Technical Details for Recent Hive Ransomware Activity

The prolific Hive ransomware continues to compromise organizations across global regions and industries using sophisticated tactics.
Hacker working at computer terminal
Share on twitter
Share on linkedin

Context

The Hive ransomware variant has been extremely active in the past year. The ransomware was originally discovered in June of 2021, and reportedly is responsible for more than 300 compromises since September 2021. The FBI released a notice warning the public of the threat in August 2021 after Hive ransomware compromised dozens of medical facilities. This campaign against healthcare targets continues to the present day.

The Hive ransomware group is known to:

  • leverage common vulnerabilities.
  • use double extortion practices against targets.
  • specifically target Linux servers.
  • leak data from targets that refuse to pay on their public “HiveLeaks” blog.
  • provide faulty decryption tools to targets that do pay their ransom.

In a recent report, Varonis outlined the following process for Hive ransomware attacks leveraging Proxyshell vulnerabilities in Microsoft Exchange servers:

  1. Hive exploited ProxyShell vulnerabilities in Exchange servers, then placed a malicious backdoor script called webshell in a public directory on the server.
  2. The PowerShell cod downloaded stagers from a remote command and control (C2) server associated with Cobalt Strike.
  3. Using system permissions, Hive created a new system administrator account named “user” and began the credential dumping stage with Mimikatz.
  4. Hive then stole the admin NTLM hash to use in a Pass-the-Hash attack to hijack the domain admin account.
  5. Hive conducted network discovery activity such as searching for password files, dropping network scanners, and collecting IP addresses and device names
  6. Hive delivered the custom payload titled “Windows[.]exe” which executed on several devices, encrypting devices and files, and displaying a plain text ransomware note for victims.

Sector Impact

Since it emerged, Hive has been a prolific ransomware entity across multiple industries and global regions. Argentina, Brazil, the United States, Thailand, and Italy are reportedly the most common countries targeted with Hive ransomware, with some of the most commonly targeted industries being healthcare, technology, finance, retail, materials, travel, apparel, and telecommunications.

Many RH-ISAC members operate directly in or work closely with suppliers that fall into one or more of these categories. As such, members should remain vigilant about Hive activity, as well as technical details that emerge about the ransomware strain. The best protections against Hive include cybersecurity fundamentals such as regular audits, configuration checks, patches and updates, and updated policy and plans.

IOCs

The following IOCs were provided by Varonis, SentinelONE, and TrendMicro: 

Domains  IPs  File Names  Hashes 
service-kibkxcw1-1305343709[.]bj[.]apigw[.]tencentcs[.]com:80  139[.]60[.]161[.]228  Windows[.]exe  6c9ad4e67032301a61a9897377d9cff8  
service-5inxpk6g-1304905614[.]gz[.]apigw[.]tencentcs[.]com  139[.]60[.]161[.]56  Mimikatz[.]exe  655979d56e874fbe7561bb1b6e512316c25cbb19 
  91[.]208[.]52[.]149  advanced_port_scanner_2[.]5[.]3869[.]exe  6a58b52b184715583cda792b56a0a1ed  
  185[.]70[.]184[.]8  advanced port scanner[.]exe  3477a173e2c1005a81d042802ab0f22cc12a4d55 
  103[.]146[.]179[.]89  scan[.]exe  4fdabe571b66ceec3448939bfb3ffcd1  
  103[.]146[.]179[.]89  p[.]bat  763499b37aacd317e7d2f512872f9ed719aacae1 
  1[.]15[.]80[.]102  Webshell 1  bb7c575e798ff5243b5014777253635d  
  175[.]178[.]62[.]140  Webshell 2  2146f04728fe93c393a74331b76799ea8fe0269f 
  84[.]32[.]188[.]238  main[.]py  5e1575c221f8826ce55ac2696cf1cf0b  
    xxx[.]exe  ecf794599c5a813f31f0468aecd5662c5029b5c4 
    zzz[.]exe  d46104947d8478030e8bcfcc74f2aef7  
    xxx[.]000  d1ef9f484f10d12345c41d6b9fca8ee0efa29b60 
    mmm[.]exe  2401f681b4722965f82a3d8199a134ed  
    windows[.]exe  2aee699780f06857bb0fb9c0f73e33d1ac87a385 
    linux  d83df37d263fc9201aa4d98ace9ab57efbb90922 
    C:\ProgramData\nds[.]dll/nds[.]dll  49fa346b81f5470e730219e9ed8ec9db8dd3a7fa 
    791251-1632642588[.]exe  fa8795e9a9eb5040842f616119c5ab3153ad71c8 
    %SYSTEMROOT%\Temp\xxx[.]exe  6b5036bd273d9bd4353905107755416e7a37c441 
    c:\Users\Public\Music\lapress_32[.]exe  8a4408e4d78851bd6ee8d0249768c4d75c5c5f48 
    Bk74AE[.]tmp/PCHunter64[.]exe  49fa346b81f5470e730219e9ed8ec9db8dd3a7fa 
    gmer[.]exe  6e91cea0ec671cde7316df3d39ba6ea6464e60d9 
    %SYSTEMROOT%\winlo[.]exe  24c862dc2f67383719460f692722ac91a4ed5a3b 
    ac[.]exe  415dc50927f9cb3dcd9256aef91152bf43b59072 
    7zip[.]exe  2ded066d20c6d64bdaf4919d42a9ac27a8e6f174 
    psexec  27b5d056a789bcc85788dc2e0cc338ff82c57133 
      065de95947fac84003fd1fb9a74123238fdbe37d81ff4bd2bff6e9594aad6d8b 
      0809e0be008cb54964e4e7bda42a845a4c618868a1e09cb0250210125c453e65 
      12d2d3242dab3deca29e5b31e8a8998f2a62cea29592e3d2ab952fcc61b02088 
      130c062e45d3c35ae801eb1140cbf765f350ea91f3d884b8a77ca0059d2a3c54 
      39629dc6dc52135cad1d9d6e70e257aa0e55bd0d12da01338306fbef9a738e6b 
      5086cc3e871cf99066421010add9d59d321d76ca5a406860497faedbb4453c28 
      56c5403e2afe4df8e7f98fd89b0099d0e2f869386759f571de9a807538bad027 
      60cfce921a457063569553d9d43c2618f0b1a9ab364deb7e2408a325e3af2f6f 
      6240193f7c84723278b9b5e682b0928d4faf22d222a7aa84556c8ee692b954b0 
      6a222453b7b3725dcf5a98e746f809e02af3a1bd42215b8a0d606c7ce34b6b2b 
      6bdd253f408a09225dee60cc1d92498dac026793fdf2c5c332163c68d0b44efd 
      9c90c72367526c798815a9b8d58520704dc5e9052c41d30992a3eb13b6c3dd94 
      9cd407ea116da2cda99f7f081c9d39de0252ecd8426e6a4c41481d9113aa523e 
      a586efbe8c627f9bb618341e5a1e1cb119a6feb7768be076d056abb21cc3db66 
      c384021f8a68462348d89f3f7251e3483a58343577e15907b5146cbd4fa4bd53 
      c76671a06fd6dd386af102cf2563386060f870aa8730df0b51b72e79650e5071 
      e452371750be3b7c88804ea5320bd6a2ac0a7d2c424b53a39a2da3169e2069e9 
      e9bb47f5587b68cd725ab4482ad7538e1a046dd41409661b60acc3e3f177e8c4 
      e9da9b5e8ebf0b5d2ea74480e2cdbd591d82cd0bdccbdbe953a57bb5612379b0 
      efbdb34f208faeaebf62ef11c026ff877fda4ab8ab31e99b29ff877beb4d4d2b 
      f248488eedafbeeb91a6cfcc11f022d8c476bd53083ac26180ec5833e719b844 
      e61ecd6f2f8c4ba8c6f135505005cc867e1eea7478a1cbb1b2daf22de25f36ce 
      f07a3c6d9ec3aeae5d51638a1067dda23642f702a7ba86fc3df23f0397047f69 
      7667d0e90b583da8c2964ba6ca2d3f44dd46b75a434dc2b467249cd16bf439a0 
      75244059f912d6d35ddda061a704ef3274aaa7fae41fdea2efc149eba2b742b3 
      7e8dd90b84b06fabd9e5290af04c4432da86e631ab6678a8726361fb45bece58 
      fd3e7d0f6a31b821604707ef99da281e4fd7d11c7804e46eeed11f66b200a391 
      321d0c4f1bbb44c53cd02186107a18b7a44c840a9a5f0a78bdac06868136b72c 
      be1565961e123f52e54e350e0ca2666f8ffa42fdc46df18dca6f7c0ac2b43d23 
      3ec89b737c5b91eb9da0a2d9c6c1f0e637087b4552e26806d959c11f8f06e96f 
      1e21c8e27a97de1796ca47a9613477cf7aec335a783469c5ca3a09d4f07db0ff 
      fdbc66ebe7af710e15946e1541e2e81ddfd62aa3b35339288a9a244fb56a74cf 
      c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11 
      88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1 
      a0b4e3d7e4cd20d25ad2f92be954b95eea44f8f1944118a3194295c5677db749 
      5954558d43884da2c7902ddf89c0cf7cd5bf162d6feefe5ce7d15b16767a27e5 
      77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618 
      612e5ffd09ca30ca9488d802594efb5d41c360f7a439df4ae09b14bce45575ec 
      a290ce75c6c6b37af077b72dc9c2c347a2eede4fafa6551387fa8469539409c7 
      977b2ce598bd6518913fe216d1139c041e159a6510cd71a6a14a49570c1019be 
      e8a3e804a96c716a3e9b69195db6ffb0d33e2433af871e4d4e1eab3097237173 
      d1aa0ceb01cca76a88f9ee0c5817d24e7a15ad40768430373ae3009a619e2691 
      8f3c5f9cd657e3785d751305023cf83a7f27780d5441817614d442e28dbe3ac4 
      c367ab50c1f103963da0f0404eeda46c9e768711797d638afa1c4cf740575613 
      fdbc66ebe7af710e15946e1541e2e81ddfd62aa3b35339288a9a244fb56a74cf 
      ed614cba30f26f90815c28e189340843fab0fe7ebe71bb9b4a3cb7c78ff8e3d2 
      1e21c8e27a97de1796ca47a9613477cf7aec335a783469c5ca3a09d4f07db0ff 
      fdbc66ebe7af710e15946e1541e2e81ddfd62aa3b35339288a9a244fb56a74cf 
      c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11 
      a0b4e3d7e4cd20d25ad2f92be954b95eea44f8f1944118a3194295c5677db749 
      5954558d43884da2c7902ddf89c0cf7cd5bf162d6feefe5ce7d15b16767a27e5 
      77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618 
      e514be3e997895c7e3ece03549c8cb6b5700fe8f814948ed201ca59daa8733fb 
      7b7f13ab85bc78849e04a5589c84f0ec1847460106c03ca3db84703c7af054f3 
      bdf3d5f4f1b7c90dfc526340e917da9e188f04238e772049b2a97b4f88f711e3 
      6983ef6e484c0c70356d6f868ac03bc90a1055560642706743511f76aa6f28ad 
      6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0 
      5d95bf2518918422a6cac03f90548f02a5848dbc43836868636b61d0a87ed968 
      47006ed84afb1f1fd761b81f3ae7b6547c0cb4845538301035e1388693fc6f7f 
      25793a0764a51b38806b7dcf5f5d8df9620f090f72362aa03187c8813e054482 
      7b7f13ab85bc78849e04a5589c84f0ec1847460106c03ca3db84703c7af054f3 
      5d95bf2518918422a6cac03f90548f02a5848dbc43836868636b61d0a87ed968 
      d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac 
      5d95bf2518918422a6cac03f90548f02a5848dbc43836868636b61d0a87ed968 
      bd6d8f7c9e016dd7395ee7f0f8485de622a9b034b7c5d2e1af25cb762dd8d8c9 
      0e8e6fc94e6eb17cfd8993b3dcfd9acd11ee32f1b4e956df3097ae3259be4f9c 
      875708f911752bef7e2ef0658d395ebeccef774d5fdb74f6e9ee60b52d86cbf0 
      5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584 
      baa7a6e5a093ee6be47eca86e5acbcba196c7d1d35662eecad23ec870702116a 
      a2ad0442cebe3e6abb86069a3b66b471b4a7c9d00286da4b8114d17a849128d6 
      321d0c4f1bbb44c53cd02186107a18b7a44c840a9a5f0a78bdac06868136b72c 
      6bd3adc7e43e20ede1a82ad1469cc7ecd085b324621edbd4ec23db4e4473895f 

Yara Rules

The following Yara rules were provided by SentenalOne:

import “pe”

 

rule IPfuscatedCobaltStrike

{

meta:

description = “IPfuscated Cobalt Strike shellcode”

author = “James Haughom @ SentinelLabs”

date = “2022-3-24”

hash = “49fa346b81f5470e730219e9ed8ec9db8dd3a7fa”

reference = “https://s1.ai/ipfuscation”

 

strings:

/*

This rule will detect IPfuscated Cobalt Strike shellcode

in PEs.

 

For example:

IPfuscated | binary representation | instruction

++++++++++++++++++++++++++++++++++++++++++++++++++++++

“252.72.131.228” | 0xE48348FC | CLD …

“240.232.200.0” | 0xC8E8F0 | CALL …

*/

$ipfuscated_payload_1 = “252.72.131.228”

$ipfuscated_payload_2 = “240.232.200.0”

$ipfuscated_payload_3 = “0.0.65.81”

$ipfuscated_payload_4 = “65.80.82.81”

$ipfuscated_payload_5 = “86.72.49.210”

$ipfuscated_payload_6 = “101.72.139.82”

$ipfuscated_payload_7 = “96.72.139.82”

$ipfuscated_payload_8 = “24.72.139.82”

$ipfuscated_payload_9 = “32.72.139.114”

$ipfuscated_payload_10 = “80.72.15.183”

$ipfuscated_payload_11 = “74.74.77.49”

$ipfuscated_payload_12 = “201.72.49.192”

$ipfuscated_payload_13 = “172.60.97.124”

$ipfuscated_payload_14 = “2.44.32.65”

$ipfuscated_payload_15 = “193.201.13.65”

$ipfuscated_payload_16 = “1.193.226.237”

$ipfuscated_payload_17 = “82.65.81.72”

$ipfuscated_payload_18 = “139.82.32.139”

$ipfuscated_payload_19 = “66.60.72.1”

$ipfuscated_payload_20 = “208.102.129.120”

 

condition:

// sample is a PE

uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and

5 of ($ipfuscated_payload_*)

}

 

rule IPfuscationEnumUILanguages

{

meta:

description = “IPfuscation with execution via EnumUILanguagesA”

author = “James Haughom @ SentinelLabs”

date = “2022-3-24”

hash = “49fa346b81f5470e730219e9ed8ec9db8dd3a7fa”

reference = “https://s1.ai/ipfuscation”

 

strings:

// hardcoded error string in IPfuscated samples

$err_msg = “ERROR!”

 

condition:

// sample is a PE

uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and

$err_msg and

// IPfuscation deobfuscation

pe.imports(“ntdll.dll”, “RtlIpv4StringToAddressA”) and

// shellcode execution

pe.imports (“kernel32.dll”, “EnumUILanguagesA”)

}

 

rule IPfuscationHellsGate

{

meta:

description = “IPfuscation with execution via Hell’s Gate”

author = “James Haughom @ SentinelLabs”

date = “2022-3-24”

hash = “d83df37d263fc9201aa4d98ace9ab57efbb90922”

reference = “https://s1.ai/ipfuscation”

 

strings:

$err_msg = “ERROR!”

 

/*

Hell’s Gate / direct SYSCALLs for calling system routines

 

4C 8B D1 mov r10, rcx

8B 05 36 2F 00 00 mov eax, cs:dword_140005000

0F 05 syscall

C3 retn

*/

$syscall = { 4C 8B D1 8B 05 ?? ?? 00 00 0F 05 C3 }

 

/*

SYSCALL codes are stored in global variable

 

C7 05 46 2F 00 00 00 00 00 00 mov cs:dword_140005000, 0

89 0D 40 2F 00 00 mov cs:dword_140005000, ecx

C3 retn

*/

$set_syscall_code = {C7 05 ?? ?? 00 00 00 00 00 00 89 0D ?? ?? 00 00 C3}

 

condition:

// sample is a PE

uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and

all of them and

// IPfuscation deobfuscation

pe.imports(“ntdll.dll”, “RtlIpv4StringToAddressA”)

}

 

rule IPfuscatedVariants

{

meta:

author = “@Tera0017/@SentinelOne”

description = “*fuscation variants”

date = “2022-3-28”

hash = “2ded066d20c6d64bdaf4919d42a9ac27a8e6f174”

reference = “https://s1.ai/ipfuscation”

 

strings:

// x64 Heap Create/Alloc shellcode

$code1 = {33 D2 48 8B [2-3] FF 15 [4] 3D 0D 00 00 C0}

// x64 RtlIpv4StringToAddressA to shellcode

$code2 = {B9 00 00 04 00 FF [9] 41 B8 00 00 10 00}

 

condition:

any of them

}

More Recent Blog Posts