Threats from Hive ransomware have been identified as recently as earlier this month, and CISA advises that organizations implement the recommendations in alert AA22-321A to mitigate the risk of a Hive ransomware attack.
As of November 2022, Hive ransomware actors have victimized over 1,300 companies worldwide and have extorted up to $100 million in ransom payments, according to information from the FBI. The actors behind Hive ransomware have targeted several critical infrastructure sectors, including Government, Manufacturing, and IT, and have focused on Healthcare and Public Health.
Their methods of intrusion have included:
- RDP logins
- Bypassing MFA
- Exploiting Microsoft Exchange Server Security Feature Bypass Vulnerability
- Exploiting Microsoft Exchange Server Remote Code Execution Vulnerability
- Exploiting Microsoft Exchange Server Privilege Escalation Vulnerability
Hive ransomware attempts to terminate backup and anti-virus processes, stop the volume shadow copy service and remove all existing shadow copies from an administrative command line or via PowerShell, and clears the Windows System, Security and Application event logs. A ransom note is dropped into each affected directory and states that the encrypted files must not be renamed or deleted, otherwise they cannot be recovered. Some victims are contacted through the Tor browser to discuss paying for their files, though some have reported receiving phone calls and emails from Hive actors to discuss payment directly.
Recommended mitigations include: verifying that Hive actors no longer have access to the network, installing operating system and software updates, securing and monitoring RDP, limiting administrative access, maintaining offline backups of data, ensuring backup data is encrypted and not already infected, enabling PowerShell logging, and continuous threat monitoring.
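As an added example (not code from the SecuLore post or the CISA alert), the following Python detector runs over constructed, Sysmon-style process-creation log lines and flags the behaviours described above: shadow copy deletion, stopping the VSS service, and clearing the System, Security and Application event logs, then reports when the destructive chain of shadow deletion plus log clearing appears together. The command-line patterns and the log format are assumptions about how these actions commonly show up in process logs, not indicators taken from the page.

```python
import re

# Constructed sample log lines in a simplified Sysmon process-creation style (not real telemetry).
SAMPLE_LOGS = [
    r'EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet"',
    r'EventID=1 Image=C:\Windows\System32\wbem\WMIC.exe CommandLine="wmic shadowcopy delete"',
    r'EventID=1 Image=C:\Windows\System32\wevtutil.exe CommandLine="wevtutil cl System"',
    r'EventID=1 Image=C:\Windows\System32\net.exe CommandLine="net stop vss /y"',
    r'EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe readme.txt"',
    r'EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin list shadows"',
]

# Assumed detection rules: (rule name, pattern applied to the extracted command line).
# Listing shadows is benign admin activity, so only the delete forms are matched.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("event_log_cleared", re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\s+(system|security|application)\b", re.I)),
    ("vss_service_stopped", re.compile(r"net(\.exe)?\s+stop\s+vss\b", re.I)),
]


def extract_command_line(line):
    """Pull the quoted CommandLine value out of one log line ("" if absent)."""
    match = re.search(r'CommandLine="([^"]*)"', line)
    return match.group(1) if match else ""


def classify(line):
    """Return the names of all rules that fire on a single log line."""
    cmd = extract_command_line(line)
    return [name for name, pattern in RULES if pattern.search(cmd)]


def scan(lines):
    """Scan a sequence of log lines; return (line index, rule name) pairs in order."""
    return [(i, name) for i, line in enumerate(lines) for name in classify(line)]


def destructive_chain(hits):
    """True when the host shows both shadow copy deletion and event log clearing,
    the combination the alert describes rather than a single noisy admin command."""
    fired = {name for _, name in hits}
    return "shadow_copy_deletion" in fired and "event_log_cleared" in fired


if __name__ == "__main__":
    for index, rule in scan(SAMPLE_LOGS):
        print(f"line {index}: {rule}")
    print("destructive chain:", destructive_chain(scan(SAMPLE_LOGS)))
```

In practice the same rules would be fed from PowerShell script block logs and Sysmon events, which is why the mitigations above stress enabling PowerShell logging and continuous monitoring.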
Victims of ransomware operations should report the incident to their local FBI field office or CISA.
SecuLore™ OverWatch provides 24/7/365 network monitoring through our patented Paladin™ technology to detect vulnerabilities in your network and detect anomalous behavior. The technology passively captures all traffic on your network to identify threats that are often missed by other layers of security. The packet captures are sent to our Security Operations Center to be processed via a unique behavioral analysis that is constantly reviewed by our team of CEH (Certified Ethical Hackers).
The FCC recommends all organizations have a vulnerability risk assessment completed every 90 days. SecuLore’s™ CyberBenchmark fulfills policy requirements and helps you understand where your network is vulnerable, as well as providing actionable remediation recommendations to help protect your network.
SecuLore Support Team