How Hive Ransomware Targets Organizations

"ProxyShell" vulnerabilities in Microsoft Exchange Server were exploited to encrypt an unnamed customer's network in a recent Hive ransomware attack by an affiliate.

According to Varonis security researcher Nadav Ovadia's post-mortem analysis of the incident, "The actor achieved its malicious goals and encrypted the environment in less than 72 hours from the initial compromise," Ovadia wrote.

After infecting a victim's network and encrypting their files, Hive, which was first discovered in June of 2021, follows the lucrative ransomware as a service (RaaS) model used by other cybercriminal groups in recent years.

As part of the ProxyShell attack, which has been classified as CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473, the attacker gains access to vulnerable Microsoft Exchange Servers, allowing them to run arbitrary code on the system.

Patch Tuesday updates for April and May 2021, addressed the problems.

Web shells were successfully deployed on the compromised server, allowing the adversary to run malicious PowerShell code with SYSTEM privileges to create a new backdoor administrator user, hijack the domain administrator account, and perform the lateral movement in this case. n

A random mix of characters was used to encrypt and disguise the filenames of the web shells used in the attack, according to Ovadia. Cobalt Strike's obfuscated PowerShell script was also run during the attack.

To begin with, the ransomware executable (named "Windows.exe") was used to scan the network for valuable files, before being used to complete the encryption process and display the ransom note to the victim.

In order to avoid detection, prevent recovery, and ensure that the encryption goes off without a hitch, the malware also deletes shadow copies, turns off security products, and clears Windows event logs.

More evidence that patching known vulnerabilities are essential in the fight against cyberattacks and other bad actors.

Threat actors' preferred method of maximizing profits, ransomware attacks, has grown significantly in recent years. Damage to an organization's reputation, disruption of normal operations, or even loss of sensitive data may result from it.