One of the most prolific ransomware groups to affect healthcare facilities, nonprofits, retailers, energy providers, and other sectors, with a total of more than 1,300 institutions hit by the ransomware group worldwide and a profit of $100 million in ransom payments, Hive Ransomware has been ruling the roost since June 2021. Read on to find out what Securin experts uncovered when they revisited HIVE and their attack tactics and techniques, and what organizations can do to remain safe from future attacks.

Since they burst into the limelight in June 2021 with an attack on Europe’s largest consumer electronics retailer, MediaMarkt, HIVE ransomware has targeted a wide range of businesses – more than 1300 – including government facilities, critical manufacturing, information technology, telecommunications providers and healthcare and public health sectors.  

The HIVE ransomware gang’s aggressive activities bumped the group into the big league of the most dangerous ransomware groups, with a daily average of three companies being targeted since June 2021. Within the span of four months between August and November 2021, HIVE ransomware had infiltrated more than 350 organizations worldwide. 

In This Article:

Deconstructing HIVE Ransomware’s Honeycomb

Securin cybersecurity analysts first observed HIVE ransomware, an affiliate-based ransomware variant used by cyber attackers, in June 2021. The Hive ransomware-as-a-service operation is built around a team of developers who create and manage the malware, and affiliates who carry out attacks on target networks by purchasing domains from initial access brokers. 

The HIVE operators carry out a standard double-extortion ransomware attack on its targets, where cybercriminals steal sensitive files, encrypt systems, and then threaten to publish the victim’s data unless a ransom is paid. 

Figure 1: Screenshot of HIVE ransomware’s leak page for their latest attack on CHC in January 2023

HIVE Ransomware Cheat Sheet

Securin experts observed that HIVE ransomware gains access to a network and then spreads laterally through it while continuing to steal unencrypted files. They deploy their ransomware to encrypt all devices when they eventually gain admin access on a Windows domain controller. The HIVE group then seeks out and deletes backups in order to prevent victims from recovering their data. 

Here is a detailed analysis of the vulnerabilities exploited by HIVE ransomware in their attacks. Our experts also used Securin’s Vulnerability Intelligence platform for predictive analysis to identify the vulnerabilities and how likely they are to be exploited in future attacks. Securin’s Vulnerability Risk Score (VRS) tries to fill the gaps created by CVSS v2 and v3 scores, by arriving at a consistent scoring methodology which analysts can use directly for faster prioritization. 

Let us take a deeper insight into the vulnerabilities associated with Hive:

CVE-2021-31207 - Microsoft Exchange Server Security Feature Bypass Vulnerability - 13 Ransomware / 7 APT - CISA KEV, Trending

This CVE was initially published on May 11, 2021, soon after which, on October 2, 2021, Securin’s Vulnerability Intelligence platform tagged it as extremely critical and assigned it the highest predictive score of 38.46. The DHS CISA added the vulnerability to the Known Exploited Vulnerabilities catalog on November 3, 2021, after it was found to be exploited in the wild. The vulnerability remained in trend, and has been actively trending in the last week or two. 

Figure 2: Securin’s VI platform tagged CVE-2021-31207 as extremely critical and assigned it the highest predictive score of 38.46.

CVE-2021-31207 has an initial CVSS v2 score of just 6.50 and is tagged as a medium severity vulnerability, in spite of being in the CISA KEV catalog and having been exploited by 12 ransomware families and eight APT groups. Considering the exploitation impact of this vulnerability, Securin VRS scores it at 9.06, marking it as a critical-severity vulnerability to watch out for.

CVE-2021-34473 - Microsoft Exchange Server Remote Code Execution Vulnerability - 12 Ransomware / 8 APT - CISA KEV, Trending

This CVE was initially published on July 13, 2021, after which, on October 2, 2021, Securin’s Vulnerability Intelligence platform tagged it as extremely critical and assigned it the highest predictive score of 38.46. The DHS CISA added the vulnerability to the Known Exploited Vulnerabilities catalog on November 3, 2021, a month after it was found to be exploited in the wild. The vulnerability remained in trend, and has been actively trending in the last week or two. 

Figure 3: Securin’s VI platform tagged CVE-2021-34473 as extremely critical and assigned it the highest predictive score of 38.46

CVE-2021-34473 has an initial CVSS v2 score of 10.0 but its criticality is brought down slightly to 9.80 in the CVSS v3 score. The vulnerability has been exploited by 12 ransomware families and eight APT groups, as a result of which, the exploitation impact of the vulnerability garners it a VRS score of 9.96.

CVE-2021-34523 - Microsoft Exchange Server Privilege Escalation Vulnerability - 12 Ransomware / 8 APT - CISA KEV, Trending

This CVE was initially published on July 13, 2021, after which Securin’s Vulnerability Intelligence platform tagged it as extremely critical and assigned it the highest predictive score of 38.46 on July 19, 2021. The DHS CISA added the vulnerability to the Known Exploited Vulnerabilities catalog on November 3, 2021, a little under a month after it was found to be exploited in the wild. The vulnerability has been trending actively ever since. 

Fig 4: Securin’s VI platform tagged CVE-2021-34523 as extremely critical and assigned it the highest predictive score of 38.46

CVE-2021-34523 has an initial CVSS v2 score of just 7.50, tagging it as a medium-severity vulnerability, and subsequently the CVSS v3 score was increased to 9.80 post exploitation. This vulnerability too has been exploited by 12 ransomware families and eight APT groups, thereby garnering a VRS score of 9.96, emphasizing the criticality of the vulnerability.

CVE-2021-42321 - Microsoft Exchange Server Remote Code Execution Vulnerability - 1 Ransomware / 1 APT - CISA KEV, Trending

This CVE was initially published on November 9, 2021. The first exploits were found on November 17, following which, the DHS CISA added the vulnerability to the KEV catalog. Securin’s Vulnerability Intelligence platform tagged it as extremely critical and assigned it the highest predictive score of 38.46 on November 30, 2021. 

Fig 5: Securin’s VI platform tagged CVE-2021-42321 as extremely critical and assigned it the highest predictive score of 38.46

CVE-2021-42321 had an initial CVSS v2 score of a meager 6.50, marking it as a medium-severity vulnerability. Since the vulnerability has been chained with the ProxyShell vulnerabilities, the vulnerability has a high exploitation impact, resulting in the Securin VRS score of 9.58.

CVE-2020-12812 - An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below. o- 2 Ransomware / 0 APT - KEV, Trending

This CVE was initially published on July 24, 2020. In early August 2021, the first active exploits were observed by our experts, soon after which Securin’s Vulnerability Intelligence platform tagged it as critical and assigned it the highest predictive score of 38.46 on August 04, 2020. The DHS CISA added the vulnerability to the Known Exploited Vulnerabilities catalog only on November 3, 2021, approximately fifteen months after our VI platform had recognized the likelihood of future exploits using this vulnerability. 

Fig 5: Securin’s VI platform tagged CVE-2020-12812 as extremely critical and assigned it the highest predictive score of 38.46

CVE-2020-12812 has an initial CVSS v2 score of 7.50 and was upgraded to a CVSS v3 score of 9.8 later after active exploits were found. Securin’s VI platform however assigned it a lower score of 8.80 because in spite of being exploited in the wild, we do not have sufficient information to suggest if this improper authentication vulnerability can be accessed remotely by a threat actor, or can lead to privilege escalation. 

CVSS vs VRS Scoring Comparison
CVE-2021-33558 - Boa Web Server version 0.94.13 - 1 Ransomware / 1 APT - Trending

This CVE was initially published in May 2021. It was not until November 23, 2021, that Hive ransomware exploited the Boa server vulnerability to target energy grids in India. 

Securin experts feel this vulnerability should be added to the DHS CISA’s Known Exploited Vulnerabilities catalog. 

Fig 6: Securin’s VI platform assigned CVE-2021-33558 a score of 8.56

CVE-2021-33558 had an initial CVSS v2 score of just 5.00 and was upgraded to a CVSS v3 score of 7.50 after it was exploited. Although sufficient information is not available for the vulnerability, Securin’s VI platform assigned it a score of 8.56, since it was actively exploited by Hive ransomware and RedEcho APT. 

This vulnerability, though trending since 2021, is not detectable by any of the popular cybersecurity scanners – Nessus, Nexpose and Qualys – that organizations depend on so greatly to keep their attack surface secure.

CVSS and VRS Scoring Comparison
CVE-2017-9833 - Boa Web Server version 0.94.14rc21 - 1 Ransomware / 1 APT - Trending

This CVE was first exploited in June 2017, following which, it was published on June 24, 2017. According to Securin’s Vulnerability Intelligence platform, the VRS scores reached the maximum score of 38.46 in May 2020. However, in spite of its likelihood of being used in attacks by threat actors, DHS CISA still has not added the vulnerability to its catalog. 

Fig 7: Securin’s VI platform tagged CVE-2017-9833 as extremely critical and assigned the highest predictive score of 38.46

CVE-2017-9833 had an initial CVSS v2 score of 7.80 but was demoted to a CVSS v3 score of 7.50. However, since the vulnerability has been exploited actively by Hive ransomware and RedEcho APT, many years after it was discovered, our Securin VI platform has assigned it a VRS score of 9.23.

CVSS v2 and VRS Scoring Comparison

History of HIVE Ransomware Attacks

The end of 2022 saw an influx of ransomware attacks reported targeting the education sector. Approximately five of the 24 ransomware attacks that were disclosed and confirmed in November and December 2022, were against K-12 schools and universities.

The Hive ransomware group, invariably, claimed responsibility for a couple of attacks, by leaking the date on their public leak site. 

Note: The list of attacks carried out by HIVE can be found at the end of the article.

Interesting Trends

  1. Customer Service:

The HIVE ransomware gang allows its victims to contact a sales representative in their operation through a ‘customer service’ link provided at the time of encryption. This connects the victim directly to a live chat with a HIVE executive who then tries to negotiate a ransom amount.

Fig 8: Screengrab of Victims Chats with HIVE negotiators 

  1. Leveraging victim chats for insights:

Before Hive decides upon a ransom amount, they do an in-depth research on the victim organizations and generally ask for about 1 percent of the company’s annual revenue. Though they target companies indiscriminately, they most probably base their assessments on how easily they can compromise the victim for quick financial gains. 

The communications employed by HIVE are shorter and direct, but are quick to lower ransom demands, offering substantial reductions several times through their negotiations.  

Fig 9: How Hive leverages on chats with victim to gain insights

  1. Hive ransomware creates Linux and FreeBSD server variants:

Hive ransomware devised a variant of their ransomware that can encrypt Linux and FreeBSD servers. Although quite buggy, according to our experts, it comes with support for a single command line parameter (-no-wipe). The Linux version of the ransomware fails to encrypt files unless executed without root privileges. In contrast, the Windows ransomware variant comes with five execution options. 

  1. Hive ransomware ports its Linux VMware ESXi encryptor to Rust: 

In March 2022, the Hive ransomware gang added new features to their  VMware ESXi Linux encryptor and also converted it to the Rust programming language in order to make it harder for security researchers to spy on a victim’s ransom negotiations.

  1. The Conti-Hive link:

With Conti shutting its operations in May 2022, its members splintered into smaller groups that it partnered with groups, such as Hive, HelloKitty, AvosLocker, BlackCat, and BlackByte among others. Some Conti members also joined the Hive ransomware ranks and began leaking victim data on both the Conti and Hive leak sites.

  1. New ‘IPfuscation’ trick to hide payload: 

The Hive ransomware operators developed an obfuscation technique involving IPv4 addresses and a set of conversions that lead to Cobalt Strike beacons being downloaded. Our analysts discovered that the payload itself was obscured by taking the form of an ASCII IPv4 array, which could have easily been mistaken for hard-coded C2 communications. 

Hive Ransomware Attack Methodology

  • Initial Access Techniques:

    • Hive actors gain access to victim networks by using single factor logins via RDP, VPN, and other remote network connection protocols.

    • Exploit Public-Facing Application – Hive actors gain access to victim networks by exploiting the following Microsoft Exchange vulnerabilities: CVE-2021- 34473, CVE-2021-34523, CVE-2021- 31207, CVE-2021-42321. They may also use the newly discovered Boa vulnerability, CVE-2021-33558. 

    • Phishing – Hive actors gain access to victim networks by distributing phishing emails with malicious attachments.

  • Execution:

    • Use Command and Scripting Interpreter –  Hive actors looks to stop the volume shadow copy services and remove all existing shadow copies via vssadmin on command line or PowerShell.

  • Defense Evasion:

    • Use Indicator Removal on Host – Hive actors delete Windows event logs, specifically, the System, Security and Application logs. 

    • Modify Registry – Hive actors set registry values for DisableAntiSpyware and DisableAntiVirus to 1. 

    • Impair Defenses – Hive actors seek processes related to backups, antivirus/anti-spyware, and file copying and terminates those processes to facilitate file encryption. 

  • Exfiltration:

    • Use Transfer Data to Cloud Account – Hive actors exfiltrate data from victims, using a possible combination of Rclone and the cloud storage service Mega.nz. 

  • Impact:

    • Use Data Encrypted for Impact – Hive actors deploy a ransom note into each affected directory which states the *.key file cannot be modified, renamed, or deleted, otherwise the encrypted files cannot be recovered. 

    • Inhibit System Recovery – Hive actors look to stop the volume shadow copy services and remove all existing shadow copies via vssadmin via command line or PowerShell.

Hive Ransomware Attack Methodology

HIVE Ransomware MITRE ATT&CK Map

Hive Ransomware MITRE ATT&CK Map

Since Hive ransomware has been affecting the education and healthcare sectors since 2021, many more individuals are at risk of data theft, making it imperative that cyber security measures are taken to limit the effects of ransomware attacks on institutions and organizations. 

K-12 schools have seen a meteoric rise in ransoms paid, with an estimated $3.5 billion in 2022, with the graph steadily rising due to ineffective attack surface management on the enterprise and local levels. 

Securin’s Ransomware Spotlight Report 2023, highlights a continuing 19% rise in vulnerabilities associated with ransomware in 2022. A total of 344 vulnerabilities have been leveraged by ransomware groups thus far, of which 156 of the vulnerabilities are yet to be added to CISA’s KEV catalog. About 180 vulnerabilities have been actively searched as a point of interest by hackers and malicious actors such as HIVE, therefore, making it imperative for organizations today, especially K-12 schools and other vulnerable critical entities, to require a robust Attack Surface Management solution to see their ransomware exposure, prioritize their patching cadence and secure their network. 

Here is a list of significant attacks carried out by HIVE ransomware between June 2021 and January 2023:

Targets

Month

Impact of the Attack

Consulate Health Care

January 2023

All customer information and hospital documentation leaked; 550GB

Centro Médico Virgen De La Caridad, Cartagena, Spain

January 2023

Two hospitals, 20 polyclinics, 23 physiotherapy clinics, and 16 dental clinics were affected in the region. All PII leaked.

Lake Charles Memorial Health System (LCMHS)

November to December 2022

data breach affecting almost 270,000 people

Norman Public Schools (NPS), Oklahoma

November 2022

A district with 24 schools and more than 14,000 students hit. Led to discontinuation of use and shutdown of NPS-issued devices.

Tata Power

October 2022

Tata Power employees’ personally identifiable information (PII), National ID (Aadhar) card numbers, PAN (tax account) numbers, salary information, etc. was stolen. Additionally, the data dump contained engineering drawings, financial and banking records as well as client information.

Empress EMS (Emergency Medical Services)

September 2022

files contained patient names, dates of service, insurance information, and in some instances, Social Security numbers

Damart, France

August – September 2022

$2 million ransom demanded; sales network stopped operating normally thereby impacting 92 of its stores

Wootton Upper School, Bedford, UK

August 2022

£500,000 ransom demanded, PII exfiltrated

Baton Rouge General Medical Center, Louisiana 

August 2022

PII exfiltrated

Artear (Arte Radiotelevisivo Argentino) group

June 2022

1.4 TB files exfiltrated, extensive IT outage

Goodman Campbell Brain and Spine

June 2022

internal information about the entity including passwords for important accounts, but it has also leaked personal and financial information on doctors, and information on named patients that include their diagnoses and procedures, with some insurance information.

Costa Rica’s public health service (known as Costa Rican Social Security Fund or CCCS)

June 2022

Major IT outage

Partnership HealthPlan of California

March 2022

Hive exfiltrated 850,000 unique records with name, Social Security Number, date of birth, address, contact information, and more; 400 GB of stolen files were encrypted 

Memorial Health Systems

August 2021

The attack caused disruptions of clinical and financial operations, causing urgent surgical cases and radiology exams, surgeries postponed, etc

How We Can Help

Securin has been researching ransomware groups and the methods they use to invade networks since 2019. Our comprehensive database of more than 359 vulnerabilities (and counting) used by ransomware groups is the most extensive compilation in the industry today. Securin’s expertise in ransomware research translates into our Ransomware reports and Ransomware Assessment service that can help organizations increase their security posture.

Share This Post On