A new threat group named Hive, which deploys a ransomware variant of the same name, has begun to ramp up operations around the globe. Notable recent intrusions in North America have propelled the group into the sights of the cyber security community.
As a modern EDR solution, FortiEDR provides protection from new ransomware variants such as Hive straight out of the box. Even with a previously unseen sample, pre-execution detection rules allow FortiEDR to block file access before the Hive executable can run, and post-execution behavioural rules allow it to block the sample's post-exploitation activity so that the ransomware cannot impact the end user's system or stored information. This article focuses on how FortiEDR protects endpoints from the pre- and post-exploitation activity associated with the Hive ransomware. FortiEDR also provides protection from the TTPs used in the earlier stages of the kill chain that lead to the deployment of Hive ransomware in a targeted environment.
For more information on these whole-of-kill-chain mitigations, read through other FortiEDR articles or engage your local Fortinet representative for any specific coverage questions.
In prevention mode, FortiEDR prevents Hive ransomware from executing as soon as the Hive executable is accessed by the operating system. FortiEDR detects and classifies files like Hive as malicious based on automated analysis that incorporates signature-based detection, machine learning analysis of code characteristics and sandbox analysis in Fortinet Cloud Services (FCS). Details of this automated analysis can be found on the 'Automated Analysis' tab of the Event Viewer page.
Figure 1. FortiEDR pre-execution detection of Hive ransomware.
Let's see how FortiEDR detects and blocks this ransomware by switching to simulation mode. In simulation mode, FortiEDR generates events but does not block the activity, allowing the Hive ransomware to execute fully (on an isolated test host, since the sample will encrypt everything it can reach). This lets us demonstrate the scope of behavioural detections and blocks that FortiEDR applies and the layers of rules that protect defended endpoints.
Hive ransomware attempts to access system services such as the Volume Shadow Copy service and the Windows Defender service to disable system backups and degrade the security posture of the endpoint. FortiEDR detects service access such as this by the Hive sample, as demonstrated in the events below, and would block it in protect mode.
Figure 2. FortiEDR post-exploitation detection of Hive ransomware attempting to access system services following execution.
File Rename Attempt
Hive ransomware tries to delete itself from the location it first executed from as a defence evasion technique. FortiEDR detects file delete and rename attempts such as this by the Hive sample, as demonstrated in the events below, and would block them in protect mode. The batch file ("hive.bat") used for this self-deletion contains the following commands; note that the "Repeat" label the goto refers to is not part of the excerpt shown:
timeout 1 || sleep 1
del "<initial path>\<ransomware_name>.exe"
if exist "<initial path>\<ransomware_name>.exe" goto Repeat
Figure 3. FortiEDR post-exploitation detection of Hive ransomware attempting to rename itself for defensive evasion.
Hive ransomware drops a copy of the ransom note, 'HOW_TO_DECRYPT.txt', in every accessible folder. The contents of the ransom note clearly indicate affiliation with the Hive group, given the links to the 'hivecust' (customer portal) and 'hiveleaks' (disclosure/leak site) web pages.
Figure 4. FortiEDR post-exploitation detection of Hive ransomware writing ransom notes to targeted directories. Also shown: FortiEDR threat hunting used to scope file creation events throughout the environment.
Figure 5. Screenshot of a ransomware note dropped by Hive ransomware. This will differ slightly between victims.
File Write Access
Hive ransomware uses its own internal encryption routines, rather than an external tool, to encrypt files in all accessible folders. In the example events below, FortiEDR detects these file encryption operations and would block them in protect mode, protecting the data stored on the endpoint.
Figure 6. FortiEDR post-exploitation detection of Hive ransomware attempting to encrypt files on an endpoint following execution.
To search for the ransom note:
Type: ("File Create") AND Target.File.Name: ("HOW_TO_DECRYPT.txt")
To search for encrypted files with the 'hive' extension:
Type: ("File Create") AND Target.File.Ext:("hive")
To search for execution of the hive.bat batch file that is used to try to delete the original Hive ransomware executable:
Type: ("Process Creation") AND Target.Process.File.Name: ("cmd.exe") AND Target.Process.CommandLine: ("\/c hive.bat \>NUL 2\>NUL")
To search for the creation of hive.bat file:
Type: ("File Create") AND Target.File.Name: ("hive.bat")
To search for execution of the shadow.bat batch file that is used to try to delete the volume's shadow copies:
Type: ("Process Creation") AND Target.Process.File.Name: ("cmd.exe") AND Target.Process.CommandLine: ("\/c shadow.bat \>NUL 2\>NUL")
To search for the creation of shadow.bat file:
Type: ("File Create") AND Target.File.Name: ("shadow.bat")
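The console queries above can only be run inside FortiEDR, so the following is an added example (not FortiEDR's or Fortinet's code) that applies the same matching logic to a constructed set of endpoint events, so the rules can be reasoned about and tested offline. The event records, the "Host" field and the second host's benign look-alike activity are all made up for this demonstration; the other field names follow the queries above. The backslashes in the query strings (e.g. "\/c hive.bat \>NUL 2\>NUL") are read here as escapes for the query language, so the example matches the raw command line "/c hive.bat >NUL 2>NUL". File and extension comparisons are case-insensitive because Windows file names are, and a rule for the "vssadmin.exe delete shadows" command that shadow.bat runs is included alongside the six queries.

```python
"""Hunt for Hive ransomware artefacts in endpoint telemetry.

Added example, not FortiEDR code. Field names mirror the FortiEDR threat
hunting queries (Type, Target.File.Name, Target.File.Ext,
Target.Process.File.Name, Target.Process.CommandLine); the records and the
"Host" field are constructed for this demonstration.
"""
from collections import defaultdict

# Constructed sample telemetry: WS01 is hit by Hive, WS02 has look-alike
# but benign activity that the rules must not flag.
SAMPLE_EVENTS = [
    {"Host": "WS01", "Type": "File Create",
     "Target.File.Name": "hive.bat", "Target.File.Ext": "bat"},
    {"Host": "WS01", "Type": "Process Creation",
     "Target.Process.File.Name": "cmd.exe",
     "Target.Process.CommandLine": "cmd /c hive.bat >NUL 2>NUL"},
    {"Host": "WS01", "Type": "File Create",
     "Target.File.Name": "shadow.bat", "Target.File.Ext": "bat"},
    {"Host": "WS01", "Type": "Process Creation",
     "Target.Process.File.Name": "cmd.exe",
     "Target.Process.CommandLine": "cmd /c shadow.bat >NUL 2>NUL"},
    {"Host": "WS01", "Type": "Process Creation",
     "Target.Process.File.Name": "vssadmin.exe",
     "Target.Process.CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Host": "WS01", "Type": "File Create",
     "Target.File.Name": "HOW_TO_DECRYPT.txt", "Target.File.Ext": "txt"},
    {"Host": "WS01", "Type": "File Create",
     "Target.File.Name": "Q3_forecast.xlsx.hive", "Target.File.Ext": "hive"},
    {"Host": "WS01", "Type": "File Create",
     "Target.File.Name": "payroll.docx.HIVE", "Target.File.Ext": "HIVE"},
    # Benign look-alikes: a different batch file, a different note name and
    # a file that merely contains "hive" in its name but not as the extension.
    {"Host": "WS02", "Type": "Process Creation",
     "Target.Process.File.Name": "cmd.exe",
     "Target.Process.CommandLine": "cmd /c build.bat >NUL 2>NUL"},
    {"Host": "WS02", "Type": "File Create",
     "Target.File.Name": "HOW_TO_ENCRYPT_BACKUPS.txt", "Target.File.Ext": "txt"},
    {"Host": "WS02", "Type": "File Create",
     "Target.File.Name": "archive.hive.bak", "Target.File.Ext": "bak"},
]


def _field(event, name):
    """Fetch a field as a case-folded string (Windows names are case-insensitive)."""
    return str(event.get(name, "")).casefold()


def _file_create(event, name=None, ext=None):
    """Type: ("File Create") AND Target.File.Name / Target.File.Ext equality."""
    if _field(event, "Type") != "file create":
        return False
    if name is not None and _field(event, "Target.File.Name") != name.casefold():
        return False
    if ext is not None and _field(event, "Target.File.Ext") != ext.casefold():
        return False
    return True


def _process_creation(event, image, fragment):
    """Type: ("Process Creation") AND image name equality AND command-line phrase."""
    return (_field(event, "Type") == "process creation"
            and _field(event, "Target.Process.File.Name") == image.casefold()
            and fragment.casefold() in _field(event, "Target.Process.CommandLine"))


# One predicate per console query, plus the vssadmin command shadow.bat runs.
RULES = {
    "ransom_note_dropped": lambda e: _file_create(e, name="HOW_TO_DECRYPT.txt"),
    "encrypted_file_written": lambda e: _file_create(e, ext="hive"),
    "hive_bat_created": lambda e: _file_create(e, name="hive.bat"),
    "hive_bat_executed": lambda e: _process_creation(e, "cmd.exe", "/c hive.bat >NUL 2>NUL"),
    "shadow_bat_created": lambda e: _file_create(e, name="shadow.bat"),
    "shadow_bat_executed": lambda e: _process_creation(e, "cmd.exe", "/c shadow.bat >NUL 2>NUL"),
    "shadow_copies_deleted": lambda e: _process_creation(e, "vssadmin.exe", "delete shadows"),
}


def hunt(events):
    """Return (rule_name, event) pairs for every event matching at least one rule."""
    return [(name, e) for e in events for name, rule in RULES.items() if rule(e)]


def scope_by_host(hits):
    """Count matches per host and rule, to see how far each host progressed."""
    summary = defaultdict(lambda: defaultdict(int))
    for name, event in hits:
        summary[event.get("Host", "unknown")][name] += 1
    return {host: dict(rules) for host, rules in summary.items()}


if __name__ == "__main__":
    for host, rules in scope_by_host(hunt(SAMPLE_EVENTS)).items():
        print(host, rules)
```

The per-host summary is the useful output for scoping: a host with only "ransom_note_dropped" hits may have received notes over a share from another machine, whereas a host showing batch execution, shadow copy deletion and ".hive" writes ran the sample itself.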
TA0002 - Execution
Command and Scripting Interpreter: Windows Command Shell (T1059.003)
Hive ransomware uses cmd.exe to execute its batch files, such as "shadow.bat" and "hive.bat".
TA0005 - Defense Evasion
Indicator Removal on Host: File Deletion (T1070.004)
Hive ransomware tries to delete itself to avoid detection. It also deletes its batch files, "shadow.bat" and "hive.bat".
TA0040 - Impact
Inhibit System Recovery (T1490)
Hive ransomware tries to delete the volume shadow copies by executing the command "vssadmin.exe delete shadows /all /quiet".
TA0040 - Impact
Data Encrypted for Impact (T1486)
Like most ransomware, Hive encrypts files in every accessible folder.
The FortiGuard Managed Detection and Response (MDR) Service is designed for customers of the FortiEDR advanced endpoint security platform. This team of threat experts continues to monitor and update this article as new information is discovered.