Dark Web Profile: Hive Ransomware Group – SOCRadar

by SOCRadar Research
[Update] November 14, 2023: See the subheading: “New Era of Hive Ransomware Under Hunters International.”
On November 8, 2021, the electronics retail giant Media Markt suffered a ransomware attack with an initial ransom demand of $240 million, which caused IT systems to shut down and disrupted store operations in the Netherlands and Germany. The attack was carried out by the Hive ransomware group.
According to the SOCRadar Ransomware feed, Hive conducted 5.5% of all observed ransomware attacks in 2022, placing it among the top five most active ransomware groups of the year.
In a statement on August 25, 2021, FBI officials said that a newly formed group, Hive ransomware, was attacking the health system in the USA. The Hive ransomware gang crashed the IT systems at Memorial Health System, disrupting healthcare and putting the lives of several patients at risk. First observed in June 2021, Hive Ransomware is a RaaS (Ransomware as a Service) group that has used double extortion since it started operations: it exfiltrates sensitive data before encrypting it for ransom. The group operates with an affiliate system and provides an admin panel for affiliates to manage attacks.

They are believed to be a Russia-based organization. It is reported that around May 2022, some Conti affiliates migrated to Hive as the Conti group took down its attack infrastructure. The belief stems from the fact that Conti and Hive have leaked the same victims on both their leak sites simultaneously on multiple occasions, such as in the attack on Costa Rican government infrastructure. However, Hive refuted the connection with Conti on its TOR leak site in numerous instances.
Hive Ransomware targets vary greatly, ranging from the far west, the USA, to the far east, Japan. Since their emergence, organizations from more than 20 countries have faced Hive Ransomware attacks, according to the Hive TOR leak site.
The FBI noted that the Hive gang used multiple tactics, techniques, and procedures (TTPs) to compromise targeted networks. According to the report, the ransomware group leverages phishing for initial access, which is in line with most cyber attacks: according to Verizon, 82% of all breaches involve the human element. The group is known to use various phishing lures with malicious attachments to access critical systems and then uses Remote Desktop Protocol (RDP) to move laterally across the network.
The Korea Internet & Security Agency (KISA) has released a public decryptor for victims of Hive Ransomware. The tool only works for versions 1 to 4. However, Hive moved on to new technology to target new victims. Early versions of Hive were developed in GoLang. Possibly in response to the release of the public decryptor around mid-2022, they turned to Rust, starting with version 5, to develop new variants of their ransomware.
After encrypting critical files, Hive ransomware drops two malicious scripts (hive.bat and shadow.bat) to perform cleanup after encryption. The group then threatens to leak the information it obtains on its dark web site, HiveLeaks.
“After compromising a victim network, Hive ransomware actors leak data and encrypt files on the network. The actors leave a ransom note on each affected directory on the victim’s system, which provides instructions on how to purchase the decryption software,” the FBI said in a statement.
According to an analysis of the Hive group, they use spear-phishing emails with attachments to gain a foothold in the victim’s network. After Hive obtains the user’s network credentials, it laterally infects the network using Remote Desktop Protocol (RDP).
To avoid anti-malware, Hive terminates processes related to backup and restore, antivirus and antispyware, and file copying. After encrypting files and saving them with a .hive extension, Hive creates the batch files hive.bat and shadow.bat, which contain commands for the computer to delete the Hive executable, disk backup copies or snapshots, and the batch files themselves. This is a common technique used by malware to reduce the forensic evidence available to responders.
Hive drops a ransom note, HOW_TO_DECRYPT.txt, into each affected directory. The note explains that encrypted files cannot be decrypted without the master key, which is in the actors’ possession. In addition, the note contains the login details for the TOR website that the victim can use to pay the ransom, and it threatens to leak the victim’s sensitive data on the HiveLeaks TOR website.
The message left by the attackers:
“Your network has been breached, and all data was encrypted. Personal data, financial reports, and important documents are ready to disclose. To decrypt all the data or prevent exfiltrated files from being disclosed at http://hiveleakdbtnp…….onion/, you will need to purchase our decryption software.”
They are also one of the ransomware groups that widened their foothold by developing variants for Linux-based systems.
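The two post-encryption artifacts named above, the .hive extension and the HOW_TO_DECRYPT.txt note dropped into each affected directory, are what an incident responder looks for first when scoping a host. The following triage script is an added example written for this page, not SOCRadar's or Hive's code; it walks a directory tree, counts encrypted files per directory, and lists where notes were dropped. The directory layout and file names it builds are constructed so that it runs offline.

```python
"""Filesystem triage for the Hive post-encryption artifacts described above.

Added example, not SOCRadar's code. It uses the two artifacts the article
names: the ".hive" extension on encrypted files and the "HOW_TO_DECRYPT.txt"
ransom note dropped into each affected directory. The sample tree is
constructed in a temporary directory so the script runs offline.
"""
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".hive"
RANSOM_NOTE = "HOW_TO_DECRYPT.txt"


def triage_tree(root):
    """Walk `root` and summarise ransomware artifacts.

    Returns a dict with:
      encrypted_files:          number of files ending in .hive
      affected_dirs:            sorted dirs holding at least one .hive file
      note_dirs:                sorted dirs containing the ransom note
      notes_without_encryption: note present but no .hive file in that dir
    """
    encrypted = Counter()
    note_dirs = set()
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in files:
            if name == RANSOM_NOTE:
                note_dirs.add(rel)
            elif name.lower().endswith(ENCRYPTED_EXT):
                encrypted[rel] += 1
    affected = set(encrypted)
    return {
        "encrypted_files": sum(encrypted.values()),
        "affected_dirs": sorted(affected),
        "note_dirs": sorted(note_dirs),
        "notes_without_encryption": sorted(note_dirs - affected),
    }


def build_sample_tree(root):
    """Constructed sample: two encrypted directories and one untouched one."""
    layout = {
        "finance": ["budget.xlsx.hive", "q3.docx.hive", RANSOM_NOTE],
        os.path.join("hr", "payroll"): ["salaries.csv.hive", RANSOM_NOTE],
        "public": ["readme.txt"],
    }
    for sub, names in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "w") as fh:
                fh.write("constructed sample content\n")


def run_demo():
    """Build the constructed tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return triage_tree(root)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real host you would point triage_tree at the mounted evidence volume; the notes_without_encryption field is worth checking because a note in a directory with no encrypted files usually means the encryptor was interrupted or skipped that location, which narrows the timeline.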
For all variants of Hive Ransomware, you can refer to this GitHub repo.
 
Analyzed Sample: SHA-256: f4a39820dbff47fa1b68f83f575bc98ed33858b02341c5c0464a49be4e6c76d3
As the SOCRadar Research Team, we analyzed v5 of the Rust variant of Hive Ransomware. It uses string encryption, making it more evasive. Strings reside in the .rdata section and are decrypted at runtime by XORing them with constants. The constants used to decrypt the same string sometimes differ across samples, making them an unreliable basis for detection.
The credentials are provided on the command line under the “-u” parameter, which means they cannot be obtained by analysts from the sample itself. An attacker can choose to encrypt files on remote shares or local files only, or choose a minimum file size for encryption.
In the Rust variant of Hive Ransomware, the attacker must know the parameters beforehand. As a result, it is difficult for researcher and analyst teams to find the parameters in the encrypted strings. Another typical behaviour we observed while monitoring process activity is the use of “vssadmin.exe” with the “delete shadows /all /quiet” parameters to remove backups.
Another finding from the analysis is that the Rust variant uses different algorithms: Elliptic Curve Diffie-Hellman (ECDH) with Curve25519 and XChaCha20-Poly1305 (an authenticated encryption scheme built on the ChaCha20 stream cipher).
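The XOR string obfuscation described above is routine to undo once the constant is known, and when it is not, a known fragment (a "crib" such as a command-line switch the sample is expected to contain) gives the constant directly, because XOR is symmetric. The helper below is an added example written for this page; it is not SOCRadar's or Hive's code, and the 4-byte key and the string table it obfuscates are constructed for the demonstration, not constants from any real sample.

```python
"""Analyst helper for XOR-obfuscated strings like those the article describes
in the Rust variant's .rdata section.

Added example, not SOCRadar's or Hive's code. The key bytes and strings below
are constructed; they are not the constants used by any real sample. It shows
two things an analyst does by hand: (1) decode a blob once the constant is
known, and (2) recover the constant from a "crib", a plaintext fragment the
analyst expects to appear, such as a command-line switch.
"""
from itertools import cycle


def xor_decode(data: bytes, key: bytes) -> bytes:
    """XOR `data` against `key`, repeating the key across the buffer."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def derive_key_from_crib(cipher: bytes, crib: bytes, key_len: int, offset: int) -> bytes:
    """Recover a repeating XOR key from a known plaintext fragment.

    `crib` is assumed to sit at `offset` in the plaintext and to be at least
    `key_len` bytes long, so every key position is covered. The key is rotated
    so that its first byte lines up with offset 0 of the buffer.
    """
    if len(crib) < key_len:
        raise ValueError("crib must cover the whole key length")
    rotated = bytearray(key_len)
    for i in range(key_len):
        rotated[(offset + i) % key_len] = cipher[offset + i] ^ crib[i]
    return bytes(rotated)


def printable_ratio(blob: bytes) -> float:
    """Fraction of bytes that are printable ASCII; used to rank candidate keys."""
    if not blob:
        return 0.0
    ok = sum(1 for b in blob if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(blob)


# Constructed sample: a NUL-separated string table of the kind found in a
# .rdata section, obfuscated with a made-up 4-byte constant.
SAMPLE_KEY = bytes([0x5A, 0x13, 0xC7, 0x28])
SAMPLE_PLAINTEXT = b"delete shadows /all /quiet\x00-u\x00.hive\x00"
SAMPLE_CIPHER = xor_decode(SAMPLE_PLAINTEXT, SAMPLE_KEY)  # XOR is symmetric


def recover_sample() -> dict:
    """Pretend we only have SAMPLE_CIPHER and suspect a vssadmin switch is in it."""
    crib = b"/all /quiet"
    # An analyst would find the crib offset from cross-references; here it is
    # 15, the position of "/all" in the constructed plaintext.
    key = derive_key_from_crib(SAMPLE_CIPHER, crib, len(SAMPLE_KEY), offset=15)
    plain = xor_decode(SAMPLE_CIPHER, key)
    return {
        "key": key,
        "strings": [s.decode("ascii") for s in plain.split(b"\x00") if s],
        "printable": printable_ratio(plain.replace(b"\x00", b"")),
    }


if __name__ == "__main__":
    out = recover_sample()
    print("recovered key:", out["key"].hex())
    for s in out["strings"]:
        print("  ", s)
```

Because the article notes that the constants differ between samples, the recovered key is useful for reading one sample's strings, not as a detection signature; the behaviours those strings reveal (the vssadmin switches, the -u parameter) are what to hunt for instead.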
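Two passages on this page describe the same behaviour from different angles: the cleanup batch files hive.bat and shadow.bat, and the use of vssadmin.exe with “delete shadows /all /quiet”. Both leave process-creation telemetry, which is the most reliable place to catch them. The detection logic below is an added example written for this page, not SOCRadar's code. The log format (Image, CommandLine and ParentImage fields on one line) is an assumed flattening of a Sysmon-style process-creation record, and the four log lines are constructed, not real telemetry.

```python
"""Detection logic for the post-encryption cleanup behaviour described above:
vssadmin shadow-copy deletion and the hive.bat / shadow.bat cleanup scripts.

Added example, not SOCRadar's code. The log lines are constructed to mimic a
flattened process-creation record (Image, CommandLine, ParentImage); the field
names are assumed and map onto whatever your EDR or Sysmon pipeline emits.
"""
import re

# Each rule: name, severity, compiled pattern applied to image, command line and parent.
RULES = [
    ("shadow_copy_deletion", "high",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b.*?(/all|/quiet)", re.I)),
    ("hive_cleanup_batch", "high",
     re.compile(r"\\(hive|shadow)\.bat\b", re.I)),
    ("batch_deletes_binary", "medium",
     re.compile(r"\bdel\b.*\.(bat|exe)\b", re.I)),
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn 'Image="..." CommandLine="..." ParentImage="..."' into a dict."""
    return {k: v for k, v in FIELD_RE.findall(line)}


def evaluate(record):
    """Return the list of (rule, severity) hits for one parsed record.

    The parent image is included so a child spawned by shadow.bat or hive.bat
    is flagged even when its own command line looks benign.
    """
    haystack = " ".join([record.get("Image", ""),
                         record.get("CommandLine", ""),
                         record.get("ParentImage", "")])
    return [(name, sev) for name, sev, pat in RULES if pat.search(haystack)]


def scan(lines):
    """Scan log lines; return per-line hits and an overall verdict."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        for name, sev in evaluate(rec):
            hits.append({"line": n, "rule": name, "severity": sev,
                         "parent": rec.get("ParentImage", "")})
    high = {h["rule"] for h in hits if h["severity"] == "high"}
    # Two distinct high-severity behaviours together are a strong signal;
    # a single hit is worth a look but vssadmin alone has admin uses.
    if len(high) >= 2:
        verdict = "likely_ransomware_cleanup"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"hits": hits, "verdict": verdict}


# Constructed sample log (not real telemetry).
SAMPLE_LOG = [
    'Image="C:\\Windows\\System32\\svchost.exe" CommandLine="svchost.exe -k netsvcs" ParentImage="C:\\Windows\\System32\\services.exe"',
    'Image="C:\\Windows\\System32\\vssadmin.exe" CommandLine="vssadmin.exe delete shadows /all /quiet" ParentImage="C:\\Users\\Public\\shadow.bat"',
    'Image="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd.exe /c C:\\Users\\Public\\hive.bat" ParentImage="C:\\Users\\Public\\encryptor.exe"',
    'Image="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd /c del C:\\Users\\Public\\encryptor.exe" ParentImage="C:\\Users\\Public\\hive.bat"',
]

if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for h in result["hits"]:
        print(f"line {h['line']}: {h['rule']} ({h['severity']}) parent={h['parent']}")
    print("verdict:", result["verdict"])
```

The verdict logic deliberately requires two different high-severity behaviours before calling it ransomware cleanup: vssadmin delete shadows on its own does appear in legitimate administration, but a shadow-copy deletion whose parent is a batch file named shadow.bat, followed by a batch file deleting an executable, is the sequence the article describes.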
The following file extensions are excluded from encryption by the Rust variant.
When we analyzed the function called at address “00000000004613AF”, we found that inside it the NtTerminateProcess API is called at address “000000000047867B”. The anti-analysis check can be bypassed at these addresses by changing RIP; otherwise the process terminates and the analysis stops.
Their attack on the healthcare system was not the Hive group’s first act. On June 14, 2021, Altus Group, a commercial real estate software company, announced that its data had been breached. The day before the announcement, Altus Group was affected by a cybersecurity breach. Communication systems such as the IT back office and email were taken offline at the time. In subsequent updates, the company has yet to reveal whether any information was leaked.
On 5 December 2022, Hive Ransomware listed a ransom countdown for the French sports retailer Intersport. The group posted a portion of Intersport data, allegedly including passport details of Intersport staff, pay slips, a list of former and current employees, and their Social Security numbers, on its TOR leak site. Apparently, the attack occurred during the Black Friday sales and affected operations.
On January 6, 2023, Hive Ransomware listed a ransom countdown for Consulate Health Care on its TOR leak site. With the breach becoming public news, Consulate Health Care confirmed the attack with an announcement. It was due to a third-party vendor facing a breach in their network. According to the institution, the ransom was far more than they could pay. Because of this, Hive released 550GB of Consulate Health Care customer and employee PII data before the deadline.
Finally, US and international law enforcement authorities have taken action against the Hive ransomware group, including the seizure of at least two leak sites.
On the morning of January 26, 2023, two of the group’s dark web sites used for extorting victims and leaking data from non-paying businesses were replaced with a notice, in both English and Russian, stating that the site had been seized in an international law enforcement operation involving the U.S. Department of Justice, the FBI, the Secret Service, Europol, and other European countries.
Hive has a TOR leak site on which it shares countdowns for its victims. On this site, they only share victims who did not comply and pay the ransom demanded. As a side note, research conducted at the end of 2021 observed that Hive targets, on average, three organizations a day. The research also found that Hive had compromised 355 organizations, of which only 55 were shared on its TOR leak site. Since that data is not recent, we will examine Hive’s targets according to the data shared on its leak site, to avoid speculating on unconfirmed information.
In the attacks observed on the Hive Ransomware TOR leak site, nearly 30 countries are affected. Looking closely at the targeted countries, the USA is the top target: with 93 attacks, it accounts for almost half of all the attacks conducted by Hive Ransomware.
Looking at the statistics for the industries hit by Hive Ransomware, four industries stand out. Over 30 industries have been observed as targets of Hive Ransomware, but Healthcare, Information Technology, Education, and Manufacturing are the most targeted.

Some ransomware groups operating as RaaS claim to refrain from targeting institutions such as healthcare to avoid causing harm to people, as in the case of LockBit apologizing for an attack on a healthcare institution and cutting ties with the responsible affiliate. However, Hive’s attacks against healthcare providers show that the operators behind it have no moral incentive to avoid attacking such organizations.
Hive Ransomware is active, with nearly 200 attacks revealed on its TOR leak site in less than two years. This is likely the result of Hive operating in a RaaS model. They are active, which makes them dangerous, but they are still in the development stages. Around the time KISA released its public decryptor, which can be considered a massive blow to Hive, there were also contemptuous posts on the dark web regarding Hive Ransomware around mid-2022. In one example, the post targeted Hive Ransomware’s negligent operation.
Even though they still do not seem to be the most advanced group out there, they are rapidly growing as a threat to organizations worldwide. This can be deduced from the fact that they transitioned from GoLang to Rust quickly after receiving a blow. They already have numerous variants for different systems to negate the released decryptors. Also, in the technical analysis, we found that they are trying to cripple the analysis process for researchers using evasion techniques.
As a last point, it is clear that Hive applies no particular criteria when deciding whom to target. Whether it is a big manufacturing organization or a small healthcare institution, they attack regardless. Considering how Hive Ransomware operates, organizations of all sizes should be aware of Hive Ransomware’s existence and take proactive measures accordingly.
The Hive ransomware group may have passed its mantle to a new entity, Hunters International. This development comes months after the FBI’s successful disruption of Hive’s operations.
Of course, it is not exactly Hive, but the code base is quite similar. Hunters International, emerging with Hive’s sophisticated malware arsenal, marks a fresh threat in the ransomware scene. Unlike Hive’s encryption-centric approach, this group focuses on data exfiltration for extortion, indicating a strategic pivot in their modus operandi. Their attacks, spanning multiple countries including the US and UK, suggest an opportunistic rather than a targeted strategy.
This transition, analyzed by Bitdefender, reveals the use of logging in the malware, a sign of inheriting and adapting Hive’s code. It reflects the challenges criminal groups face in rebuilding after law enforcement crackdowns, which often lead to the sale of their tools as a risk-reduction strategy.
