Hackers Behind Hive Ransomware

The FBI recently asserted that there have been thousands of companies have been targeted by the notorious Hive ransomware gang since June 2021. 

During that time frame, the operators of the Hive ransomware gang extorted a total sum of approximately $100 million. 

As a result of the Hive gang’s offensive operation, victims will be exposed to additional ransomware payloads on their networks which will cause further damage to them.

Approximately US$100 million in ransom payments have been collected by Hive ransomware actors as of November 2022, and they collected this hefty amount from more than 1,300 companies globally.

EHA

Moreover, when the victim organizations have restored their networks without paying any ransom for the restoration of their networks, hive actors have been known to reinfect the networks of these organizations again.

Critical Organization Targeted

There are many organizations from a wide range of sectors and industries listed as victims of this attack in addition to a number of critical infrastructure sectors. There are several victims listed in the victim list, including:-

  • Government facilities
  • Communications
  • Information technology
  • Healthcare entities
  • Public Health (HPH) entities

Platforms Targeted by Ransomware Gang

There has been a disclosure of this in connection with a joint advisory issued with these two organizations:- 

  • Cybersecurity and Infrastructure Security Agency (CISA)
  • Department of Health and Human Services (HHS)

The joint advisory released by the FBI in its investigation of Hive ransomware attacks includes the Hive IOCs and TTPs that were employed by the operators.

In order to penetrate a network, the affiliate targeting the network determines the manner in which the intrusion takes place. Actors of the Hive have exploited solitary authentication to gain access to victims’ networks and to do so, they have abused the following mediums:- 

  • Remote Desktop Protocol (RDP)
  • Virtual private networks (VPNs)
  • Other remote network connection protocols

There have been instances when Hive actors have managed to circumvent MFA and gain access to FortiOS servers in this manner.

A number of vulnerabilities in Microsoft Exchange servers have also been exploited by Hive actors to gain access to victim networks.

  • CVE-2021-31207 – Microsoft Exchange Server Security Feature Bypass Vulnerability
  • CVE-2021-34473 – Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-34523 – Microsoft Exchange Server Privilege Escalation Vulnerability

It has also been noted that Hive ransomware is also capable of infecting the following platforms apart from Windows:-

  • Linux
  • VMware ESXi
  • FreeBSD

Here below is the ransom note used by the threat actors:-

Mitigations

It is recommended that organizations follow these mitigations as recommended by the FBI, CISA, and HHS:-

  • The network must be verified to be no longer accessible by Hive actors.
  • Once an operating system, software, and firmware update has been released, it is important to install it immediately. 
  • The data should be backed up offline regularly, and backups and restorations of the data must be performed on a regular basis.
  • It is essential to encrypt all backup data before saving it.
  • Ensure that PowerShell logging is enabled.
  • It is recommended that you install an enhanced monitoring tool.
  • It is essential to isolate the system that is infected.
  • You should turn off any other computers or devices that are not in use.
  • Backups should be secured in order to prevent data loss.

Azure Active Directory Security – Download Free E-Book

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.