Defending against Hive ransomware: It's time to use the attackers' tools
And, um, do you know how to restore from backup without Active Directory?
Hive ransomware attacks have generated nearly $6 million per month for cybercriminals since June 2021, making successful attacks on over 1,300 victims, US agencies warned – with a close read of the group’s tactics, techniques and procedures (TTPs) serving as a sharp reminder of the importance of secure architecture, culture, and testing, rather than a buy-and-install mindset that priorities shiny and expensive new EDR tools.
Recent versions of the evolving Hive payload are written in Rust; previously in Go. It’s typically dropped after attackers access a network via a phishing email, exposed RDP, exploitation of unpatched software (FortiOS vulnerability CVE-2020-12812 and Microsoft Exchange’s ProxyShell vulnerabilities have been favourites; there will be others) or leaked VPN creds (i.e. all of the many common ways machines and networks are breached.)
Like most sophisticated ransomware payloads, Hive ransomware runs processes that kill off a sweeping array of antivirus/EDR tools, delete backups and prevent recovery. It disables “all portions of Windows Defender and other common antivirus programs in the system registry” as US cybersecurity agency CISA said November 17.)
(Analysis by Microsoft over the summer showed it terminating the following processes which include common backup and security utilities: windefend, msmpsvc, kavsvc, antivirservice, vmm, vmwp, sql, sap, oracle, mepocs, veeam, backup, vss, msexchange, mysql, sophos, pdfservice, backupexec, gxblr, gxvss, gxclmgrs, gxcimgr, gxmmm, gxvsshwprov, gxfwd, sap, qbcfmonitorservice, acronisagent, veeam, mvarmor, acrsch2svc et al.)
Attackers get busy with AD: How’s your enumeration?
Earlier analysis by SentinelOne notes that Hive has been seen using the open source tool ADRecon to map, traverse and enumerate an AD environment. Recent investigation by Trend Micro of another emerging ransomware type, Play, also emphasises that (yes, obviously to some) “during the discovery phase, the ransomware actors collect more details about the AD environment. We’ve observed that AD queries for remote systems have been performed by different tools, such as ADFind, Microsoft Nltest, and Bloodhound [for]enumeration of system information such as hostnames, shares, and domain information.”
Such tools are also freely available to IT professionals juggling security alongside other tasks and deserve exploration by those who have never deployed them as they can help introduce friction for attackers.
See also: 7 free cybersecurity tools for IT professionals to know
As Bloodhound’s co-creator Andy Robbins told The Stack last year, the tool was designed to help map and exploit attack paths in AD (now also in Azure AD). As he noted: “A lot of people on the Blue Team side learn about the tool when it is being used against them either by a professional or by a real adversary.
“But the reality is that BloodHound can provide much more value to the blue team than it ever can to the red team, as it shows the blue team what attack paths exist in their environments so they can clean them up before the adversary can discover and exploit those attack paths.” (Here’s a practical guide for users.)
Hive ransomware defense: A quick checklist
CISA’s recent Hive ransomware guidance meanwhile may have been seen many times before by those on top of their security hygiene, but serves as a renewed reminder/checklist of some core cybersecurity principles.
The US cybersecurity agency said organisations should:
“Install updates for operating systems, software, and firmware as soon as they are released. Prioritize patching VPN servers, remote access software, virtual machine software, and known exploited vulnerabilities. Consider leveraging a centralized patch management system to automate and expedite the process.
They should also:
- “Require phishing-resistant MFA for as many services as possible—particularly for webmail, VPNs, accounts that access critical systems, and privileged accounts that manage backups.
- “If used, secure and monitor RDP – restrict the originating sources and require MFA to mitigate credential theft and reuse. If RDP must be available externally, use a VPN, virtual desktop infrastructure, or other means to authenticate and secure the connection before allowing RDP to connect to internal devices.
- Maintain offline backups of data, and regularly maintain backup and restoration. By instituting this practice, the organization ensures they will not be severely interrupted, and/or only have irretrievable data.
- Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure. Ensure your backup data is not already infected
- Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
- Ensure devices are properly configured and that security features are enabled.
- Restrict Server Message Block (SMB) Protocol within the network to only access necessary servers and remove or disable outdated versions of SMB (i.e., SMB version 1).
Organisations should also identify and prioritize critical systems for restoration, and confirm the nature of data housed on impacted systems and prioritise restoration and recovery based on a predefined critical asset list that includes information systems critical for health and safety, revenue generation, or other critical services, as well as systems they depend on. A 3-2-1 approach and regular exercising of this are critical. As security experts have noted, too often, "plans to restore from backups have been known to turn into “nobody knows how to restore from backup without Active Directory. Also, we have no backup server or tape library drivers.. or working backups.”