
Spook Ransomware | Prometheus Derivative Names Those That Pay, Shames Those That Don’t

28 October 2021 at 16:12

By Jim Walter and Niranjan Jayanand

Executive Summary

  • Spook Ransomware is an emerging player first seen in late September 2021
  • The operators publish details of all victims regardless of whether they pay or not
  • Targets range across several industries with an emphasis on manufacturing
  • Analysis shows a significant degree of code sharing between Spook and the Prometheus and Thanos ransomware families

Overview

Spook ransomware emerged onto the scene in late September 2021 and follows the multi-pronged extortion model that is all too common these days. Victims are hit with the threat of data destruction as well as public data leakage and the associated fallout. In this report, we explore how the malware shares certain similarities with earlier ransomware families, and describe its main encryption and execution behaviour.

Spook and Prometheus

There is some indication that Spook is either linked to, or derived from, Prometheus ransomware. Prometheus is itself an evolution of Thanos ransomware. However, it is important to note that since Thanos ransomware had a builder which was leaked, any real attempts at attribution based solely on the malware’s code is somewhat futile. Even so, there are a few notable similarities between Spook, Prometheus, and ultimately Thanos.

The .NET binary in the following sample, first seen in VirusTotal on 02 October, provides a glimpse into some of these similarities, with artifacts from the Thanos builder also apparent.
a63a5de26582af1438c9886cfb15c4baa08cce2e

Shared code block with Thanos

Our analysis suggests an overlap of between 29% and 50% in shared code between Spook and Prometheus. Some of this overlap is related to the construction of the ransom notes and key identifiers.

Ransom note similarity example (Prometheus vs Spook)

In addition to shared code artifacts, there are similarities with regards to the layout and structure of the Spook and Prometheus payment portals.

Below are the similarities between the leak-data URLs hosted by the two groups:

  • Spook ransomware:
    hxxp[:]//spookuhv****.onion/blog/wp-content/uploads/2021/05/1-15.png
  • Prometheus ransomware:
    hxxp[:]//promethw****.onion/blog/wp-content/uploads/2021/05/1-15.png

Offline Encryption and Process Manipulation

Spook, mirroring the manifestos of others, boasts “very strong (AES) encryption” along with the threat of leaking victim data to the public. The malware has the ability to encrypt target machines without requiring internet connectivity. Encryption of a full disk can occur within just a few minutes, at which point the ransom note is displayed on the desktop (RESTORE_FILES_INFO.HTA) along with numerous other system notifications.

The malware also makes a number of changes to ensure that the ransom notifications are displayed prominently after reboot (via Start Menu lnk, Reg).

WinLogon is modified (via registry) to display the Ransom Note text upon login:

	HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon
	Str Value: LegalNoticeCaption/Text


Registry Modifications for Persistence

Ransom notes are also displayed upon login via a Shortcut placed in the Startup directory

Startup Folder Shortcut

In addition, Spook will attempt to terminate processes and stop services of anything that may inhibit the encryption process.

Here again there is overlap between Spook, Prometheus, and Thanos in process discovery and manipulation, especially in checking for and killing the Raccine anti-ransomware process that some organizations deploy in an effort to protect shadow copies.

TASKKILL.EXE is used to force the termination of the following processes, if found:

	agntsvc.exe
	CNTAoSMgr.exe
	dbeng50.exe
	dbsnmp.exe
	encsvc.exe
	excel.exe
	firefoxconfig.exe
	hunderbird.exe
	infopath.exe
	isqlplussvc.exe
	mbamtray.exe
	msaccess.exe
	msftesql.exe
	mydesktopqos.exe
	mydesktopservice.exe
	mysqld-nt.exe
	Mysqld-opt.exe
	Mspub.exe
	mysqld.exe
	Ntrtscan.exe
	ocautoupds.exe
	ocomm.exe
	ocssd.exe
	onenote.exe
	oracle.exe
	outlook.exe
	PccNTMon.exe
	Powerpnt.exe
	RaccineSettings.exe
	sqbcoreservice.exe
	sqlagent.exe
	sqlbrowser.exe
	sqlservr.exe
	Sqlwriter.exe
	synctime.exe
	steam.exe
	tbirdconfig.exe
	thebat.exe
	thebat64.exe
	tmlisten.exe
	visio.exe
	winword.exe
	wordpad.exe
	xfssvccon.exe
	zoolz.exe
	taskkill.exe /IM ocomm.exe /F

Raccine is specifically targeted: the product’s UI components and update features are disabled. This is carried out via basic OS commands such as reg.exe and schtasks.exe.

	taskkill.exe /F /IM RaccineSettings.exe
	reg.exe (CLI interpreter) delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
	reg.exe (CLI interpreter) delete HKCU\Software\Raccine /F
	schtasks.exe (CLI interpreter) /DELETE /TN "Raccine Rules Updater" /F

In addition, sc.exe is used to change the start type of specific services, disabling the SQL-related ones and setting several others to start automatically:

	sc.exe config Dnscache start= auto
	sc.exe config SQLTELEMETRY start= disabled
	sc.exe config FDResPub start= auto
	sc.exe config SSDPSRV start= auto
	sc.exe config SQLTELEMETRY$ECWDB2 start= disabled
	sc.exe config SstpSvc start= disabled
	sc.exe config upnphost start= auto
	sc.exe config SQLWriter start= disabled

With various processes out of the way and the system in an optimal state for encryption, the malware proceeds to enumerate local files and folders, along with accessible network resources.

Given the Thanos pedigree, specifics around encryption can vary. The samples analyzed employ a random string at runtime as the passphrase for file encryption (AES). The string is subsequently encrypted with the attacker’s public key and added into the generated ransom note(s). Recovery of encrypted data is, therefore, not possible without the corresponding private key.

Ransom Payment and Victimology

Upon infection, victims are instructed to proceed to Spook’s TOR-based payment portal.

Spook Ransom Demand

At the payment portal, the victim is able to interact with the attackers via chat to negotiate payment.

Spook Payment Portal

Spook has been launching attacks against high-value targets across the globe, with little to no discretion with regards to industry. Looking at the current cross-section of victims posted on the group’s web site, however, the majority are in the manufacturing sector.

The public blog went live in early October 2021. At the time of writing, there are 17 victims posted on the Spook site.

Some of the victims named on the Spook blog site

Spook actually lists all attacked companies, regardless of whether or not they pay the ransom demand. Those victims that pay have their entry updated to indicate that the company’s data is ‘not for sale’. Those that have not paid are listed as having data that is “For Sale”, while some victim entries, presumably the most recent or those that are in the process of negotiating, are listed as “Company Decides”.


Conclusion

As these attacks continue to escalate and become more egregious, the need for true attack prevention is all the more critical. Spook’s tactic of publicly outing victims even if they pay threatens reputational harm to any compromised company, even one that follows the attackers’ payment demands.

This only continues to illustrate the importance of preventing attacks in the first place. Ransomware operators have moved beyond worrying about companies detecting the intrusion after the fact and attempting to recover encrypted data.

Indicators of Compromise

SHA256
8dad29bd09870ab9cacfdea9e7ab100d217ff128aea64fa4cac752362459991c
e347fd231a543a5dfd53b01ff0bc67b2bf37593e7ddc036f15bac8ad92f0d707
d991aa2b1fad608b567be28e2d13d3d4f48eea3dea8f5d51a8e42aa9a2637426

SHA1
a63a5de26582af1438c9886cfb15c4baa08cce2e
bfd0ab7eec4b282cc5689a48e8f438d042c9d98f
e2b098d36e51d2b7405fadbd578cf9774433f85a

MITRE ATT&CK
TA0005 – Defense Evasion
T1486 – Data Encrypted for Impact
T1027.002 – Obfuscated Files or Information: Software Packing
T1007 – System Service Discovery
T1059 – Command and Scripting Interpreter
T1112 – Modify Registry
TA0010 – Exfiltration
T1018 – Remote System Discovery
T1082 – System Information Discovery
T1547.004 – Boot or Logon Autostart Execution: Winlogon Helper DLL
T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Spook Ransom Note Sample

Hive Attacks | Analysis of the Human-Operated Ransomware Targeting Healthcare

23 August 2021 at 22:16

By Jim Walter & Juan Andres Guerrero-Saade

Executive Summary

  • Hive is a double-extortion ransomware group that first appeared in June 2021.
  • The group is notable in its undiscerning choice of targets, having no limits when it comes to healthcare providers and hospitals, as evidenced in a recent attack on Memorial Health System hospitals in Ohio.
  • Hive ransomware is written in Go to take advantage of the language’s concurrency features to encrypt files faster.
  • This report offers an overview of Hive TTPs as well as a reverse engineering deep dive into the ransomware payloads.
  • Hive remains active with as many as 30 victim companies listed on its Hive Leaks onion site at the time of writing.

Background

While many active ransomware groups have committed to forgoing attacks on medical targets in deference to the current global situation, Hive is not one of them. On August 15, 2021, news broke of a Hive campaign against Memorial Health System, an Ohio healthcare provider. As a result, the hospital was forced to advise some patients to seek treatment at separate facilities.

While some ransomware attacks hitting public health and critical infrastructure targets can be the result of a shotgun approach to targeting – mass phishing campaigns that execute malware blindly on victim devices without awareness of the victim environment – that is not the case with Hive. This is a human-operated ransomware attack designed to take input from the command line, indicating the attackers are both aware of the environment and tailoring their attacks for maximum impact.

Memorial Health Systems open statement on ransomware attack

Who is Hive?

Hive or “HiveLeaks” is a relatively new ransomware outfit that made its appearance on the scene in late June, 2021. Hive is yet another double extortion group, making their money off of a two-pronged attack: exfiltrating sensitive data before locking up the victims’ systems. This allows them to pressure the victim into paying greater sums than a conventional ransomware attack as they also face the threat of a mass leak of sensitive data. Hive’s schemes have proven successful so far as multiple leaks are currently posted on their victim blog. As of the time of writing, there are 30 companies currently named on the HiveLeaks site.

HiveLeaks site showing the timer before releasing victim files

We can’t put the toothpaste back in the tube for Memorial Health Systems, but we can at least contribute a breakdown of the Hive operators’ preferred techniques and a deep dive into their ransomware toolkit to help other potential victims.

Technical Analysis

Initial access can vary. Cobalt Strike implants are most often the tool of choice. They are delivered via phishing or emails in order to establish initial access. These beacons maintain persistence and allow the operators to expand their reach within the compromised environment. They are also used to launch the Hive payloads.

Recent campaigns opt for the use of ConnectWise. ConnectWise is a legitimate commercial remote administration tool that has been abused by multiple ransomware operators in recent years. This allows for persistence and management of their malware in environments where Cobalt Strike hasn’t been successful.

Once inside, attackers will attempt to dump credentials from LSASS by way of comsvcs.dll (MinDump) through rundll32.exe:

\Windows\system32\cmd.exe /C rundll32.exe
\Windows\System32\comsvcs.dll MinDump 752 lsass.dmp full

Additionally, WDigest may be manipulated to allow for the caching of cleartext credential data:

\Windows\system32\cmd.exe /C reg add
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v
UseLogonCredential /t REG_DWORD /d 1 && gpupdate /force
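Every command quoted for Spook and Hive on this page (the taskkill, reg.exe, schtasks.exe and sc.exe lines in the Spook section above; the comsvcs.dll MinDump and WDigest lines just shown; the vssadmin shadow-copy deletion in Hive’s shadow.bat described further down) leaves its fingerprint in the process command line that an EDR or Sysmon process-creation event records. The following Go program is an added example written for this page, not code from SentinelLabs or from either malware family: it runs a small rule set over constructed Sysmon-style log lines built from those commands. Rule names, the log format and the sample lines are our constructions; technique IDs T1003.001, T1112 and T1490 come from the page’s ATT&CK lists, while T1489 and T1562.001 are our own mapping.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Rule is one command-line pattern, named and mapped to an ATT&CK technique.
type Rule struct {
	Name, Technique string
	Pattern         *regexp.Regexp
}

// Hit is one rule firing on one log line.
type Hit struct {
	LineNo                       int
	Rule, Technique, CommandLine string
}

// Backup, database and security-agent names from Spook's taskkill list on this
// page; Office applications are left out because killing winword.exe alone is
// weak evidence of anything.
var spookKillTargets = []string{
	"agntsvc", "dbeng50", "dbsnmp", "encsvc", "mbamtray", "msftesql", "mysqld",
	"mysqld-nt", "mysqld-opt", "ntrtscan", "ocautoupds", "ocomm", "ocssd",
	"oracle", "pccntmon", "sqbcoreservice", "sqlagent", "sqlbrowser", "sqlservr",
	"sqlwriter", "tmlisten", "xfssvccon", "zoolz",
}

// BuildRules compiles the rule set. T1003.001, T1112 and T1490 are in the
// article's ATT&CK lists; T1489 and T1562.001 are our own mapping.
func BuildRules() []Rule {
	kill := strings.Join(spookKillTargets, "|")
	return []Rule{
		{"raccine-tamper", "T1562.001", regexp.MustCompile(
			`(?i)(taskkill\S*\s.*RaccineSettings\.exe|reg\S*\s+delete\s+.*Raccine|schtasks\S*\s+/DELETE\s+.*Raccine Rules Updater)`)},
		{"kill-backup-db-security", "T1489", regexp.MustCompile(
			`(?i)taskkill\S*\s.*/IM\s+(` + kill + `)\.exe`)},
		{"service-start-disabled", "T1489", regexp.MustCompile(
			`(?i)sc\S*\s+config\s+\S+\s+start=\s*disabled`)},
		// The page's transcription reads "MinDump"; the documented comsvcs.dll
		// export is "MiniDump", so the pattern accepts both spellings.
		{"lsass-dump-comsvcs", "T1003.001", regexp.MustCompile(
			`(?i)rundll32\S*\s.*comsvcs\.dll[ ,]+Mini?Dump\b`)},
		{"wdigest-cleartext-creds", "T1112", regexp.MustCompile(
			`(?i)reg\S*\s+add\s+.*\\WDigest\b.*UseLogonCredential.*/d\s+1\b`)},
		{"shadow-copy-delete", "T1490", regexp.MustCompile(
			`(?i)vssadmin\S*\s+delete\s+shadows\b`)},
	}
}

// MatchRules returns the names of every rule that fires on one command line.
func MatchRules(cmdline string, rules []Rule) []string {
	var names []string
	for _, r := range rules {
		if r.Pattern.MatchString(cmdline) {
			names = append(names, r.Name)
		}
	}
	return names
}

// ScanLog runs the rules over Sysmon-style process-creation lines, examining
// only the text after "CommandLine=".
func ScanLog(lines []string, rules []Rule) []Hit {
	var hits []Hit
	for i, line := range lines {
		idx := strings.Index(line, "CommandLine=")
		if idx < 0 {
			continue
		}
		cmd := line[idx+len("CommandLine="):]
		for _, r := range rules {
			if r.Pattern.MatchString(cmd) {
				hits = append(hits, Hit{i + 1, r.Name, r.Technique, cmd})
			}
		}
	}
	return hits
}

// SampleLog is constructed for this example: the command lines quoted in the
// article (timestamps invented) plus two lines that must not fire.
var SampleLog = []string{
	`2021-10-02T10:01:05Z ProcessCreate CommandLine=taskkill.exe /F /IM RaccineSettings.exe`,
	`2021-10-02T10:01:05Z ProcessCreate CommandLine=reg.exe delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F`,
	`2021-10-02T10:01:06Z ProcessCreate CommandLine=schtasks.exe /DELETE /TN "Raccine Rules Updater" /F`,
	`2021-10-02T10:01:07Z ProcessCreate CommandLine=taskkill.exe /IM sqlservr.exe /F`,
	`2021-10-02T10:01:08Z ProcessCreate CommandLine=sc.exe config SQLWriter start= disabled`,
	`2021-10-02T10:01:08Z ProcessCreate CommandLine=sc.exe config Dnscache start= auto`,
	`2021-08-15T03:12:44Z ProcessCreate CommandLine=cmd.exe /C rundll32.exe \Windows\System32\comsvcs.dll MinDump 752 lsass.dmp full`,
	`2021-08-15T03:12:50Z ProcessCreate CommandLine=cmd.exe /C reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 && gpupdate /force`,
	`2021-08-15T03:15:01Z ProcessCreate CommandLine=vssadmin.exe delete shadows /all /quiet`,
	`2021-08-15T03:15:02Z ProcessCreate CommandLine=taskkill /IM notepad.exe /F`,
}

func main() {
	for _, h := range ScanLog(SampleLog, BuildRules()) {
		fmt.Printf("line %2d  %-24s %-10s %s\n", h.LineNo, h.Rule, h.Technique, h.CommandLine)
	}
}
```

Run as-is the program reports eight hits and stays silent on the start= auto and notepad.exe lines. The rules deliberately key on the combination of tool and argument (taskkill plus a backup or database image name, sc.exe config plus start= disabled) rather than on the tool alone, since reg.exe, sc.exe and taskkill are also everyday administration commands.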

Additional tools like ADRecon may be used to further understand and traverse the compromised Active Directory (AD) environment. ADRecon is an open-source tool designed to do just that: map, traverse and enumerate an AD environment.

The Hive Payload

While the tools, techniques, and procedures mentioned above are fairly standard for ransomware groups these days, Hive utilizes their own closed-source ransomware. The payloads are written in Go and packed with UPX. After unpacking, the ransomware itself is over 2MB in size owing to the way Go packages statically-link all dependencies to create a reliably portable executable.

The developers are taking advantage of some of the native benefits of Go, particularly the ability to implement easy and reliable concurrency. On the other hand, Go is known for enabling easy cross-compilation across different operating systems but the manner in which Hive implements its functionality makes it Windows-specific, at this time.

The ransomware is designed to take input from the command line, indicating that it’s meant to be run directly by an operator or a script containing the desired parameters. The available flags are as follows.

Flags used by Hive Ransomware

These flags are largely self-explanatory with the exception of the final option, no-cleanpollDesc. This refers to a final phase in the ransomware’s functionality that looks for a file named swap.tmp in all logical drives and deletes it before the ransomware exits. The developers refer to this as ‘cleaning space’. At this time we don’t know what this file does, whether it’s a component generated during their operations, a native Windows file, or perhaps a reference to incomplete cross-platform functionality intended for future builds.

Go malware is usually considered difficult to reverse engineer, primarily due to the wealth of tangentially-related imported code baked into every executable. It’s important to isolate the code contributed by the malware developers. In this case, Hive devs contributed four packages orchestrated by the main() function: encryptor, keys, winutils, and config.

Custom packages under ‘google.com’ parent directory

Cursory examination might miss these as they’re housed under a parent package named google.com, perhaps to give the appearance that these are standard packages.

The main function parses the flags provided by the operator before initializing the ransomware functionality under encryptor.NewApp(). First it generates and exports the encryption keys and generates the ransom note. It directs the victim to a password-protected Onion domain:

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd[.]onion/

It also warns the victim of the impending disclosure of their stolen data at the Hive Leaks site:

http://hiveleakdbtnp76ulyhi52eag6c6tyc<redacted>.onion/

The main functionality is housed under encryptor.(*App).Run(), which does the following:

  1. App.ExportKeys() wraps around standard Go crypto functions, which it uses to generate RSA keys. A key file is exported.
  2. MountPoints() enumerates different types of drives and appends them to a slice (a dynamically-sized array in Go). This includes native logical drives, removable drives, and remote shares.
  3. Based on the kill flag, the malware proceeds to kill processes matching the regex provided. If no custom value is provided, the following default is used:
    "bmr|sql|oracle|postgres|redis|vss|backup|sstp"
    
  4. Based on the stop flag, the malware connects to the Windows service control manager and proceeds to stop services matching the regex provided.
  5. The malware creates a batch file to self-delete with the filename hive.bat, removing its own components from the disk via a new process.
    	timeout 1 || sleep 1
    	del "C:\Users\admin1\Desktop\hmod4.exe"
    	if exist "C:\Users\admin1\Desktop\hmod4.exe" goto Repeat
    	del "hive.bat"
    
  6. It creates a batch file to delete shadow copies under the filename shadow.bat and executes it as a separate process.
    	vssadmin.exe delete shadows /all /quiet
    	del shadow.bat
    
  7. In order to take advantage of Go’s concurrency features, the Hive devs run a Notify() function that is meant to watch the WaitGroup that keeps track of the parallel threads. As long as there are threads pending, this function will keep the program running.
  8. Now onto the real business of ransomware. ScanFiles() will populate a list of absolute filepaths fed into a channel (a queue of sorts). EncryptFiles() will then spawn threads that each take a file from that queue and encrypt it. This concurrency feature is the main advantage of writing this ransomware in Go and allows for much faster file encryption.
  9. Finally, the devs make sure to erase the encryption key from memory.
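Steps 7 and 8 describe a producer feeding file paths into a channel, a pool of goroutines consuming it, and a WaitGroup that keeps the program alive until the pool drains. The same shape is how a defender would write a fast on-disk indicator sweep, so the following Go program is an added example (ours, not Hive’s code and not SentinelLabs’) that walks a tree concurrently, SHA-256-hashes every regular file and reports any whose digest appears in an indicator map. The map is seeded with two SHA-256 values from this page’s IoC section; the labels, function names, worker count and channel sizes are our assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sync"
)

// Match records a file whose SHA-256 equals a known indicator.
type Match struct{ Path, Hash, Label string }

// HiveIOCs holds SHA-256 values copied from this page's IoC list; labels are ours.
var HiveIOCs = map[string]string{
	"93852dbd3a977cf2662b0c4db26b627736ba51c0df627eb36b41fdbde093c3c3": "hive.bat (page IoC)",
	"d158f9d53e7c37eadd3b5cc1b82d095f61484e47eda2c36d9d35f31c0b4d3ff8": "shadow.bat (page IoC)",
}

// HashFile streams a file through SHA-256 and returns the lowercase hex digest.
func HashFile(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// ScanTree has the producer/worker-pool shape the article describes for
// ScanFiles()/EncryptFiles(): one goroutine walks the tree into a channel,
// `workers` goroutines drain it, and a WaitGroup (the page's Notify() role)
// closes the results channel once the last worker is done.
func ScanTree(root string, iocs map[string]string, workers int) ([]Match, error) {
	if workers < 1 {
		workers = 1 // a pool of zero would leave the producer blocked forever
	}
	paths := make(chan string, 64)
	results := make(chan Match, 64)
	walkErr := make(chan error, 1)
	var wg sync.WaitGroup
	go func() { // producer: every regular file under root goes into paths
		defer close(paths)
		walkErr <- filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
			if err != nil {
				if p == root {
					return err // unreadable root is fatal
				}
				return nil // skip unreadable entries, keep walking
			}
			if d.Type().IsRegular() {
				paths <- p
			}
			return nil
		})
	}()
	for i := 0; i < workers; i++ { // consumers: hash each path, compare
		wg.Add(1)
		go func() {
			defer wg.Done()
			for p := range paths {
				if sum, err := HashFile(p); err == nil {
					if label, ok := iocs[sum]; ok {
						results <- Match{p, sum, label}
					}
				}
			}
		}()
	}
	go func() { wg.Wait(); close(results) }()
	var matches []Match
	for m := range results {
		matches = append(matches, m)
	}
	return matches, <-walkErr
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	matches, err := ScanTree(root, HiveIOCs, 8)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d indicator match(es) under %s\n", len(matches), root)
	for _, m := range matches {
		fmt.Printf("HIT %s %s (%s)\n", m.Hash[:12], m.Path, m.Label)
	}
}
```

Invoke it as `go run scan.go <root>` (the current directory is the default). Hashing is I/O-bound, so the worker count mostly limits concurrent open files; unreadable entries are skipped rather than aborting the sweep, but a missing or unreadable root is reported as an error.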

Ransom notes are deposited into each folder containing encrypted files (skipping the C:\Windows directory).

The ‘HOW_TO_DECRYPT.TXT’ ransom note

The ransom note instructs victims to visit the Hive portal via TOR and login with their assigned unique ID to continue the payment process.

Hive Victim Portal

Each infection campaign is assigned unique credentials available in the ransom note. This portal leads the victim to the standard ransomware ‘support’ area where they can upload freebie test files, communicate with their attackers, and receive their decryptor should they choose to pay (which, in an ideal world, they shouldn’t).

Conclusion

As these attacks continue to escalate and become more egregious, the need for true attack ‘prevention’ is all the more critical. While well-maintained and tested backup strategies are a must, they are not enough in these double-extortion cases.

Once executed, most modern ransomware will go after backup and storage volumes in fairly smart ways. Many have even evolved to target specific NAS devices and platforms. Some groups will bypass the encryption phase altogether and opt for pilfering data to openly extort victims with. While the latter scenario may seem preferable due to a lack of disruption, the reputational damage, potential liability, and threat to business viability remains. Hence our emphasis on prevention.

We urge all defenders to explore and embrace modern endpoint protection technologies that go beyond static checks, basic signatures, and other outdated components. Contextual awareness and automated behavioral classification are among the most powerful weapons defenders should avail themselves of.

Indicators of Compromise

FILE HASHES

SHA1
67f0c8d81aefcfc5943b31d695972194ac15e9f2
edba1b73ddd0e32784ae21844c940d7850531b82
2877b32518445c09418849eb8fb913ed73d7b8fb
cd8e4372620930876c71ba0a24e2b0e17dcd87c9
eaa2e1e2cb6c7b6ec405ffdf204999853ebbd54a
0f9484948fdd1b05bad387b14b27dc702c2c09ed
e3e8e28a70cdfa2164ece51ff377879a5151abdf
9d336b8911c8ffd7cc809e31d5b53796bb0cc7bb
1cc80ad88a022c429f8285d871f48529c6484734
3b40dbdc418d2d5de5f552a054a32bfbac18c5cc
2f3273e5b6739b844fe33f7310476afb971956dd
7777771aec887896be773c32200515a50e08112a
5dbe3713b309e6ecc208e2a6c038aeb1762340d4
480db5652124d4dd199bc8e775539684a19f1f24
Dc0ae41192272fda884a1a2589fe31d604d75af2

Hive.bat
C9471adc8db180a7da5a56966b156b440483856f

Shadow.bat
4714f1e6bb75a80a8faf69434726d176b70d7bd8

SHA256
a0b4e3d7e4cd20d25ad2f92be954b95eea44f8f1944118a3194295c5677db749
50ad0e6e9dc72d10579c20bb436f09eeaa7bfdbcb5747a2590af667823e85609
5ae51e30817c0d08d03f120539aedc31d094b080eb70c0691bbfbaa4ec265ef3
77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618
e1a7ddbf735d5c1cb9097d7614840c00e5c4d5107fa687c0ab2a2ec8948ef84e
ed614cba30f26f90815c28e189340843fab0fe7ebe71bb9b4a3cb7c78ff8e3d2
c5fe23c626413a18cba8fb4ea93df81529c85f470577fb9c2336d6b692689d9d
88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1
2f7d37c22e6199d1496f307c676223dda999c136ece4f2748975169b4a48afe5
fdbc66ebe7af710e15946e1541e2e81ddfd62aa3b35339288a9a244fb56a74cf
1e21c8e27a97de1796ca47a9613477cf7aec335a783469c5ca3a09d4f07db0ff
bf7bc94506eb72daec1d310ba038d9c3b115f145594fd271b80fbe911a8f3964
c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11
612e5ffd09ca30ca9488d802594efb5d41c360f7a439df4ae09b14bce45575ec
0df750bf15895d410c3f6ce45279ab0329c5c723af38b99aadc9a60bcdc9a71d
5954558d43884da2c7902ddf89c0cf7cd5bf162d6feefe5ce7d15b16767a27e5

Hive.bat
93852dbd3a977cf2662b0c4db26b627736ba51c0df627eb36b41fdbde093c3c3

Shadow.bat
D158f9d53e7c37eadd3b5cc1b82d095f61484e47eda2c36d9d35f31c0b4d3ff8

COMMUNICATIONS

Cobalt Beacon: 176.123.8.228

MITRE ATT&CK

T1574.001 – Hijack Execution Flow: DLL Search Order Hijacking
TA0005 – Defense Evasion
TA0004 – Privilege Escalation
T1486 – Data Encrypted for Impact
T1027.002 – Obfuscated Files or Information: Software Packing
T1003.001 – OS Credential Dumping: LSASS Memory
T1007 – System Service Discovery
T1059 – Command and Scripting Interpreter
T1059.001 – Command and Scripting Interpreter: PowerShell
T1059.003 – Command and Scripting Interpreter: Windows Command Shell
T1490 – Inhibit System Recovery

The Good, the Bad and the Ugly in Cybersecurity – Week 34

20 August 2021 at 15:00

The Good

This week updated guidance was released from CISA (Cybersecurity and Infrastructure Security Agency) on “Ransomware-Caused Data Breaches”. As the stakes continue to rise, along with the ransom amounts, CISA is hoping organizations “adopt a heightened state of awareness” and implement the variety of recommendations provided in the guidance.

In terms of prevention specifically, the guidance touches on backups, BCP (business continuity planning) and technical exposure mitigation (audit exposed RDP, conduct regular vulnerability scanning). The prevention section also covers cyber hygiene, patching, pentesting and the like.

For organizations that find themselves needing to respond to a ransomware-related breach, the final section in the guidance includes operational planning, triage practices, forensics, and both internal and external communication plans. In addition, the new document provides links to numerous related resources.

Ebook: Understanding Ransomware in the Enterprise
This guide will help you understand, plan for, respond to and protect against this now-prevalent threat. It offers examples, recommendations and advice to ensure you stay unaffected by the constantly evolving ransomware menace.

CISA’s updated guidance serves as a good “cheat sheet” or jumping-off point for sharpening your ransomware and breach response skills. We encourage all to review the guidance and apply these safe practices where required.

The Bad

It was not too long ago that stories were circulating about Ring security cameras, baby monitors, and similar “smart” devices being hacked and used to frighten, eavesdrop, or worse. A similarly impactful flaw to another Video Surveillance as a Platform service was recently discovered and disclosed by FireEye.

The vulnerability, CVE-2021-28372, affects devices associated with the Kalay IoT platform (ThroughTek). The flaw is specific to the SDK (software development kit) and therefore potentially affects a limitless number of devices. This bug allows attackers a very straightforward way to hijack the connection between devices and the Kalay cloud. Attackers can masquerade as a ThroughTek device by presenting a valid 20-byte UID (Unique Identifier). Armed with this knowledge (and the correct IDs), attackers can force their way into the communication stream and intercept credentials or force challenges on the devices to cause users to supply them.

A joint alert was posted by FireEye and CISA (Cybersecurity and Infrastructure Security Agency) on August 17th. The vendor, ThroughTek, has provided multiple solutions based on various versions of the SDK. Versions 3.1.10 and above are recommended to enable AuthKey and DTLS. For previous versions, the same steps are recommended but preceded by an upgrade to SDK 3.1.10 or above.

IoT devices are only going to become more prevalent, and it is vital that consumers – both businesses and personal – are mindful of the security (or lack thereof) with some of these devices. Always take the time to familiarize yourself with the vendor and any potential patches for anything you plan on connecting to your network.

The Ugly

This past week brought the latest chapter in the ongoing saga revealed through the joint efforts of researcher Orange Tsai (DEVCORE Research Team) and ZDI (Zero Day Initiative). We have previously covered ProxyLogon and ProxyOracle. The ProxyLogon flaw was heavily exploited as part of the widespread attacks on Exchange servers earlier this year. To add to these previous vulnerabilities, we now have details of the follow-up, ProxyShell. Technically speaking, ProxyShell consists of three separate flaws, tracked by CVE as follows:

CVE-2021-31207 – Microsoft Exchange Server Security Feature Bypass Vulnerability
CVE-2021-34473 – Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2021-34523 – Microsoft Exchange Server Elevation of Privilege Vulnerability

Stringing these three flaws together in exposed environments will allow an attacker to establish persistence and quickly execute malicious PowerShell commands. Upon successful exploitation, an attacker could potentially take full control of exposed Microsoft Exchange servers.

Proof-of-concept code is currently available for ProxyShell along with thorough documentation. While Microsoft has released patches for all of these CVEs across the April and May monthly releases, the researcher notes that “Exchange Server is a treasure waiting for you to find bugs…I can assure you that Microsoft will fix more Exchange vulnerabilities in the future”.

These are high-severity flaws, and the waves carrying these flaws into our data centers are getting larger and more difficult to predict and control. Knowledge is a powerful tool, and we encourage all to stay up to date on this style of vulnerability specifically. Good hygiene and preparedness, along with a properly configured and modern endpoint security platform, will keep your environment safe from these attacks.



Hive Attacks | Analysis of the Human-Operated Ransomware Targeting Healthcare

23 August 2021 at 15:16

By Jim Walter & Juan Andres Guerrero-Saade

Executive Summary

  • Hive is a double-extortion ransomware group that first appeared in June 2021.
  • The group is notable in its undiscerning choice of targets, having no limits when it comes to healthcare providers and hospitals, as evidenced in a recent attack on Memorial Health System hospitals in Ohio.
  • Hive ransomware is written in Go to take advantage of the language’s concurrency features to encrypt files faster.
  • This report offers an overview of Hive TTPs as well as a reverse engineering deep dive into the ransomware payloads.
  • Hive remains active with as many as 30 victim companies listed on its Hive Leaks onion site at the time of writing.

Background

While many active ransomware groups have committed to forgoing attacks on medical targets in deference to the current global situation, Hive is not one of them. On August 15, 2021, news broke of a Hive campaign against Memorial Health System, an Ohio healthcare provider. As a result, the hospital was forced to advise some patients to seek treatment at separate facilities.

While some ransomware attacks hitting public health and critical infrastructure targets can be the result of a shotgun approach to targetting – mass phishing campaigns that execute malware blindly on victim devices without awareness of the victim environment – that is not the case with Hive. This is a human-operated ransomware attack designed to take input from the command line, indicating the attackers are both aware of the environment and tailoring their attacks for maximum impact.

Memorial Health Systems open statement on ransomware attack

Who is Hive?

Hive or “HiveLeaks” is a relatively new ransomware outfit that made its appearance on the scene in late June, 2021. Hive is yet another double extortion group, making their money off of a two-pronged attack: exfiltrating sensitive data before locking up the victims’ systems. This allows them to pressure the victim into paying greater sums than a conventional ransomware attack as they also face the threat of a mass leak of sensitive data. Hive’s schemes have proven successful so far as multiple leaks are currently posted on their victim blog. As of the time of writing, there are 30 companies currently named on the HiveLeaks site.

HiveLeaks site showing the timer before releasing victim files

We can’t put the toothpaste back in the tube for Memorial Health Systems, but we can at least contribute a breakdown of the Hive operators’ preferred techniques and a deep dive into their ransomware toolkit to help other potential victims.

Technical Analysis

Initial acces can vary. Cobalt Strike implants are most often the tool of choice. They are delivered via phishing or emails in order to establish initial access. These beacons maintain persistence and allow the operators to expand their reach within the compromised environment. They are also used to launch the Hive payloads.

Recent campaigns opt for the use of ConnectWise. ConnectWise is a legitimate commercial remote administration tool that has been abused by multiple ransomware operators in recent years. This allows for persistence and management of their malware in environments where Cobalt Strike hasn’t been successful.

Once inside, attackers will attempt to dump credentials by way of consvcs.dll (MinDump) though rundll32.exe:

\Windows\system32\cmd.exe /C rundll32.exe
\Windows\System32\comsvcs.dll MinDump 752 lsass.dmp full

Additionally, WDigest may be manipulated to allow for the caching of cleartext credential data:

\Windows\system32\cmd.exe /C reg add
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v
UseLogonCredential /t REG_DWORD /d 1 && gpupdate /force

Additional tools like ADRecon may be used to further understand and traverse the compromised Active Directory (AD) environment. ADRecon is an open-source tool designed to do just that– to map, traverse and enumerate an AD environment.

The Hive Payload

While the tools, techniques, and procedures mentioned above are fairly standard for ransomware groups these days, Hive utilizes their own closed-source ransomware. The payloads are written in Go and packed with UPX. After unpacking, the ransomware itself is over 2MB in size owing to the way Go packages statically-link all dependencies to create a reliably portable executable.

The developers are taking advantage of some of the native benefits of Go, particularly the ability to implement easy and reliable concurrency. On the other hand, Go is known for enabling easy cross-compilation across different operating systems but the manner in which Hive implements its functionality makes it Windows-specific, at this time.

The ransomware is designed to take input from the command line, indicating that it’s meant to be run directly by an operator or a script containing the desired parameters. The available flags are as follows.

Flags used by Hive Ransomware

These flags are largely self-explanatory with the exception of the final option, no-cleanpollDesc. This refers to a final phase in the ransomware’s functionality that looks for a file named swap.tmp in all logical drives and deletes it before the ransomware exits. The developers refer to this as ‘cleaning space’. At this time we don’t know what this file does, whether it’s a component generated during their operations, a native Windows file, or perhaps a reference to incomplete cross-platform functionality intended for future builds.

Go malware is usually considered difficult to reverse engineer, primarily due to the wealth of tangentially-related imported code baked into every executable. It’s important to isolate the code contributed by the malware developers. In this case, Hive devs contributed four packages orchestrated by the main() function: encryptor, keys, winutils, and config.

Custom packages under ‘google.com’ parent directory

Cursory examination might miss these as they’re housed under a parent package named google.com, perhaps to give the appearance that these are standard packages.

The main function parses the flags provided by the operator before initializing the ransomware functionality under encryptor.NewApp(). It first generates and exports the encryption keys and then generates the ransom note, which directs the victim to a password-protected Onion domain:

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd[.]onion/

It also warns the victim of the impending disclosure of their stolen data at the Hive Leaks site:

http://hiveleakdbtnp76ulyhi52eag6c6tyc<redacted>.onion/

The main functionality is housed under encryptor.(*App).Run(), which does the following:

  1. App.ExportKeys() wraps standard Go crypto functions, which it uses to generate RSA keys. A key file is exported.
  2. MountPoints() enumerates different types of drives and appends them to a slice (a dynamically-sized array in Go). This includes native logical drives, removable drives, and remote shares.
  3. Based on the kill flag, the malware proceeds to kill processes matching the regex provided. If no custom value is provided, the following default is used:
    "bmr|sql|oracle|postgres|redis|vss|backup|sstp"
    
  4. Based on the stop flag, the malware connects to the Windows service control manager and proceeds to stop services matching the regex provided.
  5. The malware creates a batch file to self-delete with the filename hive.bat, removing its own components from the disk via a new process.
    	timeout 1 || sleep 1
    	del "C:\Users\admin1\Desktop\hmod4.exe"
    	if exist "C:\Users\admin1\Desktop\hmod4.exe" goto Repeat
    	del "hive.bat"
    
  6. It creates a batch file to delete shadow copies under the filename shadow.bat and executes it as a separate process.
    	vssadmin.exe delete shadows /all /quiet
    	del shadow.bat
    
  7. In order to take advantage of Go’s concurrency features, the Hive devs run a Notify() function that is meant to watch the WaitGroup that keeps track of the parallel threads. As long as there are threads pending, this function will keep the program running.
  8. Now onto the real business of ransomware. ScanFiles() will populate a list of absolute filepaths fed into a channel (a queue of sorts). EncryptFiles() will then spawn threads that each take a file from that queue and encrypt it. This concurrency feature is the main advantage of writing this ransomware in Go and allows for much faster file encryption.
  9. Finally, the devs make sure to erase the encryption key from memory.
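
The kill/stop regex and the command lines quoted in this section (the WDigest registry change above, the vssadmin shadow-copy deletion, and the hive.bat/shadow.bat helpers) map directly onto process-creation telemetry. The Go program below is an added example written for this page; it is not Hive's code and not SentinelLabs' tooling. The rule names, the case-insensitive matching of the kill list, and the sample command lines are my own constructions modelled on the commands quoted in the report.

```go
package main

import (
	"fmt"
	"regexp"
)

// HiveDefaultKillRegex is the default process-kill pattern reported above.
const HiveDefaultKillRegex = "bmr|sql|oracle|postgres|redis|vss|backup|sstp"

// Rule pairs a detection name with a pattern run over a process command line.
type Rule struct {
	Name string
	Re   *regexp.Regexp
}

// CommandLineRules cover the command lines quoted in this report. Matching is
// case-insensitive; adjust the patterns to the quoting of your own telemetry.
var CommandLineRules = []Rule{
	{"wdigest_cleartext_creds", regexp.MustCompile(`(?i)\breg(?:\.exe)?\s+add\b.*wdigest.*uselogoncredential.*\s/d\s+1\b`)},
	{"shadow_copy_deletion", regexp.MustCompile(`(?i)\bvssadmin(?:\.exe)?\s+delete\s+shadows\b.*/all`)},
	{"hive_batch_helper", regexp.MustCompile(`(?i)\b(?:hive|shadow)\.bat\b`)},
}

// MatchKillList returns, in input order, the process or service names that the
// kill/stop regex would select. Case-insensitive matching is an assumption made
// here so that defenders see the broadest plausible set of affected services.
func MatchKillList(pattern string, names []string) ([]string, error) {
	re, err := regexp.Compile("(?i)" + pattern)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, n := range names {
		if re.MatchString(n) {
			out = append(out, n)
		}
	}
	return out, nil
}

// ClassifyCommandLine returns the name of every rule that matches one command line.
func ClassifyCommandLine(cmdline string) []string {
	var out []string
	for _, r := range CommandLineRules {
		if r.Re.MatchString(cmdline) {
			out = append(out, r.Name)
		}
	}
	return out
}

// SampleEvents are constructed process-creation command lines modelled on the
// commands quoted in the report; they are not captured telemetry.
var SampleEvents = []string{
	`\Windows\system32\cmd.exe /C reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 && gpupdate /force`,
	`cmd.exe /c shadow.bat`,
	`vssadmin.exe delete shadows /all /quiet`,
	`C:\Windows\System32\notepad.exe C:\Users\admin1\Desktop\notes.txt`,
}

func main() {
	// Which of these (constructed) running names would the default kill list hit?
	hits, _ := MatchKillList(HiveDefaultKillRegex, []string{"sqlservr.exe", "explorer.exe", "vssvc.exe", "Redis-Server"})
	fmt.Println("would be killed/stopped:", hits)
	for _, ev := range SampleEvents {
		fmt.Printf("%-48.48s -> %v\n", ev, ClassifyCommandLine(ev))
	}
}
```

Run over Sysmon Event ID 1 or Windows Security 4688 command lines, the three rules flag the credential-caching change, the shadow-copy deletion and the batch helpers independently, so a host that trips two of them within minutes stands out even if the packed payload itself was not caught. The kill-list check is useful the other way round: feeding it your own service inventory tells you which backup, database and VSS services would be stopped before encryption begins, which is where monitoring for unexpected service stops pays off.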

Ransom notes are deposited into each folder containing encrypted files (skipping the C:\windows directory).

The ‘HOW_TO_DECRYPT.TXT’ ransom note

The ransom note instructs victims to visit the Hive portal via TOR and login with their assigned unique ID to continue the payment process.

Hive Victim Portal

Each infection campaign is assigned unique credentials available in the ransom note. This portal leads the victim to the standard ransomware ‘support’ area where they can upload freebie test files, communicate with their attackers, and receive their decryptor should they choose to pay (which, in an ideal world, they shouldn’t).

Conclusion

As these attacks continue to escalate and become more egregious, the need for true attack ‘prevention’ is all the more critical. While well-maintained and tested backup strategies are a must, they are not enough in these double-extortion cases.

Once executed, most modern ransomware will go after backup and storage volumes in fairly smart ways. Many have even evolved to target specific NAS devices and platforms. Some groups will bypass the encryption phase altogether and opt for pilfering data to openly extort victims with. While the latter scenario may seem preferable due to a lack of disruption, the reputational damage, potential liability, and threat to business viability remains. Hence our emphasis on prevention.

We urge all defenders to explore and embrace modern endpoint protection technologies that go beyond static checks, basic signatures, and other outdated components. Contextual awareness and automated behavioral classification are among the most powerful weapons defenders should avail themselves of.

Indicators of Compromise

FILE HASHES

SHA1
67f0c8d81aefcfc5943b31d695972194ac15e9f2
edba1b73ddd0e32784ae21844c940d7850531b82
2877b32518445c09418849eb8fb913ed73d7b8fb
cd8e4372620930876c71ba0a24e2b0e17dcd87c9
eaa2e1e2cb6c7b6ec405ffdf204999853ebbd54a
0f9484948fdd1b05bad387b14b27dc702c2c09ed
e3e8e28a70cdfa2164ece51ff377879a5151abdf
9d336b8911c8ffd7cc809e31d5b53796bb0cc7bb
1cc80ad88a022c429f8285d871f48529c6484734
3b40dbdc418d2d5de5f552a054a32bfbac18c5cc
2f3273e5b6739b844fe33f7310476afb971956dd
7777771aec887896be773c32200515a50e08112a
5dbe3713b309e6ecc208e2a6c038aeb1762340d4
480db5652124d4dd199bc8e775539684a19f1f24
dc0ae41192272fda884a1a2589fe31d604d75af2

Hive.bat
c9471adc8db180a7da5a56966b156b440483856f

Shadow.bat
4714f1e6bb75a80a8faf69434726d176b70d7bd8

SHA256

Hive.bat
93852dbd3a977cf2662b0c4db26b627736ba51c0df627eb36b41fdbde093c3c3

Shadow.bat
d158f9d53e7c37eadd3b5cc1b82d095f61484e47eda2c36d9d35f31c0b4d3ff8
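
Steps 7 and 8 of the Run() walkthrough above describe the channel-plus-WaitGroup worker pool that gives the payload its encryption speed. The same pattern runs just as well in the defender's direction: sweeping a file tree and hashing it against the SHA1 indicators listed here. The program below is an added example for this page, not Hive's code and not SentinelLabs' tooling. The function names (TriageDir, SHA1Hex), the ConstructedPayload stand-in and the temporary sample tree are my own constructions; HiveSHA1 holds only a few of the hashes from the list above and is meant to be extended with the rest.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sync"
)

// HiveSHA1 holds a few of the SHA1 indicators listed above (lowercased);
// extend it with the rest of the list for real use.
var HiveSHA1 = map[string]string{
	"67f0c8d81aefcfc5943b31d695972194ac15e9f2": "hive payload",
	"edba1b73ddd0e32784ae21844c940d7850531b82": "hive payload",
	"dc0ae41192272fda884a1a2589fe31d604d75af2": "hive payload",
	"c9471adc8db180a7da5a56966b156b440483856f": "hive.bat",
	"4714f1e6bb75a80a8faf69434726d176b70d7bd8": "shadow.bat",
}

// ConstructedPayload is a stand-in file body that produces a hit in the demo
// tree; it is constructed for this example and is not malware.
const ConstructedPayload = "constructed stand-in for a Hive payload; not real malware\n"

// Hit records one file whose SHA1 matched an indicator.
type Hit struct{ Path, SHA1, Label string }

// SHA1Hex returns the lowercase hex SHA1 of b.
func SHA1Hex(b []byte) string { s := sha1.Sum(b); return hex.EncodeToString(s[:]) }

// hashFile streams a file through SHA1 without loading it into memory.
func hashFile(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha1.New()
	_, err = io.Copy(h, f)
	return hex.EncodeToString(h.Sum(nil)), err
}

// TriageDir walks root, feeds regular files into a channel and hashes them on a
// pool of workers tracked by a WaitGroup; files whose SHA1 is in known are hits.
func TriageDir(root string, known map[string]string, workers int) ([]Hit, error) {
	paths := make(chan string)
	var mu sync.Mutex
	var hits []Hit
	var wg sync.WaitGroup
	for i := 0; i < workers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for p := range paths {
				sum, err := hashFile(p)
				if err != nil {
					continue // unreadable file: skip it rather than stall the pool
				}
				if label, ok := known[sum]; ok {
					mu.Lock()
					hits = append(hits, Hit{p, sum, label})
					mu.Unlock()
				}
			}
		}()
	}
	walkErr := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err == nil && d.Type().IsRegular() {
			paths <- p
		}
		return nil // keep walking past unreadable entries
	})
	close(paths) // no more work: workers drain the channel and exit
	wg.Wait()
	return hits, walkErr
}

func main() {
	root, err := os.MkdirTemp("", "hive-triage-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	must := func(err error) {
		if err != nil {
			panic(err)
		}
	}
	// Constructed sample tree: one stand-in "payload" next to a benign file.
	must(os.WriteFile(filepath.Join(root, "hmod4.exe"), []byte(ConstructedPayload), 0o644))
	must(os.WriteFile(filepath.Join(root, "notes.txt"), []byte("benign\n"), 0o644))
	known := map[string]string{SHA1Hex([]byte(ConstructedPayload)): "constructed sample"}
	for k, v := range HiveSHA1 {
		known[k] = v
	}
	hits, err := TriageDir(root, known, 4)
	must(err)
	for _, h := range hits {
		fmt.Printf("%s  sha1=%s  (%s)\n", h.Path, h.SHA1, h.Label)
	}
}
```

Hash-based sweeps only catch the exact builds listed, so treat a sweep like this as a quick scoping step after an alert rather than as prevention; the behavioural indicators in the previous section age far more slowly than the hashes.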

COMMUNICATIONS

Cobalt Beacon: 176.123.8.228

MITRE ATT&CK

T1574.001 – Hijack Execution Flow: DLL Search Order Hijacking
TA0005 – Defense Evasion
TA0004 – Privilege Escalation
T1486 – Data Encrypted for Impact
T1027.002 – Obfuscated Files or Information: Software Packing
T1003.001 – OS Credential Dumping: LSASS Memory
T1007 – System Service Discovery
T1059 – Command and Scripting Interpreter
T1059.001 – Command and Scripting Interpreter: PowerShell
T1059.003 – Command and Scripting Interpreter: Windows Command Shell
T1490 – Inhibit System Recovery

The post Hive Attacks | Analysis of the Human-Operated Ransomware Targeting Healthcare appeared first on SentinelLabs.
