats GitHub. Because this threat is destructive, we added a note:
Note this threat, if executed with administrative privileges, will disable services, delete Volume Shadow Copies, delete Windows Event Logs, and modify the boot configuration. For testing purposes, you may want to test in non-production, make an offline backup, and/or take a snapshot first.
To execute with SCYTHE:
Download and import the threat in JSON format to your SCYTHE instance
Download the Virtual File System (VFS) files under the VFS folder
Upload the VFS files to your SCYTHE VFS in the following location: VFS:/shared/Hive
Create a new campaign, selecting HTTPS, and configure your HTTPS communication options.
Import from Existing Threat: Hive
Launch Campaign
Download the EXE and rename it to Winlo_dump_64_SCY.exe
To execute this attack chain manually, you can open an elevated command line interface and run:
Of course the manual method covers only the command-line procedures and leaves out a number of the TTPs that make the emulation realistic. If you use SCYTHE, you will see the client have its data exfiltrated and encrypted, a Hive key file written, and the ransom note opened on the desktop.
Detect & Respond
Like most ransomware, you will want to detect and respond to the attack “left of boom,” where boom is exfiltration and encryption. Most ransomware is very noisy before that point. Here are some items to consider detecting so you can respond to Hive ransomware before boom:
Detecting Command and Control is an area where most Endpoint Detection and Response (EDR) solutions fall short. Consider Network Detection and Response (NDR) solutions for this use case, since C2 is present in most attacks.
Detect privilege escalation attempts. Hive requires administrative privileges to stop services, delete Volume Shadow Copies, clear event logs, and modify the boot configuration.
Train your team to respond to alerts quickly as a way to limit impact.
For preventive controls, check out the recommendations in the FBI Alert.
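The following Python script is an added example, not code from this post, the FBI alert, or the SCYTHE emulation plan. It runs the “left of boom” idea over a handful of constructed process-creation records (the same fields Sysmon Event ID 1 or Security event 4688 would give you: time, host, user, integrity level, command line) and flags the pre-encryption behaviors listed above: stopping services (T1489), deleting Volume Shadow Copies and disabling boot recovery (T1490), and clearing Windows Event Logs (T1070.001). The command-line patterns (net/sc stop, vssadmin, wmic shadowcopy, bcdedit, wevtutil) are this example's assumption about how those behaviors are commonly performed on Windows, not indicators published in the alert; the log lines and host/service names are constructed.

```python
"""Added example: correlate noisy pre-encryption ransomware behaviors per host.

Not code from the SCYTHE post, the FBI alert, or the Hive emulation plan.
The command-line patterns below are an assumption about the usual Windows
built-ins for each behavior; the sample records are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Rule:
    technique: str          # MITRE ATT&CK ID from the mapping above
    name: str
    pattern: re.Pattern


RULES = (
    Rule("T1489", "service stopped from the command line",
         re.compile(r"\b(?:net1?|sc)(?:\.exe)?\s+stop\b", re.I)),
    Rule("T1490", "Volume Shadow Copies deleted",
         re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b"
                    r"|\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    Rule("T1490", "boot recovery disabled",
         re.compile(r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no"
                    r"|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    Rule("T1070.001", "Windows Event Log cleared",
         re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)),
)

# Constructed records: time|host|user|integrity level|command line.
# WS01 shows a pre-encryption chain; WS02 shows benign admin activity.
SAMPLE_LOG = r"""
2021-09-02T10:00:01|WS01|CORP\alice|Medium|C:\Windows\System32\net.exe view \\FILESRV01
2021-09-02T10:01:12|WS01|CORP\alice|High|C:\Windows\System32\net.exe stop BackupAgentSvc
2021-09-02T10:01:20|WS01|CORP\alice|High|C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
2021-09-02T10:01:25|WS01|CORP\alice|High|C:\Windows\System32\wbem\wmic.exe shadowcopy delete
2021-09-02T10:01:31|WS01|CORP\alice|High|C:\Windows\System32\bcdedit.exe /set {default} recoveryenabled no
2021-09-02T10:01:40|WS01|CORP\alice|High|C:\Windows\System32\wevtutil.exe cl system
2021-09-02T09:50:00|WS02|CORP\bob|Medium|C:\Windows\System32\notepad.exe C:\Users\bob\notes.txt
2021-09-02T11:30:00|WS02|CORP\itadmin|High|C:\Windows\System32\wevtutil.exe cl Application
"""


def parse_line(line: str) -> dict:
    """Split one pipe-delimited process-creation record into fields."""
    ts, host, user, integrity, cmdline = line.split("|", 4)
    return {"time": datetime.fromisoformat(ts), "host": host, "user": user,
            "integrity": integrity, "cmdline": cmdline}


def match_rules(cmdline: str) -> list:
    """Return every rule whose pattern appears in the command line."""
    return [r for r in RULES if r.pattern.search(cmdline)]


def analyze(log_text: str, window: timedelta = timedelta(minutes=10),
            min_techniques: int = 2):
    """Return (findings, alerts).

    findings: one entry per matching record.
    alerts:   host -> summary when at least `min_techniques` distinct
              techniques fire on that host inside `window`. A single
              match (an admin clearing one log) is not enough to alert.
    """
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        for rule in match_rules(ev["cmdline"]):
            findings.append({**ev, "technique": rule.technique, "name": rule.name,
                             # Hive needs admin rights for these steps (see above)
                             "elevated": ev["integrity"] in ("High", "System")})

    by_host = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append(f)

    alerts = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda f: f["time"])
        for i, first in enumerate(hits):
            cluster = [h for h in hits[i:] if h["time"] - first["time"] <= window]
            techniques = {h["technique"] for h in cluster}
            if len(techniques) >= min_techniques:
                alerts[host] = {"start": first["time"], "end": cluster[-1]["time"],
                                "techniques": techniques,
                                "elevated": any(h["elevated"] for h in cluster)}
                break
    return findings, alerts


if __name__ == "__main__":
    found, alerted = analyze(SAMPLE_LOG)
    for f in found:
        print(f"{f['time']} {f['host']} {f['technique']} {f['name']}: {f['cmdline']}")
    for host, a in alerted.items():
        print(f"ALERT {host}: {sorted(a['techniques'])} between {a['start']} "
              f"and {a['end']} (elevated={a['elevated']})")
```

Each individual rule is noisy on its own: administrators stop services and clear logs too, which is why WS02 produces a finding but no alert. What makes the detection actionable is the correlation of several distinct pre-encryption techniques on one host within a short window, run from an elevated process, which is exactly the privilege-escalation angle noted above. In production, replace the constructed records with the CommandLine and IntegrityLevel fields from your Sysmon or Security event pipeline.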
Conclusion
You can use SCYTHE to emulate the Hive ransomware described in the recent FBI Flash Alert in order to attack, detect, and respond to adversary behaviors. As ransomware evolves, the indicators of compromise will change, leaving you in a reactive rather than a proactive stance if you rely on them alone. In this post, we took the FBI alert, extracted the tactics, techniques, and procedures (TTPs), and mapped them to MITRE ATT&CK. We then created and shared the Hive ransomware emulation plan, which you can import into SCYTHE to test your people, process, and technology. If you are not a SCYTHE customer or would like help running an adversary emulation, let us know.
This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.