A Hive ransomware incident recently targeted an unspecified organization, leveraging vulnerabilities in Microsoft Exchange Server known as “ProxyShell” to conduct a swift attack that culminated in network encryption within 72 hours of initial compromise. This information was shared by Nadav Ovadia, a security researcher from Varonis, in a detailed post-mortem of the event.
First identified in June 2021, Hive operates under a ransomware-as-a-service (RaaS) model, a method increasingly favored by cybercriminals, allowing affiliates to deploy the sophisticated malware once they breach victim systems. In this instance, it appears that the attackers exploited known vulnerabilities tracked as CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473, primarily involving a combination of security feature bypass, privilege escalation, and remote code execution.
The flaws were addressed by Microsoft as part of its Patch Tuesday updates in April and May of 2021; however, this incident underscores the importance of timely patch management. By successfully exploiting these vulnerabilities, the attackers managed to install web shells on the affected servers. This enabled them to execute malicious PowerShell commands with SYSTEM privileges, create unauthorized administrator accounts, and hijack domain admin credentials for lateral movement within the network.
This attack involved the use of web shells downloaded from a public GitHub repository, cleverly renamed with a random assortment of characters to evade detection. The adversaries also employed an obfuscated PowerShell script linked to the Cobalt Strike framework to further enhance their control over the system.
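The renamed web shells described above are a good candidate for a simple filesystem triage check: a server-side script file dropped into an Exchange web directory whose name is a random string of letters and digits is unusual for a stock install. The following Python is an added example written for this article, not code from Varonis or from the incident write-up. The web-directory prefixes, the file list and the entropy threshold are assumptions chosen for illustration; the sample paths are constructed.

```python
import math
from collections import Counter
from pathlib import PureWindowsPath

# Directory fragments under which Exchange serves content over HTTP, so a dropped
# .aspx page there is reachable from outside. Assumed for this example, not taken
# from the write-up; extend the tuple for your own deployment.
WEB_ROOT_MARKERS = ("\\inetpub\\wwwroot\\", "\\FrontEnd\\HttpProxy\\")

# Server-side script extensions that IIS will execute rather than serve as static files.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx"}

# Constructed sample of file-creation events (hypothetical paths, not incident IoCs).
SAMPLE_PATHS = [
    r"C:\inetpub\wwwroot\aspnet_client\default.aspx",
    r"C:\inetpub\wwwroot\aspnet_client\Xh7qP2mZk4.aspx",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorFE.aspx",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\a8f3c2e1b9d0.aspx",
    r"C:\Users\alice\Documents\report_2021_q3.docx",
    r"C:\Temp\b4k7x9q2z1.aspx",
]


def shannon_entropy(text):
    """Bits of entropy per character; 3.0 means roughly eight equally likely symbols."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(stem, min_len=8, min_entropy=3.0):
    """Heuristic for a machine-generated name: long enough, mixes letters and digits,
    and has high character entropy. Thresholds are assumptions; tune on your own data."""
    if len(stem) < min_len:
        return False
    has_digit = any(ch.isdigit() for ch in stem)
    has_alpha = any(ch.isalpha() for ch in stem)
    return has_digit and has_alpha and shannon_entropy(stem) >= min_entropy


def find_suspicious_webshell_names(paths):
    """Return the paths that are executable script files, sit in a web-served
    directory, and carry a random-looking file name."""
    flagged = []
    for raw in paths:
        p = PureWindowsPath(raw)
        if p.suffix.lower() not in SCRIPT_EXTENSIONS:
            continue
        if not any(marker.lower() in raw.lower() for marker in WEB_ROOT_MARKERS):
            continue
        if looks_random(p.stem):
            flagged.append(raw)
    return flagged


if __name__ == "__main__":
    for path in find_suspicious_webshell_names(SAMPLE_PATHS):
        print("review:", path)
```

The check is a triage aid, not a verdict: a random name alone proves nothing, and a web shell can just as well be given an innocuous name. Pair it with file-creation timestamps and the IIS request logs for the same path, and treat any hit on an Exchange server that was unpatched during the relevant window as worth a manual look.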
Following the establishment of this foothold, the attackers systematically scanned the network for sensitive files before deploying a Golang-based ransomware executable, dubbed “Windows.exe,” which initiated the encryption process and subsequently displayed a ransom note to the victim.
To evade detection and hinder recovery efforts, the ransomware was programmed to delete shadow copies, disable security protocols, and erase Windows event logs. These actions illustrate a typical adversarial approach that aligns with several tactics outlined in the MITRE ATT&CK framework, including initial access via exploitation of software vulnerabilities, lateral movement, and data encryption for ransom.
This incident reaffirms the critical necessity of patch management and underscores the continued threat posed by ransomware, which has escalated in frequency and sophistication. Ovadia emphasized the potential repercussions of such attacks on businesses, indicating not only financial loss but also enduring damage to reputations, disruption of operations, and the risk of sensitive data being permanently compromised.