{"id":19515,"date":"2022-07-05T08:00:51","date_gmt":"2022-07-05T16:00:51","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/07\/05\/news-13248\/"},"modified":"2022-07-05T08:00:51","modified_gmt":"2022-07-05T16:00:51","slug":"news-13248","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/07\/05\/news-13248\/","title":{"rendered":"Hive ransomware gets upgrades in Rust"},"content":{"rendered":"<p><strong>Credit to Author: Microsoft 365 Defender Threat Intelligence Team| Date: Tue, 05 Jul 2022 16:00:00 +0000<\/strong><\/p>\n<p>Hive ransomware is only about one year old, having been first observed in June 2021, but it has grown into one of the most prevalent ransomware payloads in the <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/05\/09\/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself\/\">ransomware-as-a-service (RaaS)<\/a> ecosystem. With its latest variant carrying several major upgrades, Hive also proves it\u2019s one of the fastest evolving ransomware families, exemplifying the continuously changing ransomware ecosystem.<\/p>\n<p>The upgrades in the latest variant are effectively an overhaul: the most notable changes include a full code migration to another programming language and the use of a more complex encryption method. The impact of these updates is far-reaching, considering that Hive is a RaaS payload that Microsoft has observed in attacks against organizations in the healthcare and software industries by large ransomware affiliates like <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/05\/09\/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself\/#DEV-0237\">DEV-0237<\/a>.<\/p>\n<p>Microsoft Threat Intelligence Center (MSTIC) discovered the new variant while analyzing detected Hive ransomware techniques for dropping <em>.key<\/em> files. 
We know that Hive drops a keys file, which holds the encrypted keys needed to decrypt the victim\u2019s files, and that this file follows a consistent naming pattern:<\/p>\n<pre class=\"wp-block-preformatted\">[KEY_NAME].key.[VICTIM_IDENTIFIER]  (e.g., BiKtPupMjgyESaene0Ge5d0231uiKq1PFMFUEBNhAYv_.key.ab123)<\/pre>\n<p>The <em>.key<\/em> files in question were missing the [VICTIM_IDENTIFIER] part of the file name, prompting deeper analysis of the Hive ransomware that dropped them. This analysis led to the discovery of the new Hive variant and its multiple versions, which differ slightly in the command-line parameters they accept and the processes they execute.<\/p>\n<p>Searching for these patterns in samples of the new variants, we discovered even more samples, all with a low detection rate and none correctly identified as Hive. In this blog we share our in-depth analysis of the new Hive variant, including its main features and upgrades, with the aim of equipping analysts and defenders with information to better identify and protect organizations against malware attacks relying on Hive.<\/p>\n<h2>Analysis and key findings<\/h2>\n<h3>The switch from GoLang to Rust<\/h3>\n<p>The main difference between the new Hive variant and old ones is the programming language used. The old variants were written in Go (also referred to as GoLang), while the new Hive variant is written in Rust.<\/p>\n<p>Hive isn\u2019t the first ransomware written in Rust\u2014BlackCat, another prevalent ransomware, was the first. 
By switching the underlying code to Rust, Hive benefits from the following advantages that Rust has over other programming languages:<\/p>\n<ul>\n<li>It offers memory, data type, and thread safety<\/li>\n<li>It has deep control over low-level resources<\/li>\n<li>It has a user-friendly syntax<\/li>\n<li>It has several mechanisms for concurrency and parallelism, thus enabling fast and safe file encryption<\/li>\n<li>It has a good variety of cryptographic libraries<\/li>\n<li>It\u2019s relatively more difficult to reverse-engineer<\/li>\n<\/ul>\n<h3>String encryption<\/h3>\n<p>The new Hive variant uses string encryption that can make it more evasive. Strings reside in the <em>.rdata<\/em> section and are decrypted during runtime by XORing with constants. The constants that are used to decrypt the same string sometimes differ across samples, making them an unreliable basis for detection.<\/p>\n<p>For example, let\u2019s look at the section where part of the string <em>\u201c!error no flag -u &lt;login&gt;:&lt;password&gt; provided\u201d<\/em> is decrypted. 
In one sample (SHA-256: f4a39820dbff47fa1b68f83f575bc98ed33858b02341c5c0464a49be4e6c76d3), the constants are 0x9F2E3F1F and 0x95C9:<\/p>\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"936\" height=\"177\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig1-String-decryption.png\" alt=\"Partial screenshot of a code-level analysis of a Hive sample.\" class=\"wp-image-117293\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig1-String-decryption.png 936w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig1-String-decryption-300x57.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig1-String-decryption-768x145.png 768w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig1-String-decryption-930x177.png 930w\" sizes=\"auto, (max-width: 936px) 100vw, 936px\" \/><figcaption>Figure 1 \u2013 String decryption using constants 0x9F2E3F1F and 0x95C9<\/figcaption><\/figure>\n<p>In another sample (SHA-256: 6e5d49f604730ef4c05cfe3f64a7790242e71b4ecf1dc5109d32e811acf0b053), the constants are 0x3ECF7CC4 and 0x198F:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"936\" height=\"170\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig2-String-decryption.png\" alt=\"Partial screenshot of a code-level analysis of a Hive sample.\" class=\"wp-image-117296\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig2-String-decryption.png 936w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig2-String-decryption-300x54.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig2-String-decryption-768x139.png 768w, 
https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig2-String-decryption-930x170.png 930w\" sizes=\"auto, (max-width: 936px) 100vw, 936px\" \/><figcaption>Figure 2 \u2013 String decryption using constants 0x3ECF7CC4 and 0x198F<\/figcaption><\/figure>\n<p>Some samples do share constants when decrypting the same string. For example, let\u2019s look where the parameter string <em>\u201c-da\u201d<\/em> is decrypted. In one sample (SHA-256: 88b1d8a85bf9101bc336b01b9af4345ed91d3ec761554d167fe59f73af73f037), the constants are 0x71B4 and 2:<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"422\" height=\"117\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig3-String-decryption.png\" alt=\"Partial screenshot of a code-level analysis of a Hive sample.\" class=\"wp-image-117299\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig3-String-decryption.png 422w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig3-String-decryption-300x83.png 300w\" sizes=\"auto, (max-width: 422px) 100vw, 422px\" \/><figcaption>Figure 3 \u2013 String decryption using constants 0x71B4 and 2<\/figcaption><\/figure>\n<p>In another sample (SHA-256: 33744c420884adf582c46a4b74cbd9c145f2e15a036bb1e557e89d6fd428e724), the constants are the same:<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"408\" height=\"113\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig4-String-decryption.png\" alt=\"Partial screenshot of a code-level analysis of a Hive sample.\" class=\"wp-image-117302\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig4-String-decryption.png 408w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig4-String-decryption-300x83.png 300w\" sizes=\"auto, 
(max-width: 408px) 100vw, 408px\" \/><figcaption>Figure 4 \u2013 String decryption in a different sample also using constants 0x71B4 and 2<\/figcaption><\/figure>\n<h3>Command-line parameters<\/h3>\n<p>In old Hive variants, the username and the password used to access the Hive ransom payment website are embedded in the samples. In the new variant, these credentials must be supplied in the command line under the <em>\u201c-u\u201d<\/em> parameter, which means that they can\u2019t be obtained by analysts from the sample itself.<\/p>\n<figure class=\"wp-block-image size-full is-resized\"><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig5-error.png\" alt=\"Partial screenshot of a command prompt showing an error message.\" class=\"wp-image-117305\" width=\"540\" height=\"104\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig5-error.png 720w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig5-error-300x58.png 300w\" sizes=\"auto, (max-width: 540px) 100vw, 540px\" \/><figcaption>Figure 5 &#8211; Without a username and a password, the sample won\u2019t continue its execution<\/figcaption><\/figure>\n<p>Like most modern ransomware, Hive introduces command-line parameters, which allow attackers flexibility when running the payload by adding or removing functionality. For example, an attacker can choose to encrypt files on remote shares or local files only or select the minimum file size for encryption. 
In the new Hive variant, we found the following parameters across different samples:<\/p>\n<figure class=\"wp-block-table\">\n<table>\n<tbody>\n<tr>\n<td><strong>Parameter<\/strong><\/td>\n<td><strong>Functionality<\/strong><\/td>\n<\/tr>\n<tr>\n<td>-no-local<\/td>\n<td>Don\u2019t encrypt local files<\/td>\n<\/tr>\n<tr>\n<td>-no-mounted<\/td>\n<td>Don\u2019t encrypt files on mounted network shares<\/td>\n<\/tr>\n<tr>\n<td>-no-discovery<\/td>\n<td>Don\u2019t discover network shares<\/td>\n<\/tr>\n<tr>\n<td>-local-only<\/td>\n<td>Encrypt only local files<\/td>\n<\/tr>\n<tr>\n<td>-network-only<\/td>\n<td>Encrypt only files on network shares<\/td>\n<\/tr>\n<tr>\n<td>-explicit-only<\/td>\n<td>Encrypt specific folder(s) only. For example, <em>\u2018-explicit-only c:\\mydocs c:\\myphotos\u2019<\/em><\/td>\n<\/tr>\n<tr>\n<td>-min-size<\/td>\n<td>Minimum file size, in bytes, to encrypt. For example, <em>\u2018-min-size 102400\u2019<\/em> encrypts only files of 102400 bytes (100 KB) or larger<\/td>\n<\/tr>\n<tr>\n<td>-da<\/td>\n<td>[Usage is being analyzed.]<\/td>\n<\/tr>\n<tr>\n<td>-f<\/td>\n<td>[Usage is being analyzed.]<\/td>\n<\/tr>\n<tr>\n<td>-force<\/td>\n<td>[Usage is being analyzed.]<\/td>\n<\/tr>\n<tr>\n<td>-wmi<\/td>\n<td>[Usage is being analyzed.]<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>Overall, the available parameters differ between versions and appear to be updated constantly. Unlike previous variants, which had a <em>\u2018help\u2019<\/em> menu, the new variant requires the attacker to know the parameters beforehand. Because all strings are encrypted, recovering the parameter names from a sample is challenging for security researchers.<\/p>\n<h3>Stopped services and processes<\/h3>\n<p>Like most sophisticated malware, Hive stops services and processes associated with security solutions and other tools that might get in the way of its attack chain. 
Hive tries to impersonate the process tokens of <em>trustedinstaller.exe <\/em>and <em>winlogon.exe<\/em> so it can stop Microsoft Defender Antivirus, among other services.<\/p>\n<p>Hive stops the following services:<\/p>\n<pre class=\"wp-block-preformatted\">windefend, msmpsvc, kavsvc, antivirservice, zhudongfungyu, vmm, vmwp, sql, sap, oracle, mepocs, veeam, backup, vss, msexchange, mysql, sophos, pdfservice, backupexec, gxblr, gxvss, gxclmgrs, gxvcd, gxcimgr, gxmmm, gxvsshwprov, gxfwd, sap, qbcfmonitorservice, qbidpservice, acronisagent, veeam, mvarmor, acrsch2svc<\/pre>\n<p>It also stops the following processes:<\/p>\n<pre class=\"wp-block-preformatted\">dbsnmp, dbeng50, bedbh, excel, encsvc, visios, firefox, isqlplussvc, mspub, mydesktopqos, notepad, ocautoupds, ocomm, ocssd, onenote, outlook, sqbcoreservice, sql, steam, tbirdconfig, thunderbird, winword, wordpad, xfssvccon, vxmon, benetns, bengien, pvlsvr, raw_agent_svc, cagservice, sap, qbidpservice, qbcfmonitorservice, teamviewer_service, teamviewer, tv_w32, tv_x64, cvd, saphostexec, sapstartsrv, avscc, dellsystemdetect, enterpriseclient, veeam, thebat, cvfwd, cvods, vsnapvss, msaccess, vaultsvc, beserver, appinfo, qbdmgrn, avagent, spooler, powerpnt, cvmountd, synctime, oracle, wscsvc, winmgmt, *sql*<\/pre>\n<h3>Launched processes<\/h3>\n<p>As part of its ransomware activity, Hive typically runs processes that delete backups and prevent recovery. 
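<\/p>\n<p>The service and process stop lists above, together with the recovery-inhibition commands listed below (vssadmin, wmic, wbadmin, bcdedit), are the most durable detection anchors in this section: command lines and service stops are visible in host telemetry no matter how the binary encrypts its strings or renames its parameters. The Python below is an added example, not code from the original post or from Microsoft. It runs a small rule set over constructed process-creation and service-stop events and flags the exact command lines quoted in this post and stops of services on Hive\u2019s list; the event layout, the rule names and the sample events are assumptions made for the demonstration.<\/p>

```python
# Added example (not from the original post or Microsoft): flag Hive-style
# recovery inhibition and security-service stops in constructed telemetry.
# Event layout and rule names are assumptions made for this demonstration.

BACKSLASH = chr(92)   # the Windows path separator, kept out of string literals

# Command lines quoted in this post, reduced to the tokens that identify them.
# A rule matches when every token appears in the normalized command line.
RECOVERY_INHIBITION_RULES = {
    'vssadmin_delete_shadows': ('vssadmin.exe', 'delete', 'shadows'),
    'wmic_shadowcopy_delete': ('wmic.exe', 'shadowcopy', 'delete'),
    'wbadmin_delete_systemstatebackup': ('wbadmin.exe', 'delete', 'systemstatebackup'),
    'wbadmin_delete_catalog': ('wbadmin.exe', 'delete', 'catalog'),
    'bcdedit_recovery_disabled': ('bcdedit.exe', 'recoveryenabled', 'no'),
    'bcdedit_ignore_boot_failures': ('bcdedit.exe', 'bootstatuspolicy', 'ignoreallfailures'),
}

# Subset of the service names Hive stops (from the list in this post): the
# ones whose stop is most telling, i.e. security tooling, backup agents, VSS.
HIVE_STOPPED_SERVICES = {
    'windefend', 'msmpsvc', 'sophos', 'kavsvc', 'vss', 'veeam', 'backup',
    'backupexec', 'acronisagent', 'msexchange', 'sql', 'mysql', 'oracle',
}

def normalize(command_line):
    # Lowercase, split on whitespace and strip the directory from the image
    # so that bare and fully qualified invocations compare equal.
    tokens = command_line.lower().split()
    if tokens:
        tokens[0] = tokens[0].replace(BACKSLASH, '/').rsplit('/', 1)[-1]
    return tokens

def matched_rules(command_line):
    tokens = set(normalize(command_line))
    return sorted(name for name, needed in RECOVERY_INHIBITION_RULES.items()
                  if set(needed) <= tokens)

def analyze(events):
    # events: dicts of type 'process' (with command_line) or 'service_stop'
    # (with service). Returns (rule, evidence) pairs in event order.
    hits = []
    for event in events:
        if event['type'] == 'process':
            for rule in matched_rules(event['command_line']):
                hits.append((rule, event['command_line']))
        elif event['type'] == 'service_stop':
            if event['service'].lower() in HIVE_STOPPED_SERVICES:
                hits.append(('hive_service_stop', event['service']))
    return hits

def verdict(hits):
    # Two distinct recovery-inhibition rules, or one plus a security-service
    # stop, is scored as pre-encryption activity worth paging on.
    kinds = {rule for rule, _ in hits}
    inhibition = kinds - {'hive_service_stop'}
    if len(inhibition) >= 2 or (inhibition and 'hive_service_stop' in kinds):
        return 'likely ransomware pre-encryption activity'
    if kinds:
        return 'suspicious, review'
    return 'no findings'

# Constructed sample telemetry, not from a real incident.
SAMPLE_EVENTS = [
    {'type': 'process', 'command_line': 'vssadmin.exe list shadows'},
    {'type': 'service_stop', 'service': 'WinDefend'},
    {'type': 'process', 'command_line':
        BACKSLASH.join(['C:', 'Windows', 'System32', 'vssadmin.exe']) + ' delete shadows /all /quiet'},
    {'type': 'process', 'command_line': 'wbadmin.exe delete systemstatebackup -keepVersions:3'},
    {'type': 'process', 'command_line': 'bcdedit.exe /set {default} recoveryenabled No'},
    {'type': 'service_stop', 'service': 'Spooler'},
]

if __name__ == '__main__':
    found = analyze(SAMPLE_EVENTS)
    for rule, evidence in found:
        print(rule, '<-', evidence)
    print(verdict(found))
```

<p>Matching is on normalized tokens rather than whole command lines, so the <em>-keepVersions:3<\/em> form of the wbadmin command also triggers, while an enumerating <em>vssadmin list shadows<\/em> does not. In production this logic belongs in the EDR or SIEM rule language (for example a Sigma rule over Sysmon event ID 1 and System log event ID 7036); a single hit on a backup server during a maintenance window is a weaker signal than two different recovery-inhibition commands within minutes of a security-service stop, which is what the verdict function scores.<\/p>\n<p>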
There are differences between versions, and some samples may not execute all these processes, but one sample that starts the most processes is SHA-256: 481dc99903aa270d286f559b17194b1a25deca8a64a5ec4f13a066637900221e:<\/p>\n<ul>\n<li><em>&#8220;vssadmin.exe delete shadows \/all \/quiet&#8221;<\/em><\/li>\n<li><em>&#8220;wmic.exe shadowcopy delete&#8221;<\/em><\/li>\n<li><em>&#8220;wbadmin.exe delete systemstatebackup&#8221;<\/em><\/li>\n<li><em>&#8220;wbadmin.exe delete catalog -quiet&#8221;<\/em><\/li>\n<li><em>&#8220;bcdedit.exe \/set {default} recoveryenabled No&#8221;<\/em><\/li>\n<li><em>&#8220;bcdedit.exe \/set {default} bootstatuspolicy ignoreallfailures&#8221;<\/em><\/li>\n<li><em>&#8220;wbadmin.exe delete systemstatebackup -keepVersions:3&#8221;<\/em><\/li>\n<\/ul>\n<h3>Ransom note<\/h3>\n<p>Hive\u2019s ransom note has also changed, with the new version referencing the <em>.key<\/em> files with their new file name convention and adding a sentence about virtual machines (VMs).<\/p>\n<p>The older variants had an embedded username and password (marked as <em>hidden<\/em>). In the new variant, the username and password are taken from the command line parameter <em>-u<\/em> and are labeled <em>test_hive_username and test_hive_password<\/em>.<\/p>\n<p>Old ransom note text:<\/p>\n<pre class=\"wp-block-preformatted\"> Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose.   To decrypt all the data and to prevent exfiltrated files to be disclosed at  http:\/\/hive[REDACTED].onion\/ you will need to purchase our decryption software.   
Please contact our sales department at:      http:\/\/hive[REDACTED].onion\/          Login:    [REDACTED]       Password: [REDACTED]   To get an access to .onion websites download and install Tor Browser at:    https:\/\/www.torproject.org\/ (Tor Browser is not related to us)     Follow the guidelines below to avoid losing your data:   - Do not modify, rename or delete *.key.abc12 files. Your data will be     undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business.    They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key.     They also don't care about your business. They believe that they are     good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed.<\/pre>\n<p>New ransom note text:<\/p>\n<pre class=\"wp-block-preformatted\">Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose.   To decrypt all the data and to prevent exfiltrated files to be disclosed at  http:\/\/hive[REDACTED].onion\/ you will need to purchase our decryption software.   Please contact our sales department at:      http:\/\/hive[REDACTED].onion\/         Login:    test_hive_username       Password: test_hive_password   To get an access to .onion websites download and install Tor Browser at:    https:\/\/www.torproject.org\/ (Tor Browser is not related to us)     Follow the guidelines below to avoid losing your data:   <strong>- Do not delete or reinstall VMs. There will be nothing to decrypt. - Do not modify, rename or delete *.key files. Your data will be     undecryptable.<\/strong> - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business.    
They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key.     They also don't care about your business. They believe that they are     good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed. <\/pre>\n<h3>Encryption<\/h3>\n<p>The most interesting change in the Hive variant is its cryptography mechanism. The new variant was first uploaded to VirusTotal on February 21, 2022, just a few days after a group of researchers&nbsp;from Kookmin University in South Korea published the paper <a href=\"https:\/\/arxiv.org\/abs\/2202.08477\">\u201cA Method for Decrypting Data Infected with Hive Ransomware\u201d<\/a> on February 17, 2022. After a certain period of development, the new variant first appeared in Microsoft threat data on February 22.<\/p>\n<p>The new variant uses a different set of algorithms: Elliptic Curve Diffie-Hellman (ECDH) with&nbsp;<a href=\"https:\/\/en.wikipedia.org\/wiki\/Curve25519\">Curve25519<\/a> and&nbsp;<a href=\"https:\/\/en.wikipedia.org\/wiki\/ChaCha20-Poly1305\">XChaCha20-Poly1305<\/a>&nbsp;(authenticated encryption built on the ChaCha20 stream cipher, with an extended 24-byte nonce and a Poly1305 tag).<\/p>\n<p><strong>A unique encryption approach<\/strong><\/p>\n<p>The new Hive variant uses a unique approach to file encryption. Instead of embedding an encrypted key in each file that it encrypts, it generates two sets of keys in memory, uses them to encrypt files, and then encrypts the sets and writes them to the root of the drive it encrypts, both with a <em>.key<\/em> extension.<\/p>\n<p>To indicate which keys set was used to encrypt a file, the name of the <em>.key<\/em> file containing the corresponding keys is appended to the name of the encrypted file on disk, followed by an underscore and then a Base64 string (in an alphabet that also includes underscore and hyphen). 
Once Base64-decoded, the string contains two offsets, each pointing to a different location in the corresponding <em>.key<\/em> file; with the decrypted keys set and these offsets, the attacker can decrypt the file.<\/p>\n<p>For example, after running Hive, we got the following files dropped to the <em>C:<\/em> drive:<\/p>\n<ul>\n<li><em>C:\\3bcVwj6j.key<\/em><\/li>\n<li><em>C:\\l0Zn68cb.key<\/em><\/li>\n<\/ul>\n<p>In this example, a file named <em>myphoto.jpg<\/em> would be renamed to <em>C:\\myphoto.jpg.l0Zn68cb_-B82BhIaGhI8<\/em>. As we discuss in the following sections, the new variant\u2019s keys set generation is entirely different from old variants. However, its actual file encryption is very similar.<\/p>\n<p><strong>Keys set generation<\/strong><\/p>\n<p>A buffer of 0xCFFF00 bytes is allocated and filled using two custom random-byte functions (labeled <em>\u201crandom_num_gen\u201d<\/em> and <em>\u201crandom_num_gen_2\u201d<\/em> for demonstration purposes). The first 0xA00000 bytes of the buffer are random, and the remaining 0x2FFF00 bytes are simply a copy of the buffer\u2019s first 0x2FFF00 bytes.<\/p>\n<p>The content of each such buffer is a keys set (a collection of symmetric keys). Two buffers are allocated, so there are two keys sets. 
During file encryption, the malware randomly selects key material (byte sequences) for each file from one of the two keys sets and encrypts the file by XORing those bytes with the file\u2019s content.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"835\" height=\"962\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig6-Original-keys-set-generation.png\" alt=\"Partial screenshot of a Hive variant's encryption technique in assembly code.\" class=\"wp-image-117308\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig6-Original-keys-set-generation.png 835w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig6-Original-keys-set-generation-260x300.png 260w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig6-Original-keys-set-generation-768x885.png 768w\" sizes=\"auto, (max-width: 835px) 100vw, 835px\" \/><figcaption>Figure 6 &#8211; Original keys set generation<\/figcaption><\/figure>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"368\" height=\"520\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig7-Inside-get-random-byte.png\" alt=\"Partial screenshot of a Hive variant's encryption technique in assembly code.\" class=\"wp-image-117311\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig7-Inside-get-random-byte.png 368w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig7-Inside-get-random-byte-212x300.png 212w\" sizes=\"auto, (max-width: 368px) 100vw, 368px\" \/><figcaption>Figure 7 &#8211; Inside get_random_byte<\/figcaption><\/figure>\n<p>A custom 64-byte hash is prepared for each keys set. 
This hash will be used later.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"685\" height=\"601\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/FIg8-preparing-the-custom-hash.png\" alt=\"Partial screenshot of a Hive variant's encryption technique in assembly code.\" class=\"wp-image-117314\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/FIg8-preparing-the-custom-hash.png 685w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/FIg8-preparing-the-custom-hash-300x263.png 300w\" sizes=\"auto, (max-width: 685px) 100vw, 685px\" \/><figcaption>Figure 8 &#8211; Preparing the custom hash of the keys set<\/figcaption><\/figure>\n<p>After the hash is computed and several other strings are decrypted, the encryption process takes the following steps:<\/p>\n<ol type=\"1\">\n<li>Generate <em>victim_private_key<\/em> using the same functions introduced above.<\/li>\n<\/ol>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"517\" height=\"617\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig9-Generating-victim_private_key.png\" alt=\"Partial screenshot of a Hive variant's encryption technique in assembly code.\" class=\"wp-image-117317\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig9-Generating-victim_private_key.png 517w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig9-Generating-victim_private_key-251x300.png 251w\" sizes=\"auto, (max-width: 517px) 100vw, 517px\" \/><figcaption>Figure 9 \u2013 Generating victim_private_key<\/figcaption><\/figure>\n<\/div>\n<ol start=\"2\">\n<li>Generate <em>victim_public_key<\/em> using ECDH with Curve25519. 
The inputs are <em>victim_private_key<\/em> and the standard Curve25519 basepoint, the byte 9 followed by 31 zero bytes (embedded in the sample).<\/li>\n<\/ol>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"604\" height=\"457\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig10-Generating-victim_public_key.png\" alt=\"Partial screenshot of a Hive variant's encryption technique in assembly code.\" class=\"wp-image-117320\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig10-Generating-victim_public_key.png 604w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig10-Generating-victim_public_key-300x227.png 300w\" sizes=\"auto, (max-width: 604px) 100vw, 604px\" \/><figcaption>Figure 10 \u2013 Generating victim_public_key<\/figcaption><\/figure>\n<\/div>\n<ol start=\"3\">\n<li>Generate a 24-byte nonce for XChaCha20, used later in the Poly1305-XChaCha20 authenticated encryption.<\/li>\n<\/ol>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"557\" height=\"278\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig11-Generating-24-byte-nonce.png\" alt=\"Partial screenshot of a Hive variant's encryption technique in assembly code.\" class=\"wp-image-117323\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig11-Generating-24-byte-nonce.png 557w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig11-Generating-24-byte-nonce-300x150.png 300w\" sizes=\"auto, (max-width: 557px) 100vw, 557px\" \/><figcaption>Figure 11 \u2013 Generating a 24-byte nonce<\/figcaption><\/figure>\n<\/div>\n<ol start=\"4\">\n<li>Generate <em>shared_secret<\/em> using ECDH with Curve25519. The inputs are <em>victim_private_key<\/em> and the attacker-controlled <em>hive_public_key<\/em>. 
Then <em>derived_key<\/em> is derived with ChaCha20, using <em>shared_secret<\/em> as the key and <em>hive_public_key<\/em> as the nonce.<\/li>\n<\/ol>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"633\" height=\"289\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig12-Genreating-shared_secred.png\" alt=\"Partial screenshot of a Hive variant's encryption technique in assembly code.\" class=\"wp-image-117326\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig12-Genreating-shared_secred.png 633w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig12-Genreating-shared_secred-300x137.png 300w\" sizes=\"auto, (max-width: 633px) 100vw, 633px\" \/><figcaption>Figure 12 &#8211; Generating shared_secret<\/figcaption><\/figure>\n<\/div>\n<ol start=\"5\">\n<li>Encrypt the keys set using Poly1305-XChaCha20. The inputs are the keys set as plaintext, <em>derived_key<\/em>, the nonce, and the embedded associated data (AD). The function encrypts the keys set and appends a 16-byte Poly1305 authentication tag to the buffer of encrypted keys. 
It\u2019s unclear whether the authentication tag is ever checked.<\/li>\n<\/ol>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"723\" height=\"145\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig13-Encrypting-the-keys-set.png\" alt=\"Partial screenshot of a Hive variant's encryption technique in assembly code.\" class=\"wp-image-117329\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig13-Encrypting-the-keys-set.png 723w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig13-Encrypting-the-keys-set-300x60.png 300w\" sizes=\"auto, (max-width: 723px) 100vw, 723px\" \/><figcaption>Figure 13 &#8211; Encrypting the keys set<\/figcaption><\/figure>\n<\/div>\n<p>Once the keys set is encrypted, the nonce, <em>victim_public_key<\/em>, the encrypted keys set, and the authentication tag are concatenated, in that order, into a new buffer. This buffer (which we label <em>encrypted_structure_1<\/em>) is treated as a new keys set and encrypted again with the same method described above, but with a second <em>hive_public_key<\/em>. The second pass generates a fresh nonce, a fresh <em>victim_private_key<\/em>, and so on; only the associated data is the same.<\/p>\n<p>Finally, the resulting buffer, which contains the <em>second_nonce<\/em>, <em>second_victim_public_key<\/em>, and the encrypted <em>encrypted_structure_1<\/em>, is written to the root of the drive being encrypted (for example, <em>C:\\<\/em>). The <em>create_extension<\/em> function generates a Base64 string from the first six bytes of the custom hash created earlier. 
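<\/p>\n<p>The two-round scheme above rests on the Curve25519 key agreement of steps 2 and 4: the victim machine holds only <em>victim_private_key<\/em> (discarded after use) and the attacker\u2019s <em>hive_public_key<\/em>, so <em>shared_secret<\/em>, and with it <em>derived_key<\/em>, can be recomputed only by whoever holds the matching Hive private key. The Python below is an added example, not code from the original post or from Microsoft. It reproduces just that key agreement with a pure-Python X25519 per RFC 7748 (not constant-time; for study, never for production), uses the basepoint of 9 followed by 31 zeros that the sample embeds, and checks itself against the RFC test vectors. The ChaCha20 key derivation of step 4, the XChaCha20-Poly1305 encryption of step 5 and Hive\u2019s own random-number generator are not reproduced; <em>hive_private_key<\/em> is a constructed attacker key standing in for one that never exists on the victim machine, and the function names are this example\u2019s own.<\/p>

```python
import os

# Added example (not from the original post or Microsoft): the X25519 key
# agreement used in steps 2 and 4, per RFC 7748. Pure Python and not
# constant-time, so suitable for analysis, never for production use.
P = 2**255 - 19
A24 = 121665
BASEPOINT = bytes([9]) + bytes(31)   # u = 9 followed by 31 zero bytes, as in the sample

def _clamp(scalar):
    # RFC 7748 scalar decoding: clear the low 3 bits and bit 255, set bit 254.
    b = bytearray(scalar)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, 'little')

def x25519(scalar, u):
    # Montgomery ladder returning the u-coordinate of scalar * point(u).
    k = _clamp(scalar)
    x1 = int.from_bytes(u, 'little') & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * (da - cb) * (da - cb) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, 'little')

def generate_keypair(rng=os.urandom):
    # Hive fills victim_private_key from its own generator; os.urandom stands
    # in for it here (assumption of this example).
    private_key = rng(32)
    return private_key, x25519(private_key, BASEPOINT)

def victim_side(hive_public_key, rng=os.urandom):
    # Steps 1, 2 and 4 on the victim machine. Only victim_public_key ends up
    # in the .key structure; the private key is never written anywhere.
    victim_private_key, victim_public_key = generate_keypair(rng)
    shared_secret = x25519(victim_private_key, hive_public_key)
    return victim_public_key, shared_secret

def attacker_side(hive_private_key, victim_public_key):
    # What the operator's decryptor does with the victim_public_key read
    # back from the .key file.
    return x25519(hive_private_key, victim_public_key)

def rfc7748_selfcheck():
    # Section 6.1 test vectors of RFC 7748.
    alice_priv = bytes.fromhex('77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a')
    alice_pub = bytes.fromhex('8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a')
    bob_priv = bytes.fromhex('5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb')
    bob_pub = bytes.fromhex('de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f')
    shared = bytes.fromhex('4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742')
    return (x25519(alice_priv, BASEPOINT) == alice_pub
            and x25519(bob_priv, BASEPOINT) == bob_pub
            and x25519(alice_priv, bob_pub) == shared
            and x25519(bob_priv, alice_pub) == shared)

if __name__ == '__main__':
    assert rfc7748_selfcheck()
    # Constructed attacker keypair standing in for the hive_public_key a real
    # sample carries; the private half stays with the operator.
    hive_private_key, hive_public_key = generate_keypair()
    victim_public_key, secret_on_victim = victim_side(hive_public_key)
    secret_on_attacker = attacker_side(hive_private_key, victim_public_key)
    assert secret_on_victim == secret_on_attacker
    print('shared_secret agrees on both sides:', secret_on_victim.hex())
```

<p>Running the file prints the shared secret computed on both sides. The agreement between <em>victim_side<\/em> and <em>attacker_side<\/em> is the whole point of the construction, and it is also why <em>victim_public_key<\/em> has to be stored in the <em>.key<\/em> structure next to the ciphertext: without it, even the operator could not rebuild <em>derived_key<\/em>, and without the Hive private key nobody else can.<\/p>\n<p>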
This Base64 string serves as the file name, and the extension of the file is simply <em>\u201c.key\u201d<\/em>.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"710\" height=\"161\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig14-Generating-Base64-string.png\" alt=\"Partial screenshot of a Hive variant's encryption technique in assembly code.\" class=\"wp-image-117332\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig14-Generating-Base64-string.png 710w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig14-Generating-Base64-string-300x68.png 300w\" sizes=\"auto, (max-width: 710px) 100vw, 710px\" \/><figcaption>Figure 14 &#8211; Generating a Base64 string based on the first six bytes of the custom hash<\/figcaption><\/figure>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"521\" height=\"103\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig15-Using-Base64-string-as-filename.png\" alt=\"Partial screenshot of a Hive variant's encryption technique in assembly code.\" class=\"wp-image-117335\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig15-Using-Base64-string-as-filename.png 521w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig15-Using-Base64-string-as-filename-300x59.png 300w\" sizes=\"auto, (max-width: 521px) 100vw, 521px\" \/><figcaption>Figure 15 &#8211; Using the Base64 string as the file name<\/figcaption><\/figure>\n<p>The diagram below illustrates the encryption scheme described above:<\/p>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"500\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig16-Keys-set-encryption-scheme-Hive-1024x500.png\" 
alt=\"Diagram containing icons and arrows illustrating the new Hive variant's encryption scheme.\" class=\"wp-image-117338\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig16-Keys-set-encryption-scheme-Hive-1024x500.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig16-Keys-set-encryption-scheme-Hive-300x147.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig16-Keys-set-encryption-scheme-Hive-768x375.png 768w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig16-Keys-set-encryption-scheme-Hive.png 1144w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>Figure 16 \u2013 The keys set encryption scheme of the new Hive variant<\/figcaption><\/figure>\n<p>As seen in the diagram above, the \u201cKeys sets encryption flow\u201d is executed twice: first with the original keys set as input, then with \u201cencrypted structure 1\u201d as input. In the second execution every input value is new except the AD (associated data) and the Basepoint 9.<\/p>\n<p>Hence, the following values are new in the second execution: <em>victim_private_key<\/em>, <em>victim_public_key<\/em>, <em>hive_public_key<\/em>, <em>nonce<\/em>, <em>shared_secret<\/em> and <em>derived_key<\/em>.<\/p>\n<p><strong>File encryption<\/strong><\/p>\n<p>After both keys files are written to disk, the multi-threaded file encryption starts. Before encrypting each file, the malware checks its name and extension against a list of strings; if there is a match, the file is skipped. For example, a file with the .exe extension is not encrypted if .exe is in the list. 
Note that this list is stored encrypted and is only decrypted at runtime.<\/p>\n<p>The new variant keeps the file encryption method of the old ones: two random numbers are generated and used as offsets into the keys set. Each offset is four bytes:<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"881\" height=\"773\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig17-Generating-offsets.png\" alt=\"Partial screenshot of a Hive variant's encryption technique in assembly code.\" class=\"wp-image-117341\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig17-Generating-offsets.png 881w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig17-Generating-offsets-300x263.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig17-Generating-offsets-768x674.png 768w\" sizes=\"auto, (max-width: 881px) 100vw, 881px\" \/><figcaption>Figure 17&nbsp;&#8211; Generating the offsets<\/figcaption><\/figure>\n<p>For the encryption, the file\u2019s content is XORed with bytes from the keys set, starting at the offsets. The file bytes are XORed twice: once with the keys-set bytes at the first offset and a second time with those at the second offset. Files are encrypted in blocks of 0x100000 bytes, at most 100 blocks per file, so no more than 100 MiB of any file is ever modified and the remainder of a larger file is left in plaintext. The interval between the encrypted blocks is defined by <em>block_space<\/em>. 
After the encryption is finished in memory, the encrypted data is written to the disk, overwriting the original file.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"714\" height=\"209\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig18-Calculation-of-number-of-blocks.png\" alt=\"Partial screenshot of a code snippet\" class=\"wp-image-117344\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig18-Calculation-of-number-of-blocks.png 714w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig18-Calculation-of-number-of-blocks-300x88.png 300w\" sizes=\"auto, (max-width: 714px) 100vw, 714px\" \/><figcaption>Figure 18 &#8211; Calculation of number of blocks<\/figcaption><\/figure>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"889\" height=\"117\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig19-Actual-encryption-of-file-bytes.png\" alt=\"Partial screenshot of a code snippet\" class=\"wp-image-117347\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig19-Actual-encryption-of-file-bytes.png 889w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig19-Actual-encryption-of-file-bytes-300x39.png 300w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig19-Actual-encryption-of-file-bytes-768x101.png 768w\" sizes=\"auto, (max-width: 889px) 100vw, 889px\" \/><figcaption>Figure 19&nbsp;&#8211; Actual encryption of the file bytes<\/figcaption><\/figure>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"594\" height=\"1024\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig20-Reading-encrypting-writing-back-file-594x1024.png\" alt=\"Partial screenshot of a Hive 
variant's encryption technique in assembly code.\" class=\"wp-image-117350\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig20-Reading-encrypting-writing-back-file-594x1024.png 594w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig20-Reading-encrypting-writing-back-file-174x300.png 174w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig20-Reading-encrypting-writing-back-file.png 741w\" sizes=\"auto, (max-width: 594px) 100vw, 594px\" \/><figcaption>Figure 20 &#8211; Reading a file, encrypting it, and writing it back to the disk<\/figcaption><\/figure>\n<p>Looking at the point where <em>create_extension<\/em> is called once file encryption has started, we recognized a structure similar to the one in the previous variant:<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"573\" height=\"364\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig21-Creating-file-extension.png\" alt=\"Partial screenshot of a Hive variant's structure in assembly code.\" class=\"wp-image-117353\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig21-Creating-file-extension.png 573w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig21-Creating-file-extension-300x191.png 300w\" sizes=\"auto, (max-width: 573px) 100vw, 573px\" \/><figcaption>Figure 21&nbsp;&#8211; Creating the extension for the file<\/figcaption><\/figure>\n<p>Let us look at the 16-byte value (72 D7 A7 A3 F5 5B FF EF 21 6B 11 7C 2A 18 CD 00) at the address held in the r9 register just before <em>create_extension<\/em> is called on a file named <em>EDBtmp.log<\/em>:<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"594\" height=\"36\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig22.png\" alt=\"Partial screenshot 
of a hexadecimal value\" class=\"wp-image-117356\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig22.png 594w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig22-300x18.png 300w\" sizes=\"auto, (max-width: 594px) 100vw, 594px\" \/><\/figure>\n<p>Recall that in the older variants, 0xFF was used as a delimiter to separate the key file name from the offset values. The same delimiter appears here, with the two four-byte offsets following it. Converting the six bytes before it (72 D7 A7 A3 F5 5B) to standard Base64 yields the following:<\/p>\n<pre class=\"wp-block-preformatted\">cteno\/Vb<\/pre>\n<p>If we step over <em>create_extension<\/em>, the result matches: we get <em>cteno_Vb<\/em> as the <em>.key<\/em> file name (Hive uses a different Base64 alphabet, in which \u201c\/\u201d is replaced with \u201c_\u201d):<\/p>\n<figure class=\"wp-block-image size-full is-resized\"><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig23.png\" alt=\"Partial screenshot of hexadecimal values\" class=\"wp-image-117359\" width=\"688\" height=\"39\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig23.png 688w, https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2022\/07\/Fig23-300x17.png 300w\" sizes=\"auto, (max-width: 688px) 100vw, 688px\" \/><\/figure>\n<p>Microsoft will continue to monitor the Hive operators\u2019 activity and implement protections for our customers. 
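<\/p>\n<p>The extension structure and the two-offset XOR scheme described above, as an added worked example: this is not code from the original post or from Hive itself. It splits the 16-byte value shown for <em>EDBtmp.log<\/em> at the 0xFF delimiter, derives the <em>.key<\/em> file name with the URL-safe Base64 alphabet (the post confirms only that \u201c\/\u201d becomes \u201c_\u201d; treating the rest of the alphabet as URL-safe is an assumption), reads the eight bytes after the delimiter as two little-endian four-byte offsets (byte order is not stated in the post), and XORs a file in blocks with a gap between them. The keys set, the sample file, the shrunken block size, the <em>block_space<\/em> value and the modulo wrap of keys-set indices are constructed or assumed for the demo; only the 0x100000 block size, the 100-block cap and the double XOR come from the post.<\/p>\n
```python
"""Worked example of the Hive extension structure and the two-offset XOR file
encryption as the Microsoft post describes them. This is an added illustration,
not Hive's code: the keys set, sample file, block_space value and the byte order
of the offsets are constructed or assumed here."""
import base64
import struct

# Value observed in r9 just before create_extension ran for EDBtmp.log (from
# the post): six name bytes, the 0xFF delimiter, two 4-byte offsets, then 0x00.
EXT_STRUCT = bytes.fromhex("72D7A7A3F55BFFEF216B117C2A18CD00")

BLOCK_SIZE = 0x100000  # encrypted block size stated in the post
MAX_BLOCKS = 100       # maximum number of encrypted blocks per file (post)


def parse_extension_struct(blob: bytes):
    """Split the structure at the 0xFF delimiter and return
    (key_file_name, [offset1, offset2]).

    Assumptions: the URL-safe Base64 alphabet matches Hive's (the post only
    confirms that "/" becomes "_"), and the eight bytes after 0xFF are two
    little-endian 4-byte offsets followed by a 0x00 terminator.
    """
    name_bytes, delim, rest = blob.partition(b"\xff")
    if not delim or len(rest) < 8:
        raise ValueError("no 0xFF delimiter or truncated offsets")
    key_name = base64.urlsafe_b64encode(name_bytes).decode().rstrip("=")
    offsets = list(struct.unpack("<II", rest[:8]))
    return key_name, offsets


def xor_blocks(data: bytes, keyset: bytes, off1: int, off2: int,
               block_space: int, block_size: int = BLOCK_SIZE,
               max_blocks: int = MAX_BLOCKS) -> bytes:
    """XOR `data` with keys-set bytes starting at off1 and again at off2,
    block by block, skipping `block_space` bytes between blocks and touching
    at most `max_blocks` blocks. XOR is its own inverse, so the same call with
    the same keys set and offsets decrypts.

    Assumptions not stated in the post: keys-set indices wrap modulo its
    length, and the key-stream position advances continuously across blocks.
    """
    out = bytearray(data)
    n = len(keyset)
    pos = consumed = blocks = 0
    while pos < len(out) and blocks < max_blocks:
        end = min(pos + block_size, len(out))
        for i in range(pos, end):
            out[i] ^= keyset[(off1 + consumed) % n] ^ keyset[(off2 + consumed) % n]
            consumed += 1
        blocks += 1
        pos = end + block_space   # leave a gap before the next block
    return bytes(out)


# Constructed demo inputs: a small fake keys set and a 1 KiB sample "file".
KEYSET = bytes((i * 131 + 7) & 0xFF for i in range(4096))
SAMPLE = bytes(range(256)) * 4


def demo():
    """Round-trip the sample with a shrunken block size so the gaps are visible."""
    name, (off1, off2) = parse_extension_struct(EXT_STRUCT)
    enc = xor_blocks(SAMPLE, KEYSET, off1, off2, block_space=128, block_size=256)
    dec = xor_blocks(enc, KEYSET, off1, off2, block_space=128, block_size=256)
    return {
        "key_name": name,                      # "cteno_Vb", as in the post
        "offsets": [hex(off1), hex(off2)],
        "gap_untouched": enc[256:384] == SAMPLE[256:384],
        "round_trip": dec == SAMPLE,
    }


if __name__ == "__main__":
    print(demo())
```
<p>Because XOR is its own inverse, the same call with the same keys set and offsets decrypts, which is why recovering a file needs the keys set (stored encrypted in the <em>.key<\/em> file) together with the offsets carried in the extension structure. The round trip with a small block size also shows why a file that spans more than the maximum number of blocks keeps untouched regions between and after the encrypted blocks.<\/p>\n<p>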
The current detections, advanced detections, and indicators of compromise (IOCs) in place across our security products are detailed below.<\/p>\n<h2>Recommended customer actions<\/h2>\n<p>The techniques used by the new Hive variant can be mitigated by adopting the security considerations provided below:<\/p>\n<ul>\n<li>Use the included IOCs to investigate whether they exist in your environment and assess for potential intrusion.<\/li>\n<\/ul>\n<p>Our recent <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/05\/09\/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself\/\">blog on the ransomware-as-a-service economy<\/a> has an exhaustive guide on how to protect yourself from ransomware threats that dives deep into each of the following areas. We encourage readers to refer to that blog for a comprehensive guide on:<\/p>\n<ul>\n<li>Building credential hygiene<\/li>\n<li>Auditing credential exposure<\/li>\n<li>Prioritizing deployment of Active Directory updates<\/li>\n<li>Cloud hardening\n<ul>\n<li>Implement the&nbsp;<a href=\"https:\/\/docs.microsoft.com\/security\/benchmark\/azure\/\">Azure Security Benchmark<\/a>&nbsp;and general&nbsp;<a href=\"https:\/\/docs.microsoft.com\/azure\/security\/fundamentals\/identity-management-best-practices\">best practices for securing identity infrastructure<\/a>.<\/li>\n<li>Ensure cloud admins\/tenant admins are treated with&nbsp;<a href=\"https:\/\/docs.microsoft.com\/azure\/active-directory\/roles\/best-practices\">the same level of security and credential hygiene<\/a>&nbsp;as Domain Admins.<\/li>\n<li>Address&nbsp;<a href=\"https:\/\/docs.microsoft.com\/azure\/active-directory\/authentication\/how-to-authentication-find-coverage-gaps\">gaps in authentication coverage<\/a>.<\/li>\n<\/ul>\n<\/li>\n<li>Enforce MFA on all accounts, remove users excluded from MFA, and strictly <a 
href=\"https:\/\/docs.microsoft.com\/azure\/active-directory\/identity-protection\/howto-identity-protection-configure-mfa-policy\">require MFA<\/a>&nbsp;from all devices, in all locations, at all times.<\/li>\n<li>Enable passwordless authentication methods (for example, Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts that support passwordless. For accounts that still require passwords, use authenticator apps like Microsoft Authenticator for MFA.<\/li>\n<li>Disable legacy authentication.<\/li>\n<\/ul>\n<p>For&nbsp;Microsoft 365&nbsp;Defender customers, the following checklist helps eliminate security blind spots:<\/p>\n<ul>\n<li>Turn on&nbsp;<a href=\"https:\/\/docs.microsoft.com\/microsoft-365\/security\/defender-endpoint\/configure-block-at-first-sight-microsoft-defender-antivirus?view=o365-worldwide\">cloud-delivered protection<\/a>&nbsp;in Microsoft Defender Antivirus to cover rapidly evolving attacker tools and techniques, block new and unknown malware variants, and enhance attack surface reduction rules and tamper protection.<\/li>\n<li>Turn on&nbsp;<a href=\"https:\/\/docs.microsoft.com\/microsoft-365\/security\/defender-endpoint\/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide\">tamper protection<\/a>&nbsp;features to prevent attackers from stopping security services.<\/li>\n<li>Run&nbsp;<a href=\"https:\/\/docs.microsoft.com\/microsoft-365\/security\/defender-endpoint\/edr-in-block-mode?view=o365-worldwide\">EDR in block mode<\/a>&nbsp;so that Microsoft Defender for Endpoint can block malicious artifacts, even when a non-Microsoft antivirus doesn\u2019t detect the threat or when Microsoft Defender Antivirus is running in passive mode. 
EDR in block mode also blocks indicators identified proactively by Microsoft Threat Intelligence teams.<\/li>\n<li>Enable&nbsp;<a href=\"https:\/\/docs.microsoft.com\/microsoft-365\/security\/defender-endpoint\/enable-network-protection?view=o365-worldwide\">network protection<\/a>&nbsp;to prevent applications or users from accessing malicious domains and other malicious content on the internet.<\/li>\n<li>Enable&nbsp;<a href=\"https:\/\/docs.microsoft.com\/microsoft-365\/security\/defender-endpoint\/automated-investigations?view=o365-worldwide\">investigation and remediation<\/a>&nbsp;in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches.<\/li>\n<li>Use&nbsp;<a href=\"https:\/\/docs.microsoft.com\/microsoft-365\/security\/defender-endpoint\/device-discovery?view=o365-worldwide\">device discovery<\/a>&nbsp;to increase visibility into the network by finding unmanaged devices and onboarding them to Microsoft Defender for Endpoint.<\/li>\n<li><a href=\"https:\/\/docs.microsoft.com\/defender-for-identity\/what-is\">Protect user identities and credentials<\/a>&nbsp;using Microsoft Defender for Identity, a cloud-based security solution that leverages on-premises Active Directory signals to monitor and analyze user behavior to identify suspicious user activities, configuration issues, and active attacks.<\/li>\n<\/ul>\n<h2>Indicators of compromise (IOCs)<\/h2>\n<p>The table below is a partial list of the IOCs observed during our investigation. 
We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.<\/p>\n<figure class=\"wp-block-table\">\n<table>\n<tbody>\n<tr>\n<td><strong>Indicator<\/strong><\/td>\n<td><strong>Type<\/strong><\/td>\n<td><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td>f4a39820dbff47fa1b68f83f575bc98ed33858b02341c5c0464a49be4e6c76d3<\/td>\n<td>SHA-256<\/td>\n<td>Hive Rust variant payload<\/td>\n<\/tr>\n<tr>\n<td>88b1d8a85bf9101bc336b01b9af4345ed91d3ec761554d167fe59f73af73f037<\/td>\n<td>SHA-256<\/td>\n<td>Hive Rust variant payload<\/td>\n<\/tr>\n<tr>\n<td>065208b037a2691eb75a14f97bdbd9914122655d42f6249d2cca419a1e4ba6f1<\/td>\n<td>SHA-256<\/td>\n<td>Hive Rust variant payload<\/td>\n<\/tr>\n<tr>\n<td>33744c420884adf582c46a4b74cbd9c145f2e15a036bb1e557e89d6fd428e724<\/td>\n<td>SHA-256<\/td>\n<td>Hive Rust variant payload<\/td>\n<\/tr>\n<tr>\n<td>afab34235b7f170150f180c7afb9e3b4e504a84559bbd03ab71e64e3b6541149<\/td>\n<td>SHA-256<\/td>\n<td>Hive Rust variant payload<\/td>\n<\/tr>\n<tr>\n<td>36759cab7043cd7561ac6c3968832b30c9a442eff4d536e901d4ff70aef4d32d<\/td>\n<td>SHA-256<\/td>\n<td>Hive Rust variant payload<\/td>\n<\/tr>\n<tr>\n<td>481dc99903aa270d286f559b17194b1a25deca8a64a5ec4f13a066637900221e<\/td>\n<td>SHA-256<\/td>\n<td>Hive Rust variant payload<\/td>\n<\/tr>\n<tr>\n<td>6e5d49f604730ef4c05cfe3f64a7790242e71b4ecf1dc5109d32e811acf0b053<\/td>\n<td>SHA-256<\/td>\n<td>Hive Rust variant payload<\/td>\n<\/tr>\n<tr>\n<td>32ff0e5d87ec16544b6ff936d6fd58023925c3bdabaf962c492f6b078cb01914<\/td>\n<td>SHA-256<\/td>\n<td>Hive Rust variant payload<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p><strong>NOTE:<\/strong> These indicators shouldn\u2019t be considered exhaustive for this observed activity.<\/p>\n<h2>Detections<\/h2>\n<h3>Microsoft 365 Defender<\/h3>\n<p><strong>Microsoft Defender Antivirus<\/strong><\/p>\n<p>Microsoft Defender 
Antivirus provides detection for this threat under the following family names with build version 1.367.405.0 or later.<\/p>\n<ul>\n<li>Ransom:Win64\/Hive<\/li>\n<li>Ransom:Win32\/Hive<\/li>\n<\/ul>\n<p><strong>Microsoft Defender for Endpoint detection<\/strong><\/p>\n<p>Microsoft Defender for Endpoint customers may see any or a combination of the following alerts as an indication of a possible attack. These alerts are not necessarily an indication of a Hive compromise, but should be investigated:<\/p>\n<ul>\n<li>Ransomware behavior detected in the file system<\/li>\n<li>File backups were deleted<\/li>\n<li>Possible ransomware infection modifying multiple files<\/li>\n<li>Possible ransomware activity<\/li>\n<li>Ransomware-linked emerging threat activity group detected<\/li>\n<\/ul>\n<h2>Advanced hunting queries<\/h2>\n<h3>Microsoft Sentinel<\/h3>\n<p>To locate possible Hive ransomware activity mentioned in this blog post, Microsoft Sentinel customers can use the queries detailed below:<\/p>\n<p><strong>Identify Hive ransomware IOCs<\/strong><\/p>\n<p>This query identifies a match across various data feeds for IOCs related to Hive ransomware.<\/p>\n<p><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/master\/Detections\/MultipleDataSources\/HiveRansomwareJuly2022.yaml\">https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/master\/Detections\/MultipleDataSources\/HiveRansomwareJuly2022.yaml<\/a><\/p>\n<p><strong>Identify backup deletion<\/strong><\/p>\n<p>This hunting query helps detect attempts by ransomware to delete backup files.<\/p>\n<p><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/master\/Hunting%20Queries\/MultipleDataSources\/BackupDeletion.yaml\">https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/master\/Hunting%20Queries\/MultipleDataSources\/BackupDeletion.yaml<\/a><\/p>\n<p><strong>Identify Microsoft Defender Antivirus detection of Hive ransomware<\/strong><\/p>\n<p>This query looks for Microsoft Defender Antivirus detections 
related to the Hive ransomware and joins the alert with other data sources to surface additional information such as device, IP, signed-in users, etc.<\/p>\n<p><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/master\/Detections\/SecurityAlert\/HiveRansomwareAVHits.yaml\">https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/master\/Detections\/SecurityAlert\/HiveRansomwareAVHits.yaml<\/a><\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/07\/05\/hive-ransomware-gets-upgrades-in-rust\/\">Hive ransomware gets upgrades in Rust<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.microsoft.com\/security\/blog\">Microsoft Security Blog<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Microsoft 365 Defender Threat Intelligence Team| Date: Tue, 05 Jul 2022 16:00:00 +0000<\/strong><\/p>\n<p>With its latest variant carrying several major upgrades, Hive proves it\u2019s one of the fastest evolving ransomware payloads, exemplifying the continuously changing ransomware ecosystem. 
<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[4500,25098,22453,26865,3765,11598],"class_list":["post-19515","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-cybersecurity","tag-hive","tag-microsoft-security-intelligence","tag-mstic","tag-ransomware","tag-ransomware-as-a-service"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19515","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=19515"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19515\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=19515"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=19515"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=19515"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}