Ransomware is a constant thorn in the side of cyber security professionals worldwide. Hive ransomware stormed onto the scene in June 2021, and in its first six months, June through December 2021, it compromised 355 companies. The group made headlines for targeting IT, real estate, and healthcare organizations, prompting an FBI alert in late August 2021 that shared the Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) associated with the group.
Recently the group has been making headlines for more technical reasons. Two events in the past few months have made Hive particularly interesting to security professionals. The first took place in February 2022: academic researchers at Kookmin University in South Korea developed a method to recover a significant portion of the master key the gang uses to encrypt a target organization's files. According to the research, the ransomware XORs file data with a random key string that changes for each file, and those per-file strings are drawn from one master keystream. The researchers found that a large portion of that master keystream could be guessed, allowing them to reverse the encryption and recover between 82% and 98% of a target's files.[1]
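The mechanism the paragraph describes, reduced to a toy model, as an added example that is not the researchers' code and not Hive's real file format. It assumes, for illustration only, that every file is XORed with a slice of one shared master keystream starting at a per-file offset and that the analyst knows each file's offset. The file names, offsets and contents are constructed. It shows why predictable plaintext in some files (a format magic, zero padding) leaks master keystream bytes that then decrypt other files at the positions they share.

```python
"""Toy model of the keystream-recovery idea behind the Kookmin research.

Added example; not the researchers' code and not Hive's real file format.
Assumptions made here for illustration: every file is XORed with a slice of
one shared master keystream starting at a per-file offset, and the analyst
knows each file's offset (here it is simply recorded next to the file).
What it shows: wherever some file's plaintext is predictable (a format
magic, zero padding), ciphertext XOR prediction yields master keystream
bytes, and every other file that reuses those keystream positions decrypts
at those positions without the key.
"""

def xor_with_master(master: bytes, offset: int, data: bytes) -> bytes:
    """XOR data with master[offset:], wrapping around. Encrypt == decrypt."""
    n = len(master)
    return bytes(b ^ master[(offset + i) % n] for i, b in enumerate(data))

def recover_keystream(master_len: int, known):
    """known: iterable of (offset, ciphertext, predicted_plaintext_prefix).
    Returns {master_index: keystream_byte} for every position derivable."""
    recovered = {}
    for offset, ct, guess in known:
        for i, (c, p) in enumerate(zip(ct, guess)):
            recovered[(offset + i) % master_len] = c ^ p
    return recovered

def decrypt_partial(recovered, master_len: int, offset: int, ct: bytes):
    """Decrypt the positions whose keystream byte is known; the others stay
    None. Returns (list of int|None, fraction_recovered)."""
    out = []
    for i, c in enumerate(ct):
        k = recovered.get((offset + i) % master_len)
        out.append(None if k is None else c ^ k)
    frac = sum(b is not None for b in out) / len(out) if out else 0.0
    return out, frac

def demo():
    """Constructed scenario, deterministic so the result is checkable:
    three PDFs (known 8-byte magic) leak 24 keystream positions; a fourth
    file of unknown type shares 20 of them."""
    master = bytes((i * 131 + 7) & 0xFF for i in range(4096))  # stand-in key
    pdf_magic = b"%PDF-1.7"
    files = {  # name: (per-file offset into master, plaintext)
        "a.pdf": (100, pdf_magic + b" a.pdf body"),
        "b.pdf": (108, pdf_magic + b" b.pdf body"),
        "c.pdf": (116, pdf_magic + b" c.pdf body"),
        "x.bin": (104, b"unknown format, 24 bytes"),
    }
    encrypted = {n: xor_with_master(master, off, pt) for n, (off, pt) in files.items()}
    # The analyst only predicts the PDF magic; nothing about x.bin is known.
    known = [(files[n][0], encrypted[n], pdf_magic) for n in ("a.pdf", "b.pdf", "c.pdf")]
    ks = recover_keystream(len(master), known)
    out, frac = decrypt_partial(ks, len(master), files["x.bin"][0], encrypted["x.bin"])
    text = "".join("?" if b is None else chr(b) for b in out)
    return text, frac

if __name__ == "__main__":
    text, frac = demo()
    print(f"{frac:.0%} of x.bin recovered: {text}")
```

With more files whose leading bytes are predictable, the recovered dictionary covers more of the master keystream, which is the effect behind the 82% to 98% figures quoted above; the toy deliberately uses only three files so the arithmetic can be followed by hand.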
The ability to reconstruct the gang's master key is valuable to security professionals, who can use the same technique to decrypt files encrypted by Hive. It does not remove the group's leverage, however. Hive uses double extortion, meaning it both encrypts files and exfiltrates data, and the exfiltrated data can still be ransomed because the gang can sell or leak it if it is not paid.
Hive has taken a page from the BlackCat ransomware gang's book, changing how the negotiation details in its ransom notes are delivered so that they are not easily accessible to security researchers. Previously, ransom notes were recovered and publicized by researchers conducting malware analysis, allowing them to follow the negotiations.
BlackCat passes the negotiation URL on the command line when the encryptor is executed, so it cannot be recovered from a captured sample. The credentials for the negotiation page are likewise supplied by the attacker as a command-line argument. This way of hiding negotiation messages and credentials was developed first for Linux targets and has since been adopted for attacks on Windows machines as well.
Hive has also followed BlackCat in switching the programming language of its Linux (VMware ESXi) encryptor from Go to Rust. The switch was made to make the encryptor more efficient and harder for security researchers to reverse engineer.[2]
Since its discovery, Hive ransomware has undergone several changes. One of the most notable is a novel obfuscation method found in recent Hive samples. Obfuscation is any technique malware uses to confuse or mislead the security professionals studying how it works. The new technique has been named IPfuscation: the payload is stored as an array of IPv4 address strings that are converted back into shellcode, which in turn downloads a Cobalt Strike Beacon.
Sentinel Labs reported that the loader walks an array of IPv4 address strings and converts each one to its 4-byte binary form with the RtlIpv4StringToAddressA function. The resulting binary blob is written to heap memory and is the shellcode of a Cobalt Strike stager, which downloads and executes Beacon.[3] Another variant relies on Hell's Gate direct syscalls to execute the shellcode. An image from Sentinel Labs accompanying the original post shows the IP addresses used to build the Cobalt Strike payload.
The use of IPv4 addresses to hide the binary shows how creative adversaries can be when trying to avoid detection. Researchers at Sentinel Labs have found other variants of the IPfuscation technique that use IPv6 addresses, UUIDs, and MAC addresses instead. To the naked eye, a list of IP addresses will often lead security professionals to believe the malware connects to a number of servers, including command and control servers, but that is not the case here. The Hive ransomware group has been innovative in the year since it was discovered, elevating its status as a threat to be aware of as its tactics continue to evolve. Techniques like IPfuscation mean that static signatures on the stored payload will simply not fire, because the shellcode only exists in memory after decoding. It is best to leverage behavioral detection, AI-assisted analysis, and holistic endpoint security.[4]
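The decoding step described above, and the IPv6, UUID and MAC variants mentioned with it, as an added example that is not Sentinel Labs' analysis code and not Hive's loader. It reproduces in Python what the Windows string-to-address parsers do (RtlIpv4StringToAddressA, RtlIpv6StringToAddressA, RtlEthernetStringToAddressA, UuidFromStringA) and adds a triage heuristic for a `strings` dump. The sample `strings` output and the small set of shellcode prologues are constructed for this example; the nine dotted quads decode to the well-known opening bytes of an x64 Cobalt Strike stager.

```python
"""Decode "IPfuscated" payload fragments and flag shellcode-looking output.

Added example; not SentinelOne's analysis code and not Hive's loader.
It reproduces in Python what the Windows parsers the loader calls do:
RtlIpv4StringToAddressA (4 bytes), RtlIpv6StringToAddressA (16 bytes),
RtlEthernetStringToAddressA (6 bytes) and UuidFromStringA (16 bytes, UUID
struct layout). Each string becomes its fixed-size binary form and the
results are concatenated into one blob. All sample inputs are constructed
for this example.
"""
import ipaddress
import re
import uuid

IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}$")
UUID_RE = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")

# Prologues worth flagging in a decoded blob. Assumption: a small starter
# set; FC 48 83 E4 F0 (cld; and rsp,-0x10) opens the common x64 stagers.
SHELLCODE_PROLOGUES = {
    bytes.fromhex("fc4883e4f0"): "x64 cld; and rsp,-0x10",
    bytes.fromhex("fce8"): "x86 cld; call",
}

def decode_token(token: str) -> bytes:
    """Return the bytes the corresponding Windows string-to-address parser
    would write for this token. Raises ValueError for anything else."""
    if IPV4_RE.match(token):
        return ipaddress.IPv4Address(token).packed      # network byte order
    if MAC_RE.match(token):
        return bytes.fromhex(token.replace("-", ""))    # six bytes, as written
    if UUID_RE.match(token):
        # UuidFromStringA fills a UUID struct: Data1/Data2/Data3 little-endian
        return uuid.UUID(token).bytes_le
    if ":" in token:
        return ipaddress.IPv6Address(token).packed      # network byte order
    raise ValueError(f"not an encoded token: {token!r}")

def is_token(s: str) -> bool:
    try:
        decode_token(s)
        return True
    except ValueError:
        return False

def deobfuscate(tokens) -> bytes:
    """Concatenate decoded tokens into the blob the loader executes."""
    return b"".join(decode_token(t) for t in tokens)

def looks_like_shellcode(blob: bytes):
    """Name of the matching prologue, or None."""
    for prologue, desc in SHELLCODE_PROLOGUES.items():
        if blob.startswith(prologue):
            return desc
    return None

def scan_strings(lines, min_run=8):
    """Triage heuristic for a `strings` dump: a run of at least min_run
    consecutive address-like strings whose decoded bytes open with a known
    prologue is reported as (index_of_first_line, blob, prologue_name).
    Short runs are ignored so ordinary config IPs do not trigger."""
    hits, run, run_start = [], [], None
    for i, line in enumerate(list(lines) + [""]):   # "" flushes the last run
        tok = line.strip()
        if is_token(tok):
            if not run:
                run_start = i
            run.append(tok)
            continue
        if len(run) >= min_run:
            blob = deobfuscate(run)
            desc = looks_like_shellcode(blob)
            if desc:
                hits.append((run_start, blob, desc))
        run, run_start = [], None
    return hits

# Constructed `strings` output. The nine dotted quads decode to the opening
# bytes of a Cobalt Strike x64 stager (FC 48 83 E4 F0 E8 C0 00 00 00 ...).
SAMPLE_STRINGS = [
    "kernel32.dll",
    "RtlIpv4StringToAddressA",
    "10.0.0.5",            # two lone IPs, as a benign config might hold
    "10.0.0.6",
    "Wow64DisableWow64FsRedirection",
    "252.72.131.228",      # FC 48 83 E4
    "240.232.192.0",       # F0 E8 C0 00
    "0.0.65.81",           # 00 00 41 51
    "65.80.82.81",         # 41 50 52 51
    "86.72.49.210",        # 56 48 31 D2
    "101.72.139.82",       # 65 48 8B 52
    "96.72.139.82",        # 60 48 8B 52
    "24.72.139.82",        # 18 48 8B 52
    "32.72.139.114",       # 20 48 8B 72
    ".text",
]

if __name__ == "__main__":
    for start, blob, desc in scan_strings(SAMPLE_STRINGS):
        print(f"line {start}: {len(blob)} bytes, {desc}: {blob[:12].hex()}")
```

The run-length threshold is what keeps the two lone configuration addresses from triggering; the decoded blob should then be handed to a disassembler or emulator rather than trusted on the prologue alone, since the prologue set here is deliberately small.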
Hive ransomware is primarily distributed by exploiting exposed or vulnerable RDP servers, using compromised VPN credentials, and running phishing campaigns. Pictured below are some of the IOCs provided by Sentinel Labs and the TTPs from MITRE ATT&CK:
The good news is that researchers have found a way to recover the majority of the Hive encryption key; the bad news is that the group is innovative and will likely adapt in the near future.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516
[1] https://therecord.media/academics-publish-method-for-recovering-data-encrypted-by-the-hive-ransomware/
[2] https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/
[3] https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/
[4] https://www.bleepingcomputer.com/news/security/hive-ransomware-uses-new-ipfuscation-trick-to-hide-payload/