On the FootSteps of Hive Ransomware
07/26/2022
Introduction
Hive ransomware is one of the most active financially motivated threat actors of this period, adopting the current Double Extorsion model. They started their malicious activities in June of the past year, and just in a year of activity they collected a big number of victims, demonstrating the capability to hit even critical infrastructures.
The criminal group distinguished from other ones also for attacking healthcare organization during the 2021 when we had to face off the Covid-19 pandemic. It was emblematic that one of the first victims was the Memorial Health System in August 2021.
For these reasons, Yoroi’s Malware ZLab decided to keep track of this infamous threat actor and observe any modification of its modus operandi, in order to provide a guideline focusing on the evolution of the locker sample of the cyber gang.
About Hive
Hive (TH-313) is a Ransomware group firstly spotted in June 2021 and it gathered a big popularity inside the cybersecurity community because it was able to attack a large variety of sectors, starting from healthcare facilities and arriving to critical infrastructures, passing through manufacturers during just a year of activity.
In addition, the group was able to refine its toolkit and then its TTPs with a surprising speed: the business model is the Double-Extorsion and Ransomware-as-a-Service, with a self-made ransomware payload.
So, in this report we have decided to focus our attention on the ransomware payload evolution, providing a timeline of the development of Hive Ransomware Payloads.
Timeline of the development of Hive Ransomware
Inside the criminal group, there is surely a high-profile development team, with deep knowledge of programming in both newer and older programming languages. The first versions of the encryptor payload are written in Golang, then, starting from the v5 version, the dev team of Hive switched into Rust.
In the following timeline, we provide a quick overview of the evolution of the malware and how the cyber gang adopted an incremental development process on its TTPs:
In the same way, even the Ransom Note changed during the evolution: first, the credentials were hardcoded inside the sample, but now the operators pass them as a parameter when the locker process is launched. Below a comparison between an earlier version and a later one:
Victimology
During its activity, Hive Group hit a large number of victims and during that period some of them paid the ransom, after that the victims were removed from the “walk of shame”. We tracked a total of 130 victims listed on their leak site, the affected companies belong to different sectors and nations. However, we have evidence that occasionally some victims of the group, despite being attacked by the threat actor, are never reported onto the site.
Moreover, the group does not exclude hospitals, companies that provide medical equipment and non-profit organizations. An example is the attack on the "Memorial Health System" in August 2021 or more recently on the "Partnership HealthPlan of California", a non-profit organization.
The following graph shows the total progress of the victims so far, indicating that the group is consolidating its role as one of the principal threats in the panorama.
Another view of the same information is represented in the following graph, where the focus is pointed to highlight the month in which most victims were published on their leak site, which turns out to be July 2021, shortly after the group started. So, it means that the ransomware operators gathered a consistent number of victims during the startup phase, in order to create a solid placement inside the threat landscape. After that phase, the gang continued to threaten with huge aggression.
Hive v1
| Hash | 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1 |
| Threat | Ransomware |
| Brief Description | Hive Ransomware v1 |
| SSDEEP | 12288:CinNFNkY/yU97ppM4NSBG81Np2C9H4S3iDjlLtc4wCIITIQaOI6NrwacVYV+4MsT:CinN3n/y67jM4v4kCSPDjlLtbwt8IQLH |
The first version, written in Golang, was a sophisticated encryptor program, but, due to the newness of the malicious activity, there is no track of obfuscation, and the strings can be easily seen, the following figure shows some of the available parameters:
The initial effort of the gang was to make a product quite customizable according to the infection and the encryption process to perform. In this way, the malware writers provided a series of parameters to launch an ad-hoc infection profile.
The following table describes all the available parameters found in this version:
| Parameter | Description |
| -kill | Regex, names of the processes to kill. Default values: “mspub|msdesktop” |
| -no-clean | Skip clean disk space stage |
| -skip | Regex, names of the files to skip. Default values: “\\.lnk” |
| -skip-before | Skip files before a specific date. Defaut value: “03.09.2016” |
| -stop | Regex, names of the services to stop. Default values: "bmr|sql|oracle|postgres|redis|vss|backup|sstp" |
| -t | Number of threads |
Once the parameters are parsed, creating the desired infection profile, the control flow passes to the core malicious operations.
The locker sample proceeds to export the key, to kill the processes and services specified and to remove the shadow copies then it iterates the directories and starts encrypting the files.
The core of the encryption scheme of Hive ransomware is a union of XOR+RSA algorithms. In the figure below we can see the XOR related routine:
Then, in this first version, it uses “.hive” as extension to the encrypted files, later it is used a unique ID instead. Moreover, the RemoveItself routine drops “hive.bat” to remove itself. But, since the second version of the malware calls the related function after the encryption is complete:
RemoveShadowCopies drops “shadow.bat” to remove the shadow copies, from the second version will directly execute the command instead of dropping a .bat:
Hive V2
| Hash | 25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5 |
| Threat | Ransomware |
| Brief Description | Hive Ransomware v2 |
| SSDEEP | 12288:Sw41dVZvThPCsM18GLHe7wlDdkPAQEtxr0fflvRmhEBWtdUJiAUtP/T/kAfMvgV:dod1HDmlDdkZ4YXPpaTTXMw |
With the second version of Hive, the malware writers started to complicate the code in order to make the analysis more difficult for the analyst. The initial step is to obfuscate the “Go Build ID” header present in all golang- written binaries.
The simple trick causes that, when opening a disassembler, like IDA, the analyst can immediately see Golang not being recognized. However, a simple fix provides the overwriting of the build-id with a legit one.
In addition, now the strings are obfuscated, and the names of the functions present inside the main are not visible in cleartext:
In the following screen two different routines for the strings obfuscation is provided:
The help command has also changed, it has more default values, the “-t” and “-skip” parameters have been removed, “-grant” has been added and “-no-clean” renamed to “-no-wipe”
| Parameter | Description |
| -grant | Grant permissions to all files |
| -kill | Regex, names of the processes to kill. Default values: "agntsvc|sql|CNTAoSMgr|dbeng50|dbsnmp|encsvc|excel|firefoxconfig|infopath|mbamtray|msaccess|mspub|mydesktop|Ntrtscan|ocautoupds|ocomm|ocssd|onenote|oracle|outlook|PccNTMon|powerpnt|sqbcoreservice|steam|synctime|tbirdconfig|thebat|thunderbird|tmlisten|visio|word|xfssvccon|zoolz" |
| -no-wipe | Skip wipe of free space |
| -stop | Regex, names of the services to stop. Default values: "acronis|AcrSch2Svc|Antivirus|ARSM|AVP|backup|bedbg|CAARCUpdateSvc|CASAD2DWebSvc|ccEvtMgr|ccSetMgr|Culserver|dbeng8|dbsrv12|DCAgent|DefWatch|EhttpSrv|ekrn|Enterprise Client Service|EPSecurityService|EPUpdateService|EraserSvc11710|EsgShKernel|ESHASRV|FA_Scheduler|firebird|IISAdmin|IMAP4Svc|Intuit|KAVFS|KAVFSGT|kavfsslp|klnagent|macmnsvc|masvc|MBAMService|MBEndpointAgent|McAfee|McShield|McTaskManager|memtas|mepocs|mfefire |mfemms|mfevtp|MMS|MsDtsServer|MsDtsServer100|MsDtsServer110|msexchange|msmdsrv|MSOLAP|MVArmor|MVarmor64|NetMsmqActivator|ntrtscan|oracle|PDVFSService|POP3Svc|postgres|QBCFMonitorService|QBFCService|QBIDPService|redis|report|RESvc|RTVscan|sacsvr|SamSs|SAVAdminService|SavRoam|SAVService|SDRSVC|SepMasterService|ShMonitor|Smcinst|SmcService|SMTPSvc|SNAC|SntpService|sophos|sql|SstpSvc|stc_raw_agent|^svc|swi_|Symantec|TmCCSF|tmlisten|tomcat|TrueKey|UI0Detect|veeam|vmware|vss|W3Svc|wbengine|WebClient|wrapper|WRSVC|WSBExchange|YooIT|zhudongfangyu|Zoolz" |
The string obfuscation process does not impact the structure of the main function, following a comparison of these two versions.
Hive V3
| Hash | 8a461e66ae8a53ffe98d1e2e1dc52d015c11d67bd9ed09eb4be2124efd73ccd5 |
| Threat | Ransomware |
| Brief Description | Hive Ransomware v3 |
| SSDEEP | 49152:gWVNVvSGbjmrb/T6vO90dL3BmAFd4A64nsfJuhQ8jmp4S3C5CEg+eNgiQJfOqAD:gWYQjPhQCmppnMfO |
In this version the “-skip” parameter has been restored and, in another sample (3858e95bcf18c692f8321e3f8380c39684edb90bb622f37911144950602cea21), we found a new parameter named “scan”:
| Parameter | Description |
| -scan | Scan local network for shares |
Comparing the logs from the v1 we can spot the following differences:
- The key name is longer and it has a random extension
- It shows the time elapsed for the encryption of each file
Linux/FreeBSD version
The third version of the development of Hive ransomware saw the porting of the codebase for other operating systems, such as Linux/FreeBSD and ESXi.
The Linux (12389b8af28307fd09fe080fd89802b4e616ed4c961f464f95fdb4b3f0aaf185) and FreeBSD (bdf3d5f4f1b7c90dfc526340e917da9e188f04238e772049b2a97b4f88f711e3) versions are almost identical to the Windows one, despite the obvious OS differences. One of those differences is the following function “KillNonRoot” aimed at killing all non-root processes:
Hive v3 ESXI
| Hash | 822d89e7917d41a90f5f65bee75cad31fe13995e43f47ea9ea536862884efc25 |
| Threat | Ransomware |
| Brief Description | Hive Ransomware v3 |
| SSDEEP | 3072:3Zp7gZzdfvjRCMj1Yk36ioyJ1zgjIlOhXYopNL+V7o0xvvkB/37Nt7xhew8A2Mz:P7gDj8S1Hlx14+opNClvk977ew8A2M |
In this case, the malware is written in C/C++, in order to have a better compatibility with the target operating system, the strings are not obfuscated, and we have found some new parameters:
| Parameter | Description |
| -no-stop | Don’t stop virtual machines |
| -low-cpu | Single thread encryption |
After the routine of exporting the keys already seen in the previous paragraphs, the sample stops all the running virtual machines in order to encrypt them without problems:
The ransom note contains also a reference to not delete or reinstall the virtual machines:
As said, the objective of this version is to encrypt the virtual machines hosted on the ESXi server, so, the malware goes to find the virtual machines deployed on the server, by using a custom regex aimed at finding the words “vm” or “vs”.
Hive v4
| Hash | 33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277 |
| Threat | Ransomware |
| Brief Description | Hive Ransomware v4 |
| SSDEEP | 49152:e2NiZPNNirb/T2vO90dL3BmAFd4A64nsfJk0NuXCdmTQb0/6VCrrPrsbg11VgWA:e2ANB04yIa0hsirubO |
The fourth version of Hive locker is an effort to obfuscate also the code. We haven’t noticed new features or upgrades except for a more serious obfuscation of the code and changes in the details of the key generation and encryption.
In detail, this version adopts the control flow flattering obfuscation technique, which is largely adopted by many attackers, thanks to its actual effectiveness. Below an example of that technique:
Hive v5
The fifth version of hive represents a sort of revolution inside the entire codebase. In this version, the major differences include the changing of the base programming language and the refinement encryption algorithm.
| Hash | b6b1ea26464c92c3d25956815c301caf6fa0da9723a2ef847e2bb9cd11563d8b |
| Threat | Ransomware |
| Brief Description | Hive Ransomware v5.2 |
| SSDEEP | 12288:BLF6OtM1z8JLbA689tSfvTvFSYIzp4yzhrWbttQfaa4Gxjzgdlo/AhwN/eh9z/E:BLF6gb0xqx9z/EO3BxhR |
Hive is now written in Rust and for this reason the difficulty has increased, along with a complex encryption scheme makes the analysis harder even for experienced analysts.
The refinement of the encryption process considers the passing from “XOR+RSA” of the previous versions, arriving to “ECDH+Curve25519+XChaCha20-Poly1305”
For this version we found the following parameters:
| Parameter | Description |
| -no-local | Don’t encrypt local files |
| -no-mounted | Don’t encrypt on mounted network volumes |
| -no-discovery | Don’t discover network volumes |
| -local-only | Encrypt only local files |
| -network-only | Encrypt only network volumes |
| -explicit-only | Encrypt specified folders |
| -min-size | Minimum file size |
| -timerze-only | N/A |
| -da | N/A |
Once executed, the sample checks for the parameter “-u”, which should contain the “username:password” used as credentials for the victim and written in the ransom note, if this unique parameter is missing, the program exits.
Even the routine to decrypt the ransom note changed. In this case, the protection of the ransom note relies on a XOR key.
Another update is the expansion on the other drives. The sample generates an array of drive labels and uses GetDriveTypeW to check if the path is invalid:
Once the attached volumes are found, it calls FindFirstVolumeW and SetVolumeMountPointW to mount eventual unmounted volumes:
After that, the operation of privilege escalation is performed though abusing the “TrustedInstaller” service to recover its access token. In this way, the malware is able to read and write files with the same privileges of TrustedInstaller Group.
Moreover, in the previous versions, we saw bat files and other escamotages for the erasing of the backup mechanisms provided by the Microsoft Environment.
In the fifth version analyzed, there are the following tricks:
- vssadmin.exe delete shadows /all /quiet
- bcedit /set {default} bootstatuspolicy ignoreallfailures
- wbadmin delete systemstatebackup –keepversions:3
Conclusion
Hive threat actor is one of the most sophisticated active threats. It does not care about the target, the only objective is to maximize the illicit profits, even by causing the interruption of critical services. The continuous development of the ransomware payload should not be underestimated, and in the same way organizations must upgrade their cyber protections.
We at Yoroi ZLab believe that collaboration and sharing more information possible about attackers is the right way to pursue to defend these entities. We know that having to deal with these threats is challenging, so we are pointing to create the best expertise needed to handle such incidents whether they happen.
In conclusion, we need to create a solid and reliable strategy to defend our customers. we encourage our customers to make assessments and awareness campaigns for their employees. The goal of the Defence Center of Yoroi is to guarantee the best protection in every phase of the attack, starting from the continuous monitoring arriving to the Incident Response engagements.
Appendix
Indicators of Compromise
Hive v1
- 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1 (Sample)
- d158f9d53e7c37eadd3b5cc1b82d095f61484e47eda2c36d9d35f31c0b4d3ff8 (shadow.bat)
Hive v2:
- 25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5
Hive v3
- 8a461e66ae8a53ffe98d1e2e1dc52d015c11d67bd9ed09eb4be2124efd73ccd5
Hive v3 Linux/FreeBSD
- 12389b8af28307fd09fe080fd89802b4e616ed4c961f464f95fdb4b3f0aaf185 (Linux)
- Bdf3d5f4f1b7c90dfc526340e917da9e188f04238e772049b2a97b4f88f711e3 (FreeBSD)
Hive v3 ESXI
- 822d89e7917d41a90f5f65bee75cad31fe13995e43f47ea9ea536862884efc25
Hive v4
- 33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277
Hive v5.2
- b6b1ea26464c92c3d25956815c301caf6fa0da9723a2ef847e2bb9cd11563d8b
Yara Rules
rule hive_v1_32_win
{
strings:
$1 = {648b0d140000008b89000000003b61080f86e401000083ec40e8?2f?feff8b04248b4c240485c90f8556010000b94100000031d231db8d2d?4??6300eb0341d1e883f95a0f8f29010000a90100000074ed895c2434896c243c894c242489542430894424288d44242c}
condition:
$1 and uint16(0) == 0x5A4D
}
rule hive_v1_64_win
{
strings:
$1 = { 65 4? 8b 0c ?5 28 00 00 00 4? 8b 89 00 00 00 00 4? 3b 61 10 0f 86 ?? ?? ?? ?? 4? 83 ec 40 4? 89 6c ?4 38 4? 8d 6c ?4 38 4? 8b 44 ?4 48 4? 89 04 ?4 e8 ?? ?? ?? ?? 4? 8b 44 ?4 08 4? 8b 4c ?4 10 4? 83 7c ?4 08 00 0f 85 ?? ?? ?? ?? 4? 89 44 ?4 20 4? 89 4c ?4 18 4? 8b 44 ?4 48 4? 89 04 ?4 90 e8 ?? ?? ?? ?? 4? 8b 44 ?4 48 4? 89 04 ?4 e8 ?? ?? ?? ?? 4? 8b 44 ?4 48 4? 89 04 ?4 0f 1f 40 00 e8 ?? ?? ?? ?? 4? 8b 44 ?4 48 4? 89 04 ?4 e8 ?? ?? ?? ?? 4? 8b 44 ?4 48 4? 89 04 ?4 0f 1f 40 00 e8 ?? ?? ?? ?? 4? 8b 44 ?4 48 4? 89 04 ?4 e8 ?? ?? ?? ?? 4? 8b 44 ?4 48 4? 89 04 ?4 0f 1f 40 00 e8 ?? ?? ?? ?? 4? 8b 44 ?4 48 4? 89 04 ?4 e8 ?? ?? ?? ?? 4? 8b 44 ?4 48 4? 89 04 ?4 0f 1f 40 00 e8 ?? ?? ?? ?? 4? 8b 44 ?4 48 80 78 48 00 74 ?? 90 0f 57 c0 0f 11 44 ?4 28 4? 8d 05 ?? ?? ?? ?? 4? 89 ?? ?4 28 4? 8d 05 ?? ?? ?? ?? 4? 89 ?? ?4 30 4? 8d 44 ?4 28 4? 89 04 ?4 4? c7 44 ?4 08 01 00 00 00 4? c7 44 ?4 10 01 00 00 00 e8 ?? ?? ?? ?? 4? 8b 44 ?4 20 4? 89 44 ?4 50 4? 8b 44 ?4 18 4? 89 44 ?4 58 4? 8b 6c ?4 38 4? 83 c4 40 c3 4? 89 04 ?4 e8 ?? ?? ?? ?? eb ?? 4? 89 44 ?4 50 4? 89 4c ?4 58 4? 8b 6c ?4 38 4? 83 c4 40 c3 }
condition:
$1 and uint16(0) == 0x5A4D
}
rule hive_v2_v3_32_win
{
strings:
//prenotify routine
$1 = { 64 8b 0d 14 00 00 00 8b 89 00 00 00 00 3b 61 08 0f 86 ?? ?? ?? ?? 83 ec ?? c7 44 ?4 04 ?? ?? ?? ?? c7 04 ?4 ?? ?? ?? ?? e8 ?? ?? ?? ?? e8 ?? ?? ?? ?? 8b 04 ?4 8b 4c ?4 04 c7 44 ?4 4c 00 00 00 00 c7 44 ?4 50 00 00 00 00 89 04 ?4 89 4c ?4 04 e8 ?? ?? ?? ?? 8b 44 ?4 08 8d 0d ?? ?? ?? ?? 89 4c ?4 4c 89 44 ?4 50 8d 44 ?4 4c 89 04 ?4 c7 44 ?4 04 01 00 00 00 c7 44 ?4 08 01 00 00 00 e8 ?? ?? ?? ?? 8b 44 ?4 68 89 04 ?4 e8 ?? ?? ?? ?? 8b 44 ?4 04 89 44 ?4 48 8b 4c ?4 08 89 4c ?4 38 31 d2 eb ?? }
condition:
$1 and uint16(0) == 0x5A4D
}
rule hive_v2_64_win
{
strings:
$1 = {654?8b0c?5280000004?8b89000000004?8d44????4?3b41100f86????????4?81ec????????4?89ac??????????4?8dac??????????4?b8????????????????4?8904?4e8????????e8????????4?8b04?44?8b4c?4080f57c00f1184??????????4?8904?44?894c?408e8????????4?8b44?4104?8d0d????????4?898c??????????4?8984??????????4?8d84??????????4?8904?44?c744?408010000004?c744?41001000000e8????????4?8b84??????????4?8904?40f1f440000e8????????4?8b44?4084?8b4c?4104?85c97e??4?89?c}
condition:
$1 and uint16(0) == 0x5A4D
}
rule hive_v3_v4_64_win
{
strings:
$1 = {4? 3b 66 10 0f 86 ?? ?? ?? ?? 4? 83 ec 30 4? 89 6c ?4 28 4? 8d 6c ?4 28 4? 89 44 ?4 20 0f 1f 00 e8 ?? ?? ?? ?? 4? 85 c0 0f 85 ?? ?? ?? ?? 4? 8b 44 ?4 20 e8 ?? ?? ?? ?? 4? 85 c0 74 ?? 4? 8b 6c ?4 28 4? 83 c4 30 c3 4? 89 44 ?4 10 4? 89 5c ?4 18 4? 8b 44 ?4 20 e8 ?? ?? ?? ?? 4? 8b 44 ?4 20 e8 ?? ?? ?? ?? 4? 8b 44 ?4 20 e8 ?? ?? ?? ?? 4? 89 c3 4? 8b 44 ?4 20 e8 ?? ?? ?? ?? 4? 8b 44 ?4 20 e8 ?? ?? ?? ?? 4? 8b 44 ?4 20 e8 ?? ?? ?? ?? 4? 8b 44 ?4 20 e8 ?? ?? ?? ?? 4? 8b 44 ?4 20 90 e8 ?? ?? ?? ?? 4? 8b 44 ?4 10 4? 8b 5c ?4 18 4? 8b 6c ?4 28 4? 83 c4 30 c3 4? 8b 6c ?4 28 4? 83 c4 30 c3}
condition:
$1 and uint16(0) == 0x5A4D
}
rule hive_v5_32_win
{
strings:
$1 = {5589e553575681ec440400008b75108b7d0c89d3894dc88d85b0fbffff68000400006a0050e8????????83c40c0fbec3b9abaaaaaa8b0485c0b949008945e889f0f7e1d1ea8d045229c683f60389f0f7e131c9d1ea8d04528d570229c68b45148955cc8975e48b00}
condition:
$1 and uint16(0) == 0x5A4D
}
rule hive_v5_64_win
{
strings:
$1 = {4157415641554154565755534881ec880400004c89cd448844243789d648894c2450488b9c24f0040000488bbc24f8040000488d8c248800000041b80004000031d2e8??????00480fbec6488d0d??????004c8b24c148b9abaaaaaaaaaaaaaa4889d848f7e148d1ea488d04524989de4929c64983f6034c89f048f7e148d1ea488d04524929c6488b07}
condition:
$1 and uint16(0) == 0x5A4D
}
rule hive_v3_esxi
{
strings:
$s1 = "+ prenotify %s"
$s2 = "Stopping VMs"
$s3 = "(.+)\\.(.+?)\\.%s$"
$s4 = "\\.(vm|vs)\\w+$"
$c = {f3 0f 1e fa 55 4? 89 e5 4? 83 ec 20 4? 89 7? ?? 4? 8b 4? ?? 4? 89 c7 e8 ?? ?? ?? ?? 89 4? ?? 83 7? ?? 00 74 ?? 8b 4? ?? eb ?? 4? 8b 4? ?? 4? 89 c7 e8 ?? ?? ?? ?? 89 4? ?? 83 7? ?? 00 74 ?? 4? 8d 3d ?? ?? ?? ?? e8 ?? ?? ?? ?? 8b 4? ?? eb ?? 4? 8b 4? ?? 4? 89 c7 e8 ?? ?? ?? ?? 4? 8b 4? ?? 4? 89 c7 e8 ?? ?? ?? ?? 4? 8b 4? ?? 4? 89 c7 e8 ?? ?? ?? ?? 4? 8b 4? ?? 4? 89 c7 e8 ?? ?? ?? ?? 4? 8b 4? ?? 4? 89 c7 e8 ?? ?? ?? ?? b8 00 00 00 00 c9 c3}
condition:
(all of ($s*) or $c) and uint32(0) == 0x464C457F
}
This blog post was authored by Luigi Martire, Carmelo Ragusa of Yoroi Malware ZLAB
