The Varonis forensics team investigated the course of a Hive ransomware attack during a customer deployment and documented the attack and the actions of the cybercriminals step by step.
First discovered in June 2021, Hive is used as ransomware-as-a-service by cybercriminals to attack healthcare facilities, nonprofits, retailers, utilities, and other industries worldwide. They mostly rely on common ransomware tactics, techniques, and procedures (TTPs) to compromise victims' devices: among others, phishing emails with malicious attachments, stolen VPN credentials, and unpatched vulnerabilities are used to infiltrate the targeted systems. During a visit to a customer, the Varonis forensics team investigated such an attack and was able to document the actions of the cybercriminals.
Phase 1: ProxyShell and WebShell
First, the attackers exploited the known ProxyShell vulnerabilities of Exchange servers and then placed a malicious backdoor script (webshell) in a publicly accessible directory on the Exchange server. These web scripts could then run malicious PowerShell code through the compromised server with SYSTEM privileges.
Phase 2: Cobalt Strike
The malicious PowerShell code downloaded additional stagers from a remote Command & Control server connected to the Cobalt Strike framework. The stagers were not written to the file system, but executed in memory.
Phase 3: Mimikatz and Pass-The-Hash
Using SYSTEM privileges, the attackers created a new system administrator named "user" and proceeded to the credential dump phase, where they deployed Mimikatz. With its "logonPasswords" module they extracted the passwords and NTLM hashes of the accounts logged on to the system and saved the results in a text file on the local system. Once the attackers had the administrator's NTLM hash, they used the pass-the-hash technique to gain highly privileged access to other resources on the network.
Phase 4: Search for sensitive information
Next, the attackers conducted extensive reconnaissance activities throughout the network. In addition to searching for files containing "password" in their names, they used network scanners to collect the network's IP addresses and device names, followed by RDP connections to the backup servers and other key resources.
Phase 5: Deployment of ransomware
Finally, a custom malware payload written in Golang called Windows.exe was distributed and run on different devices. It performed several operations, such as deleting shadow copies, disabling security products, deleting Windows event logs and removing access rights, to ensure a smooth and extensive encryption process. A ransom note was also created during the encryption phase.
Extreme increase in ransomware attacks
Ransomware attacks have increased significantly in recent years and remain the preferred method of financially motivated cybercriminals. The effects of an attack can be devastating: it can damage a company's reputation, disrupt regular operations for a long time and lead to a temporary or even permanent loss of sensitive data as well as significant fines under the GDPR.
Although detecting and responding to such incidents can be challenging, most malicious activity can be prevented with the right security tools, incident response plans in place, and known vulnerabilities patched. The Varonis forensics team therefore recommends the following actions:
- Patch the Exchange server to the latest Exchange Cumulative Updates (CU) and Security Updates (SU) provided by Microsoft.
- Enforce the use of complex passwords and require users to change their passwords regularly.
- Use the Microsoft LAPS solution to revoke local admin permissions from domain accounts (least privilege approach). Periodically check for inactive user accounts and remove them.
- Block the use of SMBv1 and use SMB signing to protect against pass-the-hash attacks.
- Restrict employees' access rights to files that they actually need for their work.
- Automatically detect and prevent access control changes that violate your policies.
- Educate your employees on cybersecurity principles. Regular awareness training must be a fundamental part of the corporate culture.
- Establish basic security practices and codes of conduct that describe how to handle and protect company and customer information and other important data.
About Varonis
Since its founding in 2005, Varonis has taken a different approach from most IT security providers by placing company data stored both on premises and in the cloud at the center of its security strategy: sensitive files and e-mails, confidential customer, patient and employee data, financial data, strategy and product plans and other intellectual property. The Varonis data security platform (DSP) detects insider threats and cyber attacks by analyzing data, account activity, telemetry and user behavior, prevents or limits data security breaches by locking down sensitive, regulated and stale data, and maintains a secure state of the systems through efficient automation.