Effective URL: https://www.microsoft.com/security/blog/2022/07/05/hive-ransomware-gets-upgrades-in-rust/
July 5, 2022 • 16 min read


HIVE RANSOMWARE GETS UPGRADES IN RUST

 * Microsoft Threat Intelligence Center (MSTIC)


Hive ransomware is only about one year old, having been first observed in June
2021, but it has grown into one of the most prevalent ransomware payloads in the
ransomware as a service (RaaS) ecosystem. With its latest variant carrying
several major upgrades, Hive also proves it’s one of the fastest evolving
ransomware families, exemplifying the continuously changing ransomware
ecosystem.

The upgrades in the latest variant are effectively an overhaul: the most notable
changes include a full code migration to another programming language and the
use of a more complex encryption method. The impact of these updates is
far-reaching, considering that Hive is a RaaS payload that Microsoft has
observed in attacks against organizations in the healthcare and software
industries by large ransomware affiliates like DEV-0237.

Microsoft Threat Intelligence Center (MSTIC) discovered the new variant while
analyzing detected Hive ransomware techniques for dropping .key files. We know
that Hive drops its encryption keys file, which contains encrypted keys used to
decrypt encrypted files, and uses a consistent naming pattern:

[KEY_NAME].key.[VICTIM_IDENTIFIER] 
(e.g., BiKtPupMjgyESaene0Ge5d0231uiKq1PFMFUEBNhAYv_.key.ab123)

The said .key files were missing the [VICTIM_IDENTIFIER] part of the file name,
prompting deeper analysis of the Hive ransomware that dropped them. This
analysis led to the discovery of the new Hive variant and its multiple versions,
which exhibit slightly different available parameters in the command line and
the executed processes.

Analyzing these patterns in samples of the new variants, we discovered even more
samples, all with a low detection rate and none being correctly identified as
Hive. In this blog we will share our in-depth analysis of the new Hive variant,
including its main features and upgrades, with the aim of equipping analysts and
defenders with information to better identify and protect organizations against
malware attacks relying on Hive.


ANALYSIS AND KEY FINDINGS


THE SWITCH FROM GOLANG TO RUST

The main difference between the new Hive variant and old ones is the programming
language used. The old variants were written in Go (also referred to as GoLang),
while the new Hive variant is written in Rust.

Hive isn’t the first ransomware written in Rust—BlackCat, another prevalent
ransomware, was the first. By switching the underlying code to Rust, Hive
benefits from the following advantages that Rust has over other programming
languages:

 * It offers memory, data type, and thread safety
 * It has deep control over low-level resources
 * It has a user-friendly syntax
 * It has several mechanisms for concurrency and parallelism, thus enabling fast
   and safe file encryption
 * It has a good variety of cryptographic libraries
 * It’s relatively more difficult to reverse-engineer


STRING ENCRYPTION

The new Hive variant uses string encryption that can make it more evasive.
Strings reside in the .rdata section and are decrypted during runtime by XORing
with constants. The constants that are used to decrypt the same string sometimes
differ across samples, making them an unreliable basis for detection.

For example, let’s look at the section where part of the string “!error no flag
-u <login>:<password> provided” is decrypted. In one sample (SHA-256:
f4a39820dbff47fa1b68f83f575bc98ed33858b02341c5c0464a49be4e6c76d3), the constants
are 0x9F2E3F1F and 0x95C9:

Figure 1 – String decryption using constants 0x9F2E3F1F and 0x95C9

In another sample (SHA-256:
6e5d49f604730ef4c05cfe3f64a7790242e71b4ecf1dc5109d32e811acf0b053), the constants
are 0x3ECF7CC4 and 0x198F:

Figure 2 – String decryption using constants 0x3ECF7CC4 and 0x198F

Some samples do share constants when decrypting the same string. For example,
let’s look where the parameter string “-da” is decrypted. In one sample
(SHA-256: 88b1d8a85bf9101bc336b01b9af4345ed91d3ec761554d167fe59f73af73f037), the
constants are 0x71B4 and 2:

Figure 3 – String decryption using constants 0x71B4 and 2

In another sample (SHA-256:
33744c420884adf582c46a4b74cbd9c145f2e15a036bb1e557e89d6fd428e724), the constants
are the same:

Figure 4 – String decryption in a different sample also using constants 0x71B4
and 2


COMMAND-LINE PARAMETERS

In old Hive variants, the username and the password used to access the Hive
ransom payment website are embedded in the samples. In the new variant, these
credentials must be supplied in the command line under the “-u” parameter, which
means that they can’t be obtained by analysts from the sample itself.

Figure 5 – Without a username and a password, the sample won’t continue its
execution

Like most modern ransomware, Hive introduces command-line parameters, which
allow attackers flexibility when running the payload by adding or removing
functionality. For example, an attacker can choose to encrypt files on remote
shares or local files only or select the minimum file size for encryption. In
the new Hive variant, we found the following parameters across different
samples:

Parameter and functionality:

 * -no-local: Don’t encrypt local files
 * -no-mounted: Don’t encrypt files on mounted network shares
 * -no-discovery: Don’t discover network shares
 * -local-only: Encrypt only local files
 * -network-only: Encrypt only files on network shares
 * -explicit-only: Encrypt specific folder(s). For example,
   ‘-explicit-only c:\mydocs c:\myphotos’
 * -min-size: Minimum file size, in bytes, to encrypt. For example,
   ‘-min-size 102400’ will encrypt files with size equal to or greater than 100kb
 * -da: [Usage is being analyzed.]
 * -f: [Usage is being analyzed.]
 * -force: [Usage is being analyzed.]
 * -wmi: [Usage is being analyzed.]

Overall, it appears different versions have different parameters that are
constantly updated. Unlike previous variants, which had a ‘help’ menu, the new
variant requires the attacker to know the parameters beforehand. Since all
strings are encrypted, finding the parameters is challenging for security
researchers.


STOPPED SERVICES AND PROCESSES

Like most sophisticated malware, Hive stops services and processes associated
with security solutions and other tools that might get in the way of its attack
chain. Hive tries to impersonate the process tokens of trustedinstaller.exe and
winlogon.exe so it can stop Microsoft Defender Antivirus, among other services.

Hive stops the following services:

windefend, msmpsvc, kavsvc, antivirservice, zhudongfungyu, vmm, vmwp, sql, sap, oracle, mepocs, veeam, backup, vss, msexchange, mysql, sophos, pdfservice, backupexec, gxblr, gxvss, gxclmgrs, gxvcd, gxcimgr, gxmmm, gxvsshwprov, gxfwd, sap, qbcfmonitorservice, qbidpservice, acronisagent, veeam, mvarmor, acrsch2svc

It also stops the following processes:

dbsnmp, dbeng50, bedbh, excel, encsvc, visios, firefox, isqlplussvc, mspub, mydesktopqos, notepad, ocautoupds, ocomm, ocssd, onenote, outlook, sqbcoreservice, sql, steam, tbirdconfig, thunderbird, winword, wordpad, xfssvccon, vxmon, benetns, bengien, pvlsvr, raw_agent_svc, cagservice, sap, qbidpservice, qbcfmonitorservice, teamviewer_service, teamviewer, tv_w32, tv_x64, cvd, saphostexec, sapstartsrv, avscc, dellsystemdetect, enterpriseclient, veeam, thebat, cvfwd, cvods, vsnapvss, msaccess, vaultsvc, beserver, appinfo, qbdmgrn, avagent, spooler, powerpnt, cvmountd, synctime, oracle, wscsvc, winmgmt, *sql*


LAUNCHED PROCESSES

As part of its ransomware activity, Hive typically runs processes that delete
backups and prevent recovery. There are differences between versions, and some
samples may not execute all these processes, but one sample that starts the most
processes is SHA-256:
481dc99903aa270d286f559b17194b1a25deca8a64a5ec4f13a066637900221e:

 * “vssadmin.exe delete shadows /all /quiet”
 * “wmic.exe shadowcopy delete”
 * “wbadmin.exe delete systemstatebackup”
 * “wbadmin.exe delete catalog -quiet”
 * “bcdedit.exe /set {default} recoveryenabled No”
 * “bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures”
 * “wbadmin.exe delete systemstatebackup -keepVersions:3”
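To turn the stopped-service list and the launched-process list above into a detection, here is an added example (not Microsoft's code) that scores constructed process-creation and service-stop records per host. The record layout, the per-host thresholds and the service subset are assumptions made for the example.

```python
import re
from collections import defaultdict

# Recovery-inhibition command lines listed in the blog, matched against a
# normalised command line (image basename without .exe, lower-case, single spaces).
RECOVERY_INHIBIT_PATTERNS = {
    "vssadmin_shadow_delete": re.compile(r"^vssadmin delete shadows\b"),
    "wmic_shadowcopy_delete": re.compile(r"^wmic shadowcopy delete\b"),
    "wbadmin_systemstate_delete": re.compile(r"^wbadmin delete systemstatebackup\b"),
    "wbadmin_catalog_delete": re.compile(r"^wbadmin delete catalog\b"),
    "bcdedit_recovery_disabled": re.compile(r"^bcdedit /set \{default\} recoveryenabled no\b"),
    "bcdedit_ignore_boot_failures": re.compile(
        r"^bcdedit /set \{default\} bootstatuspolicy ignoreallfailures\b"),
}

# Subset of the service names the blog lists Hive stopping (security, backup, database).
HIVE_STOPPED_SERVICES = frozenset({
    "windefend", "msmpsvc", "sophos", "kavsvc", "veeam", "backupexec",
    "vss", "acronisagent", "mysql", "msexchange", "oracle", "sql",
})


def normalize(cmdline):
    """Lower-case, collapse whitespace, drop quotes and the image's directory so
    '"C:\\Windows\\System32\\vssadmin.exe" Delete Shadows' normalises to
    'vssadmin delete shadows'."""
    s = " ".join(cmdline.replace('"', "").split()).lower()
    image, _, rest = s.partition(" ")
    image = image.rsplit("\\", 1)[-1]
    if image.endswith(".exe"):
        image = image[:-4]
    return f"{image} {rest}".strip()


def classify_command_line(cmdline):
    """Return the recovery-inhibition techniques a process command line matches."""
    norm = normalize(cmdline)
    return [name for name, pat in RECOVERY_INHIBIT_PATTERNS.items() if pat.search(norm)]


def score_hosts(events):
    """Aggregate events per host and flag hosts that show at least two distinct
    recovery-inhibition techniques, or one technique plus a stop of a service in
    the Hive list. The thresholds are this example's choice, not Microsoft's logic."""
    per_host = defaultdict(lambda: {"techniques": set(), "services": set()})
    for ev in events:
        agg = per_host[ev["host"]]
        if ev["kind"] == "process":
            agg["techniques"].update(classify_command_line(ev["cmdline"]))
        elif ev["kind"] == "service_stop":
            svc = ev["service"].lower()
            if svc in HIVE_STOPPED_SERVICES:
                agg["services"].add(svc)
    findings = {}
    for host, agg in per_host.items():
        techniques, services = len(agg["techniques"]), len(agg["services"])
        if techniques >= 2 or (techniques >= 1 and services >= 1):
            findings[host] = {"techniques": sorted(agg["techniques"]),
                              "services": sorted(agg["services"])}
    return findings


# Constructed telemetry. 'process' records carry a process-creation command line;
# 'service_stop' records carry the short service name as an EDR feed would report
# it (assumption: the Windows System log 7036 event text carries the display name
# instead, which would need mapping before matching against this list).
SAMPLE_EVENTS = [
    {"host": "ws01", "kind": "process",
     "cmdline": '"C:\\Windows\\System32\\vssadmin.exe" delete shadows /all /quiet'},
    {"host": "ws01", "kind": "process", "cmdline": "wbadmin.exe delete catalog -quiet"},
    {"host": "ws01", "kind": "process", "cmdline": "bcdedit.exe /set {default} recoveryenabled No"},
    {"host": "ws01", "kind": "service_stop", "service": "WinDefend"},
    # one retention clean-up plus a stop of a service outside the list: not flagged
    {"host": "srv02", "kind": "process",
     "cmdline": "wbadmin.exe delete systemstatebackup -keepVersions:3"},
    {"host": "srv02", "kind": "service_stop", "service": "Dhcp"},
    # the words appear only as an argument to another program: must not match
    {"host": "db03", "kind": "process", "cmdline": "notepad.exe C:\\temp\\vssadmin delete shadows.txt"},
]

if __name__ == "__main__":
    for host, finding in score_hosts(SAMPLE_EVENTS).items():
        print(host, finding)
```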


RANSOM NOTE

Hive’s ransom note has also changed, with the new version referencing the .key
files with their new file name convention and adding a sentence about virtual
machines (VMs).

The older variants had an embedded username and password (marked as hidden). In
the new variant, the username and password are taken from the command line
parameter -u and are labeled test_hive_username and test_hive_password.

Old ransom note text:

 Your network has been breached and all data were encrypted.
Personal data, financial reports and important documents are ready to disclose.
 
To decrypt all the data and to prevent exfiltrated files to be disclosed at 
http://hive[REDACTED].onion/
you will need to purchase our decryption software.
 
Please contact our sales department at:
 
   http://hive[REDACTED].onion/
  
      Login:    [REDACTED]
      Password: [REDACTED]
 
To get an access to .onion websites download and install Tor Browser at:
   https://www.torproject.org/ (Tor Browser is not related to us)
 
 
Follow the guidelines below to avoid losing your data:
 
- Do not modify, rename or delete *.key.abc12 files. Your data will be 
   undecryptable.
- Do not modify or rename encrypted files. You will lose them.
- Do not report to the Police, FBI, etc. They don't care about your business.
   They simply won't allow you to pay. As a result you will lose everything.
- Do not hire a recovery company. They can't decrypt without the key. 
   They also don't care about your business. They believe that they are 
   good negotiators, but it is not. They usually fail. So speak for yourself.
- Do not reject to purchase. Exfiltrated files will be publicly disclosed.

New ransom note text:

Your network has been breached and all data were encrypted.
Personal data, financial reports and important documents are ready to disclose.
 
To decrypt all the data and to prevent exfiltrated files to be disclosed at 
http://hive[REDACTED].onion/
you will need to purchase our decryption software.
 
Please contact our sales department at:
 
   http://hive[REDACTED].onion/
 
      Login:    test_hive_username
      Password: test_hive_password
 
To get an access to .onion websites download and install Tor Browser at:
   https://www.torproject.org/ (Tor Browser is not related to us)
 
 
Follow the guidelines below to avoid losing your data:
 
- Do not delete or reinstall VMs. There will be nothing to decrypt.
- Do not modify, rename or delete *.key files. Your data will be 
   undecryptable.
- Do not modify or rename encrypted files. You will lose them.
- Do not report to the Police, FBI, etc. They don't care about your business.
   They simply won't allow you to pay. As a result you will lose everything.
- Do not hire a recovery company. They can't decrypt without the key. 
   They also don't care about your business. They believe that they are 
   good negotiators, but it is not. They usually fail. So speak for yourself.
- Do not reject to purchase. Exfiltrated files will be publicly disclosed.



ENCRYPTION

The most interesting change in the Hive variant is its cryptography mechanism.
The new variant was first uploaded to VirusTotal on February 21, 2022, just a
few days after a group of researchers from Kookmin University in South Korea
published the paper “A Method for Decrypting Data Infected with Hive Ransomware”
on February 17, 2022. After a certain period of development, the new variant
first appeared in Microsoft threat data on February 22.

The new variant uses a different set of algorithms: Elliptic Curve
Diffie-Hellman (ECDH) with Curve25519 and XChaCha20-Poly1305 (authenticated
encryption with the ChaCha20 symmetric cipher).

A unique encryption approach

The new Hive variant uses a unique approach to file encryption. Instead of
embedding an encrypted key in each file that it encrypts, it generates two sets
of keys in memory, uses them to encrypt files, and then encrypts and writes the
sets to the root of the drive it encrypts, both with .key extension.

To indicate which keys set was used to encrypt a file, the name of the .key file
containing the corresponding encryption keys is added to the name of the
encrypted file on disk, followed by an underscore and then a Base64 string (also
adding underscore and hyphen to the character set). Once it’s Base64-decoded,
the string contains two offsets, with each offset pointing to a different
location in the corresponding .key file. This way, the attacker can decrypt the
file using these offsets.

For example, after running Hive, we got the following files dropped to the C:\
drive:

 * C:\3bcVwj6j.key
 * C:\l0Zn68cb.key

In this example, a file named myphoto.jpg would be renamed to
C:\myphoto.jpg.l0Zn68cb_-B82BhIaGhI8. As we discuss in the following sections,
the new variant’s keys set generation is entirely different from the old
variants’. However, its actual file encryption is very similar.

Keys set generation

A buffer of size 0xCFFF00 bytes is allocated and filled using two custom
functions that generate random bytes (labeled “random_num_gen” and
“random_num_gen_2” for demonstration purposes). The first 0xA00000 bytes of this
buffer are filled with random bytes, and the remaining 0x2FFF00 bytes are a copy
of the first 0x2FFF00 random bytes already placed in the buffer.

The content of each buffer is a keys set (a collection of symmetric keys). Since
two buffers are allocated, there are two keys sets. In the encryption process,
the malware randomly selects different keys (byte sequences) for each file from
one of the keys set and uses them to encrypt the file by XORing the byte
sequence of the keys with the file’s content.

Figure 6 – Original keys set generation

Figure 7 – Inside get_random_byte

A custom 64-byte hash is prepared for each keys set. This hash will be used
later.

Figure 8 – Preparing the custom hash of the keys set

After the hash is computed and several other strings are decrypted, the
encryption process takes the following steps:

 1. Generate victim_private_key using the same functions introduced above.

Figure 9 – Generating victim_private_key

 2. Generate victim_public_key using ECDH with Curve25519. The input is
    victim_private_key and the basepoint is 9 followed by 31 zeros (embedded in
    the sample).

Figure 10 – Generating victim_public_key

 3. Generate a 24-byte nonce for the XChaCha algorithm, used later in
    Poly1305-XChaCha20.

Figure 11 – Generating a 24-byte nonce

 4. Generate shared_secret using ECDH with Curve25519. The input is
    victim_private_key and hive_public_key. Then, the shared_secret (as a key)
    with hive_public_key (as a nonce) is used to derive the derived_key using
    ChaCha20.

Figure 12 – Generating shared_secret

 5. Encrypt the keys set using Poly1305-XChaCha20. The values used for the
    encryption are the keys set, derived_key, nonce, and the embedded associated
    data (AD). This function encrypts the keys set and adds a 16-byte
    authentication tag at the end of the buffer of the encrypted keys. It’s
    unclear if the authentication tag is ever checked.

Figure 13 – Encrypting the keys set

Now that the keys set is finally encrypted, the nonce, victim_public_key, the
now-encrypted keys set, and the authentication tag are copied to a new buffer,
one after another. This buffer (which we label encrypted_structure_1) is treated
as a new keys set, which is again encrypted using the same method described
above but with a second hive_public_key. This time, the function produces a new
nonce, a new victim_private_key, and so on; only the associated data is the same.

Finally, the new buffer, which contains the second_nonce,
second_victim_public_key, and the encrypted encrypted_structure_1, is written to
the root of the drive it’s encrypting (for example, C:\). The create_extension
function generates a Base64 string based on the first six bytes of the custom
hash that was created earlier. This Base64 string serves as the file name, and
the extension of the file is simply “.key”.

Figure 14 – Generating a Base64 string based on the first six bytes of the
custom hash

Figure 15 – Using the Base64 string as the file name

The diagram below illustrates the encryption scheme described above:

Figure 16 – The keys set encryption scheme of the new Hive variant

As seen in the diagram above, “Keys sets encryption flow” is executed twice. In
the first round it is executed with the original keys set as an input. In the
second round it is executed with the “encrypted structure 1” as an input. In its
second execution, all other input values are different except the AD (associated
data) and the Basepoint 9.

Hence, the following values are new in the second execution: victim_private_key,
victim_public_key, hive_public_key, nonce, shared_secret and derived_key.

File encryption

After both keys files are written to the disk, the multi-threaded file
encryption starts. Before encrypting each file, the malware checks its name and
extension against a list of strings. If there is a match, then the file will not
be encrypted. For example, a file with .exe extension will not be encrypted if
.exe is in the list of strings. It should be noted that this list is encrypted
and decrypted during runtime.

The same file encryption method seen in old variants is used in the new one: two
random numbers are generated and used as offsets to the keys set. Each offset is
four bytes:

Figure 17 – Generating the offsets

For the encryption, the file’s content is XORed with bytes from the keys set,
according to the offsets. The file bytes are XORed twice—once according to the
first offset and a second time according to the second offset. Files are
encrypted in blocks of 0x100000 bytes, with the maximum number of blocks at 100.
There is an interval between the encrypted blocks as defined by block_space.
After the encryption is finished in memory, the encrypted data is written to the
disk, overwriting the original file.

Figure 18 – Calculation of number of blocks

Figure 19 – Actual encryption of the file bytes

Figure 20 – Reading a file, encrypting it, and writing it back to the disk

Looking at the call to create_extension once file encryption has started, we
recognized a structure similar to the one in the previous variant:

Figure 21 – Creating the extension for the file

Let us look at the value (72 D7 A7 A3 F5 5B FF EF 21 6B 11 7C 2A 18 CD 00) at
the address held in the r9 register just before create_extension is called on a
file called EDBtmp.log:

Recall that in the older variants, 0xFF was used as a delimiter to separate the
key file name from the offset values. We can also see it here. Converting the
first six bytes (72 D7 A7 A3 F5 5B) to Base64 yields the following:

cteno/Vb

And if we step over create_extension, the result is similar—we get cteno_Vb as
the .key file name (note: since Hive uses a different Base64 character set, “/”
was replaced with “_”):
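As an added example (not from the blog or from Microsoft), the following Python applies the .key and encrypted-file naming conventions described in the encryption section above and the create_extension walkthrough: it triages a constructed directory listing for an incident responder and reproduces the cteno_Vb file stem from the six hash bytes shown. The regex shapes, the mapping of “+” to “-” and the sample file names other than those quoted from the blog are assumptions.

```python
import base64
import re
from collections import defaultdict

# Naming conventions taken from the blog. A new-variant .key stem is the Base64
# of the first six bytes of the keys-set hash, hence exactly eight characters.
OLD_KEY_FILE = re.compile(r"^(?P<key>[A-Za-z0-9_-]+)\.key\.(?P<victim>[A-Za-z0-9]+)$")
NEW_KEY_FILE = re.compile(r"^(?P<key>[A-Za-z0-9_-]{8})\.key$")
# Encrypted file: <original name>.<key file stem>_<Base64 suffix carrying the offsets>.
# The suffix is isolated but not decoded: the blog does not give the full alphabet.
ENCRYPTED_FILE = re.compile(r"^(?P<orig>.+)\.(?P<key>[A-Za-z0-9_-]{8})_(?P<suffix>[A-Za-z0-9_-]+)$")


def key_file_name(hash_prefix):
    """Derive the .key file stem from the first six bytes of the custom hash.
    The blog shows '/' becoming '_'; mapping '+' to '-' is an assumption based on
    the hyphen it says the character set adds."""
    if len(hash_prefix) != 6:
        raise ValueError("expected exactly six hash bytes")
    stem = base64.b64encode(hash_prefix).decode("ascii")
    return stem.replace("/", "_").replace("+", "-")


def classify_name(name):
    """Classify one file name as ('key_old', stem, victim_id), ('key_new', stem, None),
    ('encrypted', stem, suffix), or None for anything that fits no convention."""
    m = OLD_KEY_FILE.match(name)
    if m:
        return ("key_old", m["key"], m["victim"])
    m = NEW_KEY_FILE.match(name)
    if m:
        return ("key_new", m["key"], None)
    m = ENCRYPTED_FILE.match(name)
    if m:
        return ("encrypted", m["key"], m["suffix"])
    return None


def triage(listing):
    """Report which naming convention the key files follow, the encrypted files
    grouped by the key file they reference, and references to key files absent
    from the listing (the ransom note warns those files are needed for recovery)."""
    key_files = {}
    encrypted_by_key = defaultdict(list)
    old_style = False
    for name in listing:
        c = classify_name(name)
        if c is None:
            continue
        kind, key, extra = c
        if kind == "key_old":
            key_files[key] = extra
            old_style = True
        elif kind == "key_new":
            key_files[key] = None
        else:
            encrypted_by_key[key].append(name)
    variant = None
    if key_files:
        variant = "old (Go)" if old_style else "new (Rust)"
    missing = {k for k in encrypted_by_key if k not in key_files}
    return {"variant": variant, "key_files": key_files,
            "encrypted_by_key": dict(encrypted_by_key), "missing_key_files": missing}


# Constructed listing: the two .key names and the myphoto.jpg entry are the blog's
# example; the remaining names (and their suffixes) are made up for the example.
SAMPLE_LISTING = [
    "3bcVwj6j.key",
    "l0Zn68cb.key",
    "myphoto.jpg.l0Zn68cb_-B82BhIaGhI8",
    "budget.xlsx.3bcVwj6j_Qk9GAAAAAQAA",
    "notes.txt.ZZZZZZZZ_AAAAAAAAAAAA",   # references a key file that is not present
    "readme.txt",
]

if __name__ == "__main__":
    print(key_file_name(bytes.fromhex("72d7a7a3f55b")))
    for field, value in triage(SAMPLE_LISTING).items():
        print(field, value)
```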

Microsoft will continue to monitor the Hive operators’ activity and implement
protections for our customers. The current detections, advanced detections, and
indicators of compromise (IOCs) in place across our security products are
detailed below.


RECOMMENDED CUSTOMER ACTIONS

The techniques used by the new Hive variant can be mitigated by adopting the
security considerations provided below:

 * Use the included IOCs to investigate whether they exist in your environment
   and assess for potential intrusion.

Our recent blog on the ransomware as a service economy has an exhaustive guide
on how to protect yourself from ransomware threats that dives deep into each of
the following areas. We encourage readers to refer to that blog for a
comprehensive guide on:

 * Building credential hygiene
 * Auditing credential exposure
 * Prioritizing deployment of Active Directory updates
 * Cloud hardening
   * Implement the Azure Security Benchmark and general best practices for
     securing identity infrastructure.
   * Ensure cloud admins/tenant admins are treated with the same level of
     security and credential hygiene as Domain Admins.
   * Address gaps in authentication coverage.
 * Enforce MFA on all accounts, remove users excluded from MFA, and strictly
   require MFA from all devices, in all locations, at all times.
 * Enable passwordless authentication methods (for example, Windows Hello, FIDO
   keys, or Microsoft Authenticator) for accounts that support passwordless. For
   accounts that still require passwords, use authenticator apps like Microsoft
   Authenticator for MFA.
 * Disable legacy authentication.

For Microsoft 365 Defender customers, the following checklist eliminates
security blind spots:

 * Turn on cloud-delivered protection in Microsoft Defender Antivirus to cover
   rapidly evolving attacker tools and techniques, block new and unknown malware
   variants, and enhance attack surface reduction rules and tamper protection.
 * Turn on tamper protection features to prevent attackers from stopping
   security services.
 * Run EDR in block mode so that Microsoft Defender for Endpoint can block
   malicious artifacts, even when a non-Microsoft antivirus doesn’t detect the
   threat or when Microsoft Defender Antivirus is running in passive mode. EDR
   in block mode also blocks indicators identified proactively by Microsoft
   Threat Intelligence teams.
 * Enable network protection to prevent applications or users from accessing
   malicious domains and other malicious content on the internet.
 * Enable investigation and remediation in full automated mode to allow
   Microsoft Defender for Endpoint to take immediate action on alerts to resolve
   breaches.
 * Use device discovery to increase visibility into the network by finding
   unmanaged devices and onboarding them to Microsoft Defender for Endpoint.
 * Protect user identities and credentials using Microsoft Defender for
   Identity, a cloud-based security solution that leverages on-premises Active
   Directory signals to monitor and analyze user behavior to identify suspicious
   user activities, configuration issues, and active attacks.


INDICATORS OF COMPROMISE (IOCS)

The below list provides a partial list of the IOCs observed during our
investigation and included in this blog. We encourage our customers to
investigate these indicators in their environments and implement detections and
protections to identify past related activity and prevent future attacks against
their systems.


NOTE: These indicators shouldn’t be considered exhaustive for this observed
activity.


DETECTIONS


MICROSOFT 365 DEFENDER

Microsoft Defender Antivirus

Microsoft Defender Antivirus provides detection for this threat under the
following family names with build version 1.367.405.0 or later.

 * Ransom:Win64/Hive
 * Ransom:Win32/Hive

Microsoft Defender for Endpoint detection

Microsoft Defender for Endpoint customers may see any or a combination of the
following alerts as an indication of possible attack. These alerts are not
necessarily an indication of a Hive compromise, but should be investigated:

 * Ransomware behavior detected in the file system
 * File backups were deleted
 * Possible ransomware infection modifying multiple files
 * Possible ransomware activity
 * Ransomware-linked emerging threat activity group detected


ADVANCED HUNTING QUERIES


MICROSOFT SENTINEL

To locate possible Hive ransomware activity mentioned in this blog post,
Microsoft Sentinel customers can use the queries detailed below:

Identify Hive ransomware IOCs

This query identifies a match across various data feeds for IOCs related to Hive
ransomware.

https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/HiveRansomwareJuly2022.yaml

Identify backup deletion

This hunting query helps detect ransomware attempts to delete backup files.

https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/BackupDeletion.yaml

Identify Microsoft Defender Antivirus detection of Hive ransomware

This query looks for Microsoft Defender Antivirus detections related to the Hive
ransomware and joins the alert with other data sources to surface additional
information such as device, IP, signed-in users, etc.

https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/HiveRansomwareAVHits.yaml

