The Latest Hive Ransomware News
Category: Ransomware News | Industries: Communications, Critical Infrastructure, Government, Healthcare, Manufacturing, Technology | Level: Tactical | Source: CISA
The Cybersecurity and Infrastructure Security Agency’s (CISA) latest #StopRansomware advisory provides insights on the Hive ransomware group. "As of November 2022, Hive ransomware actors have victimized over 1,300 companies worldwide, receiving approximately $100 million US in ransom payments, according to FBI information." Hive ransomware has operated from June 2021 to November 2022 using the ransomware-as-a-service (RaaS) model. The group has targeted organizations worldwide across verticals including Healthcare and Public Health (HPH), communications, critical infrastructure, government, healthcare, manufacturing, and technology.

To obtain initial access, Hive operators have exploited vulnerabilities in public-facing Microsoft Exchange and FortiOS systems, conducted phishing campaigns, and used compromised credentials. Once on a host, their post-exploitation activity has frequently involved tampering with system defenses such as anti-virus and Windows Defender. System recovery is inhibited by disabling shadow copies, and Windows event logs are cleared to remove traces of activity. Prior to encryption, data is collected and exfiltrated using Rclone and the Mega cloud storage service. When encryption completes, a ransom note is dropped instructing the victim how to contact Hive about the ransom demand. "Hive actors have been known to reinfect—with either Hive ransomware or another ransomware variant—the networks of victim organizations who have restored their network without making a ransom payment."
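The pre-encryption behaviours summarized above (defense tampering, shadow copy removal, event log clearing, Rclone exfiltration) are individually noisy but distinctive as a chain on one host. The following is an added example of that correlation logic, not code from CISA, Anvilogic, or the advisory: it runs a handful of command-line rules over constructed process-creation log lines and only flags a host when several distinct behaviours fire inside a short window. The hosts, users, paths, and the exact command-line patterns (vssadmin, wmic, wevtutil, Set-MpPreference, rclone) are assumptions about how those behaviours commonly appear in process logs; they are not indicators quoted from the page.

```python
"""Toy chain detector for the Hive-style pre-encryption behaviours described above.

Sample events and rule patterns are constructed for illustration; none are
published indicators from the CISA advisory.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed process-creation events (hypothetical hosts, users, and paths).
# Field order: timestamp|host|user|parent_image|command_line
SAMPLE_EVENTS = """\
2022-11-01T10:02:11Z|WS-042|corp\\jdoe|explorer.exe|C:\\Windows\\System32\\notepad.exe report.txt
2022-11-01T10:05:40Z|WS-042|corp\\jdoe|cmd.exe|vssadmin.exe delete shadows /all /quiet
2022-11-01T10:05:42Z|WS-042|corp\\jdoe|cmd.exe|wmic shadowcopy delete
2022-11-01T10:06:03Z|WS-042|corp\\jdoe|powershell.exe|powershell -nop -c Set-MpPreference -DisableRealtimeMonitoring $true
2022-11-01T10:07:15Z|WS-042|corp\\jdoe|cmd.exe|rclone.exe copy C:\\Finance mega:backup --transfers 8
2022-11-01T10:09:30Z|WS-042|corp\\jdoe|cmd.exe|wevtutil.exe cl Security
2022-11-01T10:09:31Z|WS-042|corp\\jdoe|cmd.exe|wevtutil.exe cl System
2022-11-01T10:12:00Z|WS-042|corp\\jdoe|explorer.exe|C:\\Program Files\\Git\\bin\\git.exe pull
2022-11-01T10:20:00Z|SRV-01|corp\\svc_backup|cmd.exe|vssadmin.exe delete shadows /for=C: /oldest
"""

# One rule per behaviour named in the summary. The regexes are assumptions about
# how those behaviours typically surface in command-line telemetry.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I),
    "defender_tamper": re.compile(
        r"Set-MpPreference\s+-Disable\w+|\bsc(\.exe)?\s+(stop|config)\s+WinDefend\b", re.I),
    "event_log_clear": re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    "rclone_exfil": re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b", re.I),
}


@dataclass(frozen=True)
class Finding:
    ts: datetime
    host: str
    user: str
    rule: str
    command_line: str


def parse_events(text):
    """Parse the pipe-delimited constructed log format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, parent, cmd = line.split("|", 4)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "user": user, "parent": parent, "cmd": cmd,
        })
    return events


def detect(events):
    """Apply every rule to every command line; one Finding per (event, rule) hit."""
    findings = []
    for ev in events:
        for name, pattern in RULES.items():
            if pattern.search(ev["cmd"]):
                findings.append(Finding(ev["ts"], ev["host"], ev["user"], name, ev["cmd"]))
    return findings


def correlate(findings, window=timedelta(minutes=15), min_rules=3):
    """Return {host: sorted distinct rules} for hosts where at least `min_rules`
    different behaviours fire within `window` of each other.

    A single hit is weak evidence (backup jobs legitimately prune shadow copies,
    as SRV-01 does in the sample); the chain is the signal worth paging on.
    """
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, []).append(f)
    flagged = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda f: f.ts)
        for i, start in enumerate(hits):
            rules = {f.rule for f in hits[i:] if f.ts - start.ts <= window}
            if len(rules) >= min_rules:
                flagged[host] = sorted(rules)
                break
    return flagged


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_EVENTS))
    for f in found:
        print(f"{f.ts:%H:%M:%S} {f.host:7} {f.rule:22} {f.command_line}")
    print("hosts with a correlated chain:", correlate(found))
```

On the constructed data, WS-042 trips all four rules inside the window and is flagged, while SRV-01's lone shadow-copy deletion produces a finding but no chain; that separation, rather than any single rule, is what keeps this kind of detection usable in an environment with legitimate backup tooling.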
- RDP & System Compromise
Anvilogic Use Cases:
- RDP Logon/Logoff Event
- Windows Defender Disabled Detection
- Clear Windows Event Logs