In the past year, ransomware attacks have increased significantly. They represent one of hackers’ preferred methods for maximizing profits, but can lead to reputational damage, disruptions to business operations, data loss, stock price drops and legal consequences.

At present, an affiliate of the notorious Hive ransomware group is exploiting known vulnerabilities in Microsoft Exchange servers in order to launch ransomware attacks. Once the attacks hit targets, the attacker threatens to encrypt, exfiltrate and publicly disclose targets’ privately owned data.

Unnamed enterprise attack

In a recent incident involving an unnamed organization, the Hive affiliate compromised several devices and file servers through the exploitation of the ProxyShell vulnerabilities in Exchange servers. Within 72 hours, data was irreconcilably encrypted.

This attack included typical Hive hallmarks – data encrypting malware and threat of public disclosure. On occasion, the group has included a third threat, saying that they will erase all data in the event that a ransom request goes unpaid.

Hive ransomware attackers

The Hive ransomware group first emerged in June of 2021. Since then, Hive has targeted a range of sectors, including healthcare, nonprofit, retail, and energy. Last week, the US Health and Human Services (HHS) agency sent out a warning to healthcare providers regarding the Hive threat.

In the short time since launch, Hive has established itself as a particularly aggressive organization. According to one report, Hive ranks as the fourth-most active ransomware operator in existence. As many as 335 ransomware attacks have been attributed to Hive or Hive affiliates.

Hive operates using the Ransomware-as-a-Service model. In other words, Hive leases its technology to ‘smaller’ cyber criminals, who then deploy the technology against organizations. Hive takes a cut of the ransom profits.

Technical details

Hive attacks focus on ProxyShell Remote Code Execution (RCE) vulnerabilities. Other threat groups, including Conti, have also been known to use these types of vulnerabilities. While Microsoft patched the flaw more than a year ago, not all organizations updated their Exchange Servers.

After vulnerability exploit, the Hive affiliate deploys a backdoor webshell that executes malicious PowerShell code in compromised systems (with SYSTEM privileges). This is followed by additional stagers from a command-and-control (C2) server linked to the Cobalt Strike framework. One element of the framework includes an additional obfuscated PowerShell script. The hacker then takes control over the domain administrator account and moves laterally through the network.

Observed hacker activities include searching for files labeled with the word “password,” dropping network scanners, and collecting networks’ IP addresses and device names, according to cyber security researchers. Further, investigative clues led researchers to believe that the Hive affiliate attempts to ensure access to critical servers ahead of ransomware deployment.

How to avoid Hive ransomware

Worried about Hive? Pursue various means of protecting your organization against Hive and Hive affiliate threats. Address the threat by:

  • Updating Exchange servers with the latest Exchange cumulative and security patches from Microsoft
  • Mandating the use of complex passwords
  • Ensuring that employees rotate passwords on a regular basis
  • Revoking local administrative permissions from domain accounts
  • Removing inactive user accounts

In closing

Many businesses remain unable to survive the impact of a ransomware attack. Ensure that your enterprise has the right policies, procedures, and technologies in-place in order to protect your systems, employees and clients. Take a proactive stance against this Exchange server attack and against ransomware attacks at-large.

For more information about Exchange server attacks and ransomware, click here. Lastly, to receive more cutting-edge cyber security news,  best practices and analyses, please sign up for the CyberTalk.org newsletter.