2022-04-26

Hive Ransomware Attack Analysis

Level: 
Tactical
  |  Source: 
Varonis
Retail
Share:

Hive Ransomware Attack Analysis

Industry: Energy, Healthcare, Nonprofits, Retailers | Level: Tactical | Source: Varonis

The Varonis Forensics Team has provided an investigation from an incident involving Hive ransomware, spanning under 72 hours to execute. The initial attack began by exploiting the Exchange Proxyshell vulnerability to load a webshell on the Exchange server. Following initial access, PowerShell invoke-expression commands were executed to download payloads for Cobalt Strike. To achieve persistence, the attackers created a new user account and dumped credentials using Mimikatz. With credentials obtained, the attackers moved laterally within the environment using mstsc.exe and initiated discovery with ping sweep and a network scanning tool, SoftPerfect. Data from scanned systems and credentials collected were saved to a text file. In the final stages of the attack, the threat actors executed the ransomware disabling volume shadow copies, stopping services including Windows Defender, and cleaning Windows Security logs. The ransomware-as-a-service was first observed in June 2021 targeting sectors in healthcare, nonprofits, retailers, energy providers among others.

  • Anvilogic Scenario: Hive Ransomware: Post-Exploitation Behaviors
  • Anvilogic Use Cases:
  • Potential ProxyShell
  • Potential Web Shell
  • Invoke-Expression Command
  • Encoded Powershell Command
  • Cobalt Strike Beacon
  • Create/Add Local/Domain User
  • Locate Credentials
  • Mimikatz
  • Output to File
  • Pass-the-Hash
  • MSTSC Execution
  • Output to File
  • Executable Create Script Process
  • Potential Ping Sweep

Get trending threats published weekly by the Anvilogic team.

Sign Up Now