CVSS v3.1: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality/Integrity/Availability Impact: HIGH.
CVSS v2: 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C). Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality/Integrity/Availability Impact: COMPLETE.
AI Score: 10 High (Confidence: High).
EPSS: 0.973 High (99.9th percentile).
Actions to Take Today to Mitigate Cyber Threats from Ransomware:
• Prioritize remediating known exploited vulnerabilities.
• Enable and enforce multifactor authentication with strong passwords.
• Close unused ports and remove any application not deemed necessary for day-to-day operations.
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) are releasing this joint CSA to disseminate known Hive IOCs and TTPs identified through FBI investigations as recently as November 2022.
FBI, CISA, and HHS encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents. Victims of ransomware operations should report the incident to their local FBI field office or CISA.
Download the PDF version of this report (PDF, 852.9 KB).
For a downloadable copy of IOCs, see AA22-321A.stix (STIX, 43.6 KB).
Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 12. See MITRE ATT&CK for Enterprise for all referenced tactics and techniques.
As of November 2022, Hive ransomware actors have victimized over 1,300 companies worldwide, receiving approximately US$100 million in ransom payments, according to FBI information. Hive ransomware follows the ransomware-as-a-service (RaaS) model in which developers create, maintain, and update the malware, and affiliates conduct the ransomware attacks. From June 2021 through at least November 2022, threat actors have used Hive ransomware to target a wide range of businesses and critical infrastructure sectors, including Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health (HPH).
The method of initial intrusion depends on which affiliate targets the network. Hive actors have gained initial access to victim networks by using single-factor logins via Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote network connection protocols [T1133]. In some cases, Hive actors have bypassed multifactor authentication (MFA) and gained access to FortiOS servers by exploiting CVE-2020-12812. This vulnerability enables a malicious cyber actor to log in without a prompt for the user's second authentication factor (FortiToken) when the actor changes the case of the username.
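The CVE-2020-12812 behaviour described above is an instance of a general defect: the username is canonicalised (case-folded) for the password check but used verbatim when deciding whether the second factor applies, so a case variant of a valid username passes the credential check and misses the MFA policy. The Python below is an added illustration of that defect class and of its fix, written for this page; it is not FortiOS code and makes no claim about how FortiOS implements authentication. The user store, the account "alice", and the function names login_vulnerable and login_fixed are constructed for the example.

```python
"""Model of the username-case MFA bypass class (added illustration, not FortiOS code).

A hypothetical authenticator whose directory lookup folds case, as most
directory back ends do, but which fetches the per-user MFA policy with the
username exactly as submitted. The user store below is constructed.
"""
import hashlib
import hmac

# Constructed user store: canonical username -> (password hash, MFA required?)
USERS = {
    "alice": (hashlib.sha256(b"correct horse").hexdigest(), True),
}


def _lookup(username):
    """Directory-style lookup: folds case, so 'Alice' and 'ALICE' resolve to 'alice'."""
    canonical = username.lower()
    rec = USERS.get(canonical)
    return (canonical, rec) if rec else (None, None)


def _password_ok(rec, password):
    # Constant-time comparison of hex digests; the hashing scheme is only a stand-in.
    return hmac.compare_digest(rec[0], hashlib.sha256(password.encode()).hexdigest())


def login_vulnerable(username, password, token=None):
    """Returns 'denied', 'need_token' or 'ok'.

    Bug: the MFA policy is fetched with the username exactly as typed, so any
    case variant of the username misses the policy row and skips the token.
    """
    _canonical, rec = _lookup(username)
    if rec is None or not _password_ok(rec, password):
        return "denied"
    policy = USERS.get(username)          # case-sensitive second lookup
    if policy is not None and policy[1] and token is None:
        return "need_token"
    return "ok"


def login_fixed(username, password, token=None):
    """Same flow, but every decision after the credential check uses the
    record that the credential check resolved; no second lookup by the raw
    string, so the policy cannot diverge from the authenticated account."""
    _canonical, rec = _lookup(username)
    if rec is None or not _password_ok(rec, password):
        return "denied"
    if rec[1] and token is None:
        return "need_token"
    return "ok"  # token verification itself is out of scope for this model


if __name__ == "__main__":
    print(login_vulnerable("alice", "correct horse"))  # need_token
    print(login_vulnerable("ALICE", "correct horse"))  # ok: second factor skipped
    print(login_fixed("ALICE", "correct horse"))       # need_token
```

The same principle applies when auditing any authenticator that consults more than one store (directory, MFA policy, group membership): resolve the identity once, then pass the resolved record, not the user-supplied string, to every later check.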
Hive actors have also gained initial access to victim networks by distributing phishing emails with malicious attachments [T1566.001] and by exploiting the following vulnerabilities against Microsoft Exchange servers [T1190]:
• CVE-2021-31207
• CVE-2021-34473
• CVE-2021-34523
• CVE-2021-42321
After gaining access, Hive ransomware attempts to evade detection by executing processes to:
• identify processes related to backups, antivirus/anti-spyware, and file copying, then terminate those processes to facilitate file encryption [T1562];
• stop the Volume Shadow Copy service and remove all existing shadow copies via vssadmin on the command line or in PowerShell [T1059] [T1490];
• delete Windows event logs, specifically the System, Security, and Application logs [T1070].
Prior to encryption, Hive ransomware removes virus definitions and disables all portions of Windows Defender and other common antivirus programs in the system registry [T1112].
Hive actors exfiltrate data likely using a combination of Rclone and the cloud storage service Mega.nz [T1537]. In addition to its capabilities against the Microsoft Windows operating system, Hive ransomware has known variants for Linux, VMware ESXi, and FreeBSD.
During the encryption process, a file named *.key (previously *.key.hive) is created in the root directory (C:\ or /root/). Required for decryption, this key file only exists on the machine where it was created and cannot be reproduced. The ransom note, HOW_TO_DECRYPT.txt, is dropped into each affected directory and states that the *.key file cannot be modified, renamed, or deleted, otherwise the encrypted files cannot be recovered [T1486]. The ransom note contains a "sales department" .onion link accessible through a Tor browser, enabling victim organizations to contact the actors through a live chat panel to discuss payment for their files. However, some victims reported receiving phone calls or emails from Hive actors directly to discuss payment.
The ransom note also threatens victims that a public disclosure or leak site accessible on Tor, "HiveLeaks", contains data exfiltrated from victim organizations that do not pay the ransom demand (see figure 1 below). Additionally, Hive actors have used anonymous file sharing sites to disclose exfiltrated data (see table 1 below).
Figure 1: Sample Hive Ransom Note
Table 1: Anonymous file sharing sites used to disclose exfiltrated data
• https://mega[.]nz
• https://send.exploit[.]in
• https://ufile[.]io
• https://www.sendspace[.]com
• https://privatlab[.]net
• https://privatlab[.]com
Once the victim organization contacts Hive actors on the live chat panel, Hive actors communicate the ransom amount and the payment deadline. Hive actors negotiate ransom demands in U.S. dollars, with initial amounts ranging from several thousand to millions of dollars. Hive actors demand payment in Bitcoin.
Hive actors have been known to reinfect—with either Hive ransomware or another ransomware variant—the networks of victim organizations who have restored their network without making a ransom payment.
Threat actors have leveraged the following IOCs during Hive ransomware compromises. Note: Some of these indicators are legitimate applications that Hive threat actors used to aid in further malicious exploitation. FBI, CISA, and HHS recommend removing any application not deemed necessary for day-to-day operations. See tables 2–3 below for IOCs obtained from FBI threat response investigations as recently as November 2022.
Table 2: Known IOCs as of November 2022
Known IOCs – Files
• HOW_TO_DECRYPT.txt, typically in directories with encrypted files
• *.key, typically in the root directory, i.e., C:\ or /root
• hive.bat
• shadow.bat
• asq.r77vh0[.]pw - server that hosted a malicious HTA file
• asq.d6shiiwz[.]pw - server referenced in malicious regsvr32 execution
• asq.swhw71un[.]pw - server that hosted a malicious HTA file
• asd.s7610rir[.]pw - server that hosted a malicious HTA file
• Windows_x64_encrypt.dll
• Windows_x64_encrypt.exe
• Windows_x32_encrypt.dll
• Windows_x32_encrypt.exe
• Linux_encrypt
• Esxi_encrypt
Known IOCs – Events
• System, Security, and Application Windows event logs wiped
• Microsoft Windows Defender AntiSpyware Protection disabled
• Microsoft Windows Defender AntiVirus Protection disabled
• Volume shadow copies deleted
• Normal boot process prevented
Known IOCs – Logged Processes
• wevtutil.exe cl system
• wevtutil.exe cl security
• wevtutil.exe cl application
• vssadmin.exe delete shadows /all /quiet
• wmic.exe SHADOWCOPY /nointeractive
• wmic.exe shadowcopy delete
• bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
• bcdedit.exe /set {default} recoveryenabled no
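As an added example that is not part of the advisory, the Python below turns the logged-process and registry IOCs above into detection rules and runs them over a few constructed events in a simplified, Sysmon-like JSON-lines shape. The event field names (event, host, cmdline, value, data), the rule names, and the sample events are assumptions of this example. Two points it shows that the raw IOC list does not: the rules key on the destructive arguments (cl, delete shadows, recoveryenabled no), so routine use of the same binaries (wevtutil qe, vssadmin list shadows) does not fire; and a host showing more than one of these stages together is escalated, because that combination is the pre-encryption sequence the advisory describes, whereas a lone hit may be an administrator.

```python
"""Detection rules for the Hive logged-process and registry IOCs.

Added example, not advisory code. Event shape is an assumed, simplified
Sysmon-like JSON-lines format: process_create events carry 'cmdline',
registry_set events carry 'value' and 'data'. Sample events are constructed.
"""
import json
import re

# (rule name, ATT&CK technique from Table 4, pattern over the command line)
PROCESS_RULES = [
    ("event_log_cleared", "T1070",
     re.compile(r"\bwevtutil(\.exe)?\s+cl\s+(system|security|application)\b", re.I)),
    ("shadow_copy_tampering", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_tampering", "T1490",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\b", re.I)),   # both wmic forms listed above
    ("boot_recovery_disabled", "T1490",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+"
                r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
]

# Registry values Hive sets to 1 (T1112). The key path is deliberately not
# checked here (assumption: value name plus data is enough for this example).
REGISTRY_VALUES = {
    "disableantispyware": "defender_antispyware_disabled",
    "disableantivirus": "defender_antivirus_disabled",
}

# Constructed sample telemetry: WS01 shows the full pre-encryption sequence,
# SRV02 shows benign admin use of the same binaries plus one real hit.
SAMPLE_EVENTS = """\
{"event": "process_create", "host": "WS01", "cmdline": "wevtutil.exe cl system"}
{"event": "process_create", "host": "WS01", "cmdline": "vssadmin.exe delete shadows /all /quiet"}
{"event": "process_create", "host": "WS01", "cmdline": "bcdedit.exe /set {default} recoveryenabled no"}
{"event": "registry_set", "host": "WS01", "value": "DisableAntiSpyware", "data": 1}
{"event": "process_create", "host": "SRV02", "cmdline": "vssadmin.exe list shadows"}
{"event": "process_create", "host": "SRV02", "cmdline": "wevtutil.exe qe Security /c:5"}
{"event": "process_create", "host": "SRV02", "cmdline": "wmic.exe SHADOWCOPY /nointeractive"}
"""


def match_process(ev):
    """Return [(rule, technique)] for a process_create event."""
    cmd = ev.get("cmdline", "")
    return [(name, tid) for name, tid, rx in PROCESS_RULES if rx.search(cmd)]


def match_registry(ev):
    """Return [(rule, technique)] for a registry_set event that sets a watched value to 1."""
    rule = REGISTRY_VALUES.get(str(ev.get("value", "")).lower())
    if rule and str(ev.get("data")) == "1":
        return [(rule, "T1112")]
    return []


def scan(lines):
    """Parse JSON-lines events; return [(host, rule, technique, evidence)]."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event") == "process_create":
            hits, evidence = match_process(ev), ev.get("cmdline", "")
        elif ev.get("event") == "registry_set":
            hits, evidence = match_registry(ev), f"{ev.get('value')}={ev.get('data')}"
        else:
            continue
        alerts.extend((ev.get("host", "?"), name, tid, evidence) for name, tid in hits)
    return alerts


def hosts_at_pre_encryption_stage(alerts, min_techniques=2):
    """Hosts showing at least two distinct techniques (e.g. log wiping plus
    shadow-copy deletion) match the pre-encryption pattern in the advisory
    and are escalated over a lone hit, which may be an administrator."""
    seen = {}
    for host, _name, tid, _evidence in alerts:
        seen.setdefault(host, set()).add(tid)
    return sorted(h for h, tids in seen.items() if len(tids) >= min_techniques)


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS.splitlines())
    for host, name, tid, evidence in found:
        print(f"{host:6} {tid} {name:28} {evidence}")
    print("escalate:", hosts_at_pre_encryption_stage(found))
```

In production the same rules would be expressed in the SIEM's own language and fed from Sysmon event ID 1 (process creation) and event ID 13 (registry value set), or from the equivalent EDR telemetry; the correlation window would be bounded in time rather than spanning the whole input as it does here.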
Table 3: Potential IOC IP addresses as of November 2022
5.61.37[.]207
5.199.162[.]220
5.199.162[.]229
46.166.161[.]93
46.166.161[.]123
46.166.162[.]96
46.166.162[.]125
46.166.169[.]34
83.97.20[.]81
84.32.188[.]57
84.32.188[.]238
89.147.109[.]208
93.115.25[.]139
93.115.26[.]251
93.115.27[.]148
108.62.118[.]190
158.69.36[.]149
181.231.81[.]239
185.8.105[.]67
185.8.105[.]103
185.8.105[.]112
185.247.71[.]106
186.111.136[.]37
192.53.123[.]202
See table 4 for all referenced threat actor tactics and techniques listed in this advisory.
Table 4: Hive actors' ATT&CK techniques for Enterprise
Initial Access
Technique Title | ID | Use
External Remote Services | T1133 | Hive actors gain access to victim networks by using single-factor logins via RDP, VPN, and other remote network connection protocols.
Exploit Public-Facing Application | T1190 | Hive actors gain access to victim networks by exploiting the following Microsoft Exchange vulnerabilities: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, CVE-2021-42321.
Phishing: Spearphishing Attachment | T1566.001 | Hive actors gain access to victim networks by distributing phishing emails with malicious attachments.
Execution
Technique Title | ID | Use
Command and Scripting Interpreter | T1059 | Hive actors look to stop the Volume Shadow Copy service and remove all existing shadow copies via vssadmin on the command line or in PowerShell.
Defense Evasion
Technique Title | ID | Use
Indicator Removal on Host | T1070 | Hive actors delete Windows event logs, specifically the System, Security, and Application logs.
Modify Registry | T1112 | Hive actors set the registry values DisableAntiSpyware and DisableAntiVirus to 1.
Impair Defenses | T1562 | Hive actors seek out processes related to backups, antivirus/anti-spyware, and file copying and terminate those processes to facilitate file encryption.
Exfiltration
Technique Title | ID | Use
Transfer Data to Cloud Account | T1537 | Hive actors exfiltrate data from victims, likely using a combination of Rclone and the cloud storage service Mega.nz.
Impact
Technique Title | ID | Use
Data Encrypted for Impact | T1486 | Hive actors drop a ransom note, HOW_TO_DECRYPT.txt, into each affected directory; it states that the *.key file cannot be modified, renamed, or deleted, otherwise the encrypted files cannot be recovered.
Inhibit System Recovery | T1490 | Hive actors look to stop the Volume Shadow Copy service and remove all existing shadow copies via vssadmin on the command line or in PowerShell.
FBI, CISA, and HHS recommend organizations, particularly in the HPH sector, implement the following to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Hive ransomware:
If your organization is impacted by a ransomware incident, FBI, CISA, and HHS recommend the following actions.
In addition, FBI, CISA, and HHS urge all organizations to apply the following recommendations to prepare for, mitigate/prevent, and respond to ransomware incidents.
Vulnerability and Configuration Management
The FBI, CISA, and HHS do not encourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Paying the ransom also does not guarantee that a victim's files will be recovered. However, the FBI, CISA, and HHS understand that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers. Regardless of whether you or your organization decide to pay the ransom, the FBI, CISA, and HHS urge you to promptly report ransomware incidents to your local FBI field office, or to CISA at report@cisa.gov or 1-844-Say-CISA (1-844-729-2472). Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable under U.S. law, and prevent future attacks.
The FBI may seek the following information that you determine you can legally share, including:
The information in this report is being provided “as is” for informational purposes only. FBI, CISA, and HHS do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI, CISA, or HHS.
Initial Version: November 17, 2022
References
www.stopransomware.gov/
attack.mitre.org/versions/v12/matrices/enterprise/
attack.mitre.org/versions/v12/techniques/T1059/
attack.mitre.org/versions/v12/techniques/T1070/
attack.mitre.org/versions/v12/techniques/T1112/
attack.mitre.org/versions/v12/techniques/T1133/
attack.mitre.org/versions/v12/techniques/T1190/
attack.mitre.org/versions/v12/techniques/T1486/
attack.mitre.org/versions/v12/techniques/T1490/
attack.mitre.org/versions/v12/techniques/T1537/
attack.mitre.org/versions/v12/techniques/T1562/001/
attack.mitre.org/versions/v12/techniques/T1566/001/
github.com/cisagov/cset/
nvd.nist.gov/vuln/detail/CVE-2020-12812
nvd.nist.gov/vuln/detail/CVE-2021-31207
nvd.nist.gov/vuln/detail/CVE-2021-34473
nvd.nist.gov/vuln/detail/CVE-2021-34523
pages.nist.gov/800-63-3/
us-cert.cisa.gov/ncas/alerts/aa20-245a
www.cisa.gov/cyber-hygiene-services
www.cisa.gov/known-exploited-vulnerabilities-catalog
www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C.pdf
www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf
www.cisa.gov/stopransomware
www.cisa.gov/stopransomware/ransomware-guide
www.fbi.gov/contact-us/field-offices