Indicators of Compromise Associated with Hive Ransomware

Fortify Security Team
Sep 8, 2021
Hive ransomware, which was first observed in June 2021 and likely operates as an affiliate-based ransomware, employs a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation. Hive ransomware uses multiple mechanisms to compromise business networks, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol (RDP) to move laterally once on the network.

After compromising a victim network, Hive ransomware actors exfiltrate data and encrypt files on the network. The actors leave a ransom note in each affected directory within a victim’s system, which provides instructions on how to purchase the decryption software. The ransom note also threatens to leak exfiltrated victim data on the Tor site, “HiveLeaks.”

Technical Details

Hive ransomware seeks out processes related to backups, anti-virus/anti-spyware, and file copying and terminates them to facilitate file encryption. The encrypted files commonly end with a .hive extension. Hive then drops a hive.bat script into the directory, which enforces an execution timeout delay of one second in order to perform cleanup after the encryption is finished by deleting the Hive executable and the hive.bat script. A second file, shadow.bat, is dropped into the directory to delete shadow copies, including disk backup copies or snapshots, without notifying the victim; it then deletes the shadow.bat file itself. During the encryption process, encrypted files are renamed with the double final extension of *.key.hive or *.key.*.

The ransom note, “HOW_TO_DECRYPT.txt”, is dropped into each affected directory and states that the *key.* file cannot be modified, renamed, or deleted; otherwise the encrypted files cannot be recovered. The note contains a “sales department” link, accessible through a TOR browser, enabling victims to contact the actors through a live chat. Some victims reported receiving phone calls from Hive actors requesting payment for their files. The initial deadline for payment fluctuates between 2 and 6 days, but actors have prolonged the deadline in response to contact by the victim company. The ransom note also informs victims that a public disclosure or leak site, accessible on a TOR browser, contains data exfiltrated from victim companies who do not pay the ransom demand.

Indicators of Compromise

The following indicators were leveraged by the threat actors during Hive ransomware compromises. Some of these indicators might appear as applications within your enterprise supporting legitimate purposes; however, these applications can be used by threat actors to aid in further malicious exploration of your enterprise. The FBI recommends removing any application not deemed necessary for day-to-day operations.

Hive Tor Domain: http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion

Winlo.exe
MD5: b5045d802394f4560280a7404af69263
SHA256: 321d0c4f1bbb44c53cd02186107a18b7a44c840a9a5f0a78bdac06868136b72c
File Path Observed: C:\Windows\SysWOW64\winlo.exe
Description: Drops 7zG.exe

7zG.exe
MD5: 04FB3AE7F05C8BC333125972BA907398
Description: This is a legitimate 7zip, version 19.0.0
Drops Winlo_dump_64_SCY.exe

Winlo_dump_64_SCY.exe
MD5: BEE9BA70F36FF250B31A6FDF7FA8AFEB
Description: Encrypts files with *.key.* extension
Drops HOW_TO_DECRYPT.txt

HOW_TO_DECRYPT.txt
Description: Stops and disables Windows Defender

  • Deletes all Windows Defender definitions
  • Removes context menu for Windows Defender
  • Stops the following services and disables them from restarting:
      • LanmanWorkstation
      • SamSs
      • SDRSVC
      • SstpSVc
      • UI0Detect
      • Vmicvss
      • Vmss
      • VSS
      • Wbengine
      • Unistoresvc
  • Attempts to delete Volume Shadow Copies (vssadmin and wmic)
  • Deletes Windows Event Logs: System, Security, Application, and PowerShell
  • Uses notepad++ to create key file
  • Changes bootup to ignore errors and not attempt recovery
  • Drops PowerShell script

Other IOCs
*.key.hive
*.key.*
HOW_TO_DECRYPT.txt
hive.bat
shadow.bat
vssadmin.exe delete shadows /all /quiet
wmic.exe SHADOWCOPY /nointeractive
wmic.exe shadowcopy delete
wevtutil.exe cl system
wevtutil.exe cl security
wevtutil.exe cl application
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe /set {default} recoveryenabled no
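As an added defender-side example (not part of the FBI/Fortify advisory text), the Python below turns the command-line and file-name indicators from the "Other IOCs" list into a small matcher and runs it over constructed process-creation and file-creation telemetry. The JSON-lines schema, host names and file paths are assumptions made for the example.

```python
import json
import re

# Command-line indicators from the "Other IOCs" list above (case-insensitive,
# tolerant of a missing ".exe" and of variable whitespace).
COMMAND_IOCS = {
    "shadow_copy_deletion": [
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\s+/all\s+/quiet",
        r"\bwmic(\.exe)?\s+shadowcopy\s+(delete|/nointeractive)"],
    "event_log_clearing": [
        r"\bwevtutil(\.exe)?\s+cl\s+(system|security|application)\b"],
    "boot_recovery_tampering": [
        r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures",
        r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b"],
}
# File-name indicators from the same list.
FILE_IOCS = [r"[\\/]hive\.bat$", r"[\\/]shadow\.bat$", r"[\\/]HOW_TO_DECRYPT\.txt$", r"\.key\.hive$"]

def classify_command(cmdline):
    """Return the set of IOC categories a process command line matches."""
    return {cat for cat, pats in COMMAND_IOCS.items()
            if any(re.search(p, cmdline, re.IGNORECASE) for p in pats)}

def is_hive_file_artifact(path):
    """True if a created-file path matches one of the Hive file-name IOCs."""
    return any(re.search(p, path, re.IGNORECASE) for p in FILE_IOCS)

def scan_events(jsonl):
    """Map host -> sorted IOC categories seen in JSON-lines telemetry. Each line
    has "host", "type" ("process"|"file") and "cmd" or "path"; this schema is
    constructed for the example, not any product's real format."""
    hits = {}
    for line in filter(str.strip, jsonl.splitlines()):
        ev = json.loads(line)
        if ev["type"] == "process":
            cats = classify_command(ev["cmd"])
        else:
            cats = {"hive_file_artifact"} if is_hive_file_artifact(ev["path"]) else set()
        if cats:
            hits.setdefault(ev["host"], set()).update(cats)
    return {host: sorted(cats) for host, cats in hits.items()}

# Constructed sample telemetry (not from a real incident). The benign
# "vssadmin list shadows" on ws02 must not produce a hit.
SAMPLE = r"""
{"host": "ws01", "type": "process", "cmd": "vssadmin.exe delete shadows /all /quiet"}
{"host": "ws01", "type": "process", "cmd": "wevtutil.exe cl security"}
{"host": "ws01", "type": "file", "path": "C:\\Users\\alice\\Docs\\HOW_TO_DECRYPT.txt"}
{"host": "ws02", "type": "process", "cmd": "vssadmin list shadows"}
{"host": "ws02", "type": "process", "cmd": "bcdedit /set {default} recoveryenabled no"}
"""
```

A host that accumulates more than one category (shadow-copy deletion plus event-log clearing, for instance) is a much stronger signal than any single match, since each command also has routine administrative uses.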

Anonymous File Sharing Links
https://anonfiles.com
https://mega.nz
https://send.exploit.in
https://ufile.io
https://www.sendspace.com

Sample Ransom Note

Your network has been breached and all data were encrypted.
Personal data, financial reports and important documents are ready to disclose.

To decrypt all the data or to prevent exfiltrated files to be disclosed at
http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/
you will need to purchase our decryption software.

Please contact our sales department at:
REDACTED
Login: REDACTED
Password: REDACTED

To get access to .onion websites download and install Tor Browser at:

https://www.torproject.org/ (Tor Browser is not related to us)

Follow the guidelines below to avoid losing your data:
– Do not shutdown or reboot your computers, unmount external storages.
– Do not try to decrypt data using third party software. It may cause irreversible damage.
– Do not fool yourself. Encryption has perfect secrecy and it’s impossible to decrypt without knowing the key.
– Do not modify, rename or delete *.key.k6thw files. Your data will be undecryptable.
– Do not modify or rename encrypted files. You will lose them.
– Do not report to authorities. The negotiation process will be terminated immediately and the key will be erased.
– Do not reject to purchase. Your sensitive data will be publicly disclosed.
