Hive Ransomware New Variant

HIVE is a ransomware family that has impacted Windows and Linux operating systems. It was originally written in Go but was rewritten in Rust in early 2022. On execution it can encrypt both logical drives and remote network shares.

Hive new variant:

The main difference between the new Hive variant and the old ones is the programming language used. The old variants were written in Go (also referred to as GoLang), while the new Hive variant is written in Rust.

Hive benefits from the following advantages that Rust has over other programming languages:

  • Offers memory, data type, and thread safety.
  • Deep control over low-level resources.
  • User-friendly syntax.
  • Several mechanisms for concurrency and parallelism, thus enabling fast and safe file encryption.
  • Variety of cryptographic libraries.
  • Comparatively more difficult to reverse-engineer.

String encryption:

The new Hive variant uses string encryption that can make it more evasive. Strings reside in the “.rdata” section and are decrypted during runtime by XORing with constants. The constants used to decrypt the same string sometimes differ across samples, making them an unreliable basis for detection.
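The following helper is an added example for analysts, not code from Hive or from the original write-up. It shows the two points made above: a string stored XOR-encoded with a constant is recovered by XORing again with that constant, and the same plaintext encoded with two different constants produces different bytes, so a signature written against the encoded form breaks as soon as the constant changes. The key width (a single byte for the brute-force step), the plaintext and the keys are constructed for the example; the page only states that strings are XORed with constants.

```python
"""XOR string recovery helper (added example; not Hive's code).

Demonstrates why XOR constants are a weak detection anchor and how an
analyst recovers strings from a data section when the constant is unknown.
All strings and keys below are constructed for the example.
"""
from itertools import cycle
import string

PRINTABLE = set(string.printable.encode())


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` with a repeating `key`.

    XOR is its own inverse, so the same call both encodes and decodes.
    Multi-byte constants are accepted; the brute-force step below only
    tries single-byte ones.
    """
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def printable_ratio(data: bytes) -> float:
    """Fraction of printable-ASCII bytes; used to rank candidate keys."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def recover_single_byte_key(blob: bytes, min_ratio: float = 0.95) -> list[tuple[int, bytes]]:
    """Try every single-byte constant against an encoded blob.

    Returns (key, plaintext) candidates whose output is mostly printable,
    best ratio first. This is the brute-force step run against a blob
    lifted from a data section when the constant is not known.
    """
    candidates = []
    for key in range(1, 256):
        out = xor_bytes(blob, bytes([key]))
        ratio = printable_ratio(out)
        if ratio >= min_ratio:
            candidates.append((ratio, key, out))
    candidates.sort(key=lambda c: (-c[0], c[1]))
    return [(key, out) for _, key, out in candidates]


def same_string_differs(plaintext: bytes, key_a: int, key_b: int) -> bool:
    """Encode one plaintext with two constants and report whether the encoded
    bytes differ. A byte-pattern signature on the encoded string matches one
    sample and misses the other, which is the detection problem described above."""
    return xor_bytes(plaintext, bytes([key_a])) != xor_bytes(plaintext, bytes([key_b]))


if __name__ == "__main__":
    # Constructed sample: a plaintext string and two different constants.
    plain = b"constructed sample string"
    for key in (0x5A, 0x3C):
        encoded = xor_bytes(plain, bytes([key]))
        print(f"key 0x{key:02x}: {encoded.hex()}")
    print("encoded forms differ:", same_string_differs(plain, 0x5A, 0x3C))
    # Recover the string from one encoded form without knowing the constant.
    hits = recover_single_byte_key(xor_bytes(plain, b"\x5a"))
    print("candidate keys:", [hex(k) for k, _ in hits[:5]])
```

Because many single-byte keys turn a short string into printable output, the ranking only narrows the search; an analyst confirms the right constant by checking that recovered strings make sense (paths, parameter names, API names) rather than by the score alone.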

Command-line parameters:

  • In old Hive variants, the username and the password used to access the Hive ransom payment website are embedded in the samples. In the new variant, these credentials must be supplied in the command line under the “-u” parameter, which means that they can’t be obtained by analysts from the sample itself.
  • Overall, it appears that different versions have different parameters that are constantly updated. Unlike previous variants, which had a ‘help’ menu, the new variant requires the attacker to know the parameters beforehand. Since all strings are encrypted, identifying the parameters is challenging for security researchers.

Stopped services and processes:

Hive stops services and processes associated with security solutions and other tools that might get in the way of its attack chain. Hive tries to impersonate the process tokens of trustedinstaller.exe and winlogon.exe.

Encryption:

  • The most interesting change in the new Hive variant is its cryptography mechanism: it uses a different set of algorithms, Elliptic Curve Diffie-Hellman (ECDH) with Curve25519 and XChaCha20-Poly1305 (authenticated encryption with the ChaCha20 symmetric cipher).
  • The new Hive variant uses a unique approach to file encryption. Instead of embedding an encrypted key in each file that it encrypts, it generates two sets of keys in memory, uses them to encrypt files, and then encrypts and writes the sets to the root of the drive it encrypts, both with a .key extension.
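The detection logic below is an added example, not code from Hive, from the original write-up, or from any vendor. It turns three behaviours described on this page into checks over endpoint telemetry: a burst of service-stop and process-kill commands from one parent process (the "Stopped services and processes" section), a process outside the Windows directory opening winlogon.exe or trustedinstaller.exe (the token impersonation described there), and creation of a .key file directly at a drive root (the key-set files described in the "Encryption" section). The event records, the command patterns, the thresholds and the file name placeholder are all constructed or assumed; the page does not list which services Hive stops or what the .key files are named, and real Sysmon or EDR events would first be normalised into the shape used here.

```python
"""Detection checks for behaviours described in the Hive write-up.

Added example; not Hive's code and not a vendor rule. Event shape, command
patterns, thresholds and sample values are assumptions made for the example.
"""
from collections import defaultdict
from datetime import datetime
import re

# Assumed: generic commands used to stop services or kill processes.
STOP_CMD = re.compile(r"\b(net\s+stop|sc(\.exe)?\s+(stop|config)|taskkill(\.exe)?)\b", re.I)
# A .key file written directly at a drive root, e.g. C:\<name>.key
ROOT_KEY_FILE = re.compile(r"^[A-Za-z]:\\[^\\]+\.key$", re.I)
# Processes whose tokens the page says Hive tries to impersonate.
TOKEN_TARGETS = ("winlogon.exe", "trustedinstaller.exe")

# Constructed sample events in a normalised form (not real telemetry).
EVENTS = [
    {"ts": "2022-07-01T10:00:00", "kind": "ProcessCreate", "ppid": 4242, "cmdline": "net stop ServiceA"},
    {"ts": "2022-07-01T10:00:02", "kind": "ProcessCreate", "ppid": 4242, "cmdline": "sc.exe config ServiceB start= disabled"},
    {"ts": "2022-07-01T10:00:05", "kind": "ProcessCreate", "ppid": 4242, "cmdline": "taskkill /f /im ToolC.exe"},
    {"ts": "2022-07-01T10:00:09", "kind": "ProcessCreate", "ppid": 4242, "cmdline": "net stop ServiceD"},
    # A lone administrative restart hours later: should not be flagged.
    {"ts": "2022-07-01T11:30:00", "kind": "ProcessCreate", "ppid": 7, "cmdline": "net stop Spooler"},
    {"ts": "2022-07-01T10:01:00", "kind": "ProcessAccess",
     "source_image": "C:\\Users\\alice\\AppData\\Local\\Temp\\sample.exe",
     "target_image": "C:\\Windows\\System32\\winlogon.exe"},
    # System binary touching winlogon.exe: expected, not flagged by this check.
    {"ts": "2022-07-01T10:01:01", "kind": "ProcessAccess",
     "source_image": "C:\\Windows\\System32\\svchost.exe",
     "target_image": "C:\\Windows\\System32\\winlogon.exe"},
    # placeholder_name stands in for the real file name, which the page does not give.
    {"ts": "2022-07-01T10:02:00", "kind": "FileCreate", "pid": 4242, "path": "C:\\placeholder_name.key"},
    # A .key file deep in a user profile is not the pattern described.
    {"ts": "2022-07-01T10:02:01", "kind": "FileCreate", "pid": 4242, "path": "C:\\Users\\alice\\Documents\\notes.key"},
]


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def detect_stop_bursts(events, threshold: int = 3, window_s: int = 60) -> set:
    """Return parent PIDs that spawned at least `threshold` stop/kill commands
    within any `window_s`-second window. A single stop command is normal admin
    activity; a rapid burst from one parent is the behaviour worth alerting on."""
    by_parent = defaultdict(list)
    for e in events:
        if e["kind"] == "ProcessCreate" and STOP_CMD.search(e["cmdline"]):
            by_parent[e["ppid"]].append(parse_ts(e["ts"]))
    flagged = set()
    for ppid, times in by_parent.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                flagged.add(ppid)
                break
    return flagged


def detect_token_targets(events) -> list:
    """Return (source_image, target_image) for process-access events where an
    image outside C:\\Windows opens winlogon.exe or trustedinstaller.exe."""
    hits = []
    for e in events:
        if e["kind"] != "ProcessAccess":
            continue
        target = e["target_image"].rsplit("\\", 1)[-1].lower()
        if target in TOKEN_TARGETS and not e["source_image"].lower().startswith("c:\\windows\\"):
            hits.append((e["source_image"], e["target_image"]))
    return hits


def detect_root_key_files(events) -> list:
    """Return (pid, path) for .key files created directly at a drive root."""
    return [(e["pid"], e["path"]) for e in events
            if e["kind"] == "FileCreate" and ROOT_KEY_FILE.match(e["path"])]


if __name__ == "__main__":
    print("stop-command bursts from parent PIDs:", detect_stop_bursts(EVENTS))
    print("token-target access:", detect_token_targets(EVENTS))
    print(".key files at drive root:", detect_root_key_files(EVENTS))
```

Each check is deliberately narrow and produces its own alert, so an investigator sees which of the three behaviours fired; correlating all three on the same host within a few minutes is the stronger signal. The path-prefix test in the token check is a coarse allow-list and will need tuning for legitimate security tooling installed outside the Windows directory.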

Ransom note:

Hive’s ransom note has also changed, with the new version referencing the .key files with their new file name convention and adding a sentence about virtual machines (VMs).

Mitigations:

  • Sweep the environment for the indicated IOCs and determine whether any of them match.
  • Enable machine learning, active adversary mitigations, and behavioral detection in endpoint security.
  • If remote access is required, use a VPN configured according to vendor best practices, with multi-factor authentication, password audits and precise access control, and actively monitor remote access.
  • Users logged into remote access services should have limited privileges for the rest of the corporate network.
  • Administrators should adopt multi-factor authentication and use a separate administrative account from their normal operational account.
  • Develop and implement a patching policy and baseline configuration standards for the operating system.
  • Conduct cybersecurity awareness training for end users.
  • Ensure anti-virus software and associated files are up to date.
  • Set up an alert for events in which the AV agent loses its connection to the management panel.
  • Back up your data to several different backup destinations, including tape drives.
