Tactics of the Hive ransomware network and the critical role of DNS in mitigation

After almost a year of covert activity, the Federal Bureau of Investigation (FBI) has shut down the Hive ransomware threat actors. In essence, the FBI has successfully hacked the hackers. Working in conjunction with law enforcement partners in Europe, all of the Hive services and websites were shut down.

As it turns out, the FBI covertly infiltrated the Hive network and stopped over $130 million in ransom demand activity which was active. Since approximately late in July, 2022, the FBI compromised and penetrated the Hive computer networks, captured their decryption keys and then, in turn, offered these encryption keys to victims worldwide. Over 300 decryption keys have been distributed to Hive victims currently under attack and 1,000 additional decryption keys went to previous Hive victims.

And it’s not a moment too soon. Major institutions have been getting pummeled by data breaches due to ransomware and often suffer losses that run into the many millions of dollars. This is all due to malicious threat actors like those that run the Hive network. The Hive ransomware group has targeted more than 1,500 victims around the world and received over $100 million in ransom payments since June 2021. Victims of Hive’s malicious operations have included India’s Tata Power, Costa Rica’s public health organization, German retail giant Media Markt, Indonesia’s state gas energy company, and several US hospital groups.

During a news conference the FBI Director Christopher Wray said the operation to dismantle Hive’s infrastructure was done in coordination with partners in Germany, the Netherlands, and Europol. In conjunction with partners the FBI took down Hive’s servers and websites. US officials have not revealed additional data about the Hive threat actors or whether any arrests are pending as the investigation continues. But the FBI Director noted that, “anyone involved with Hive should be concerned.”

Hive operated as a ransomware service, allowing anyone to hire its software and services to hack into and lock down a target’s IT systems and process payments. Hive and the client would then share the profits from the extortion. The hackers would demand large payments, often in cryptocurrency, in exchange for freeing up the systems. If victims refused to pay, Hive would publish confidential internal files and documents on the internet.

Hive Ransomware tactics
Hive’s tactics, techniques, and procedures include:

Hive ransomware uses the RaaS model:
Hive uses a ransomware as a service (RaaS) model which involves developers, affiliates, and their administrators. RaaS is a subscription model (like commercial SaaS software) where the Hive threat actors develop the ransomware and a user interface that allows a relatively unsophisticated affiliate to use the ransomware against intended victims. For each successful ransom payment, the Hive affiliates receive 20% of the ransom amount.

Hive double extortion:
Hive threat actors use what is called a double extortion model. Prior to encrypting the victim’s system, the affiliate would steal sensitive data. Then the affiliate could seek a ransom for both the decryption key necessary to decrypt the victim’s system and their promise to not publish the stolen data. By targeting the most sensitive data in the victim’s system it would naturally increase the pressure to pay. Hive published the data of victims who do not pay on the Hive Leak Site.

Hive Initial access:
The threat actors may use various methods to gain initial access to a victim’s network, such as exploiting vulnerabilities in software, phishing emails, or using stolen credentials. Per the CISA alert on Hive, the technique used for the initial attack vector will depend on which of the affiliate organizations targets the victim’s network. Hive threat actors have used many different techniques that have gained initial access to victim networks by using single factor logins via Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote network connection protocols [T1133]. Hive threat actors have bypassed multifactor authentication (MFA) and gained access to FortiOS servers by exploiting Common Vulnerabilities and Exposures (CVE) CVE-2020-12812. This vulnerability enables a malicious cyber actor to log in without a prompt for the user’s second authentication factor (FortiToken) when the actor changes the case of the username. Hive threat actors have also gained initial access to victim networks by distributing phishing emails with malicious attachments and by exploiting vulnerabilities against Microsoft Exchange servers

Network reconnaissance:
Once inside the network threat actors will conduct reconnaissance to identify and map out the organization’s systems and data.

Lateral movement:
The threat actors move laterally as opportunity presents itself within the network to gain access to more systems and servers, and the data they contain. Hive terminates computer backup and restore, antivirus and antispyware, and file copying as a strategy to avoid anti-malware defenses.

Encryption process:
Once the data is identified, the threat actors will have the ransomware begin the encryption process. Hive saves encrypted files with a .hive extension and also creates batch files hive.bat and shadow.bat. These contain commands for the computer to delete the Hive executable, disc backup copies or snapshots, and the batch files. The goal of this activity is to reduce or eliminate forensic evidence. At this point Hive drops a ransom note, HOW_TO_DECRYPT.txt, into each affected directory. The ransom note explains that encrypted files are not decryptable without the master key, which is in the threat actors’ possession.

Ransom demand:
After encrypting the data, the Hive threat actors will demand a ransom payment in exchange for the decryption key. Further, in exchange for payment they will promise not to release the stolen data. The threat actors provide the login details for the TOR website that the victim can use to pay the ransom, and threaten to leak the victim’s sensitive data on the HiveLeaks TOR website. The threat actors also offered live chat on their TOR website, and sometimes have called the victims directly and demanded a payment in return for the master key. Payment deadlines have seemed to be in a range from approximately 2 to 6 days. On several occasions the threat actors lengthened the deadline after establishing communication with the targeted victim company.

Payment:
Bitcoin or a similar cryptocurrency are used for payment, and as such are normally difficult to impossible for law enforcement to trace.

Decryption and data recovery:
In theory, the victim obtains the decryption key after payment. Of course, there are no guarantees with most ransomware operators that the encryption key will work, or that the data will not be published. In some cases ransomware operators return and attempt to ransom the same organization for a 2nd time.

DNS Security is a Critical Part of Preventing Ransomware
DNS security must be a critical part of your ransomware strategy. Threat actors use DNS at one or more stages of the cyber kill chain. This is true for the ransomware they deploy, as well as other malware tools they use. DNS can be used during the reconnaissance phase when it is a targeted attack, or in the delivery phase as potential victims unknowingly make DNS queries for IP addresses involved in the attack.

The exploitation phase may involve DNS queries when the victim’s system is compromised and infected. DNS is also frequently used when an infected system checks in with the command and control (C&C) infrastructure. Using threat intelligence and analytics on your internal DNS can detect and block such malicious activity early before ransomware spreads or downloads the encryption software.