Analytics company Varonis found one of its customers had multiple devices and file servers compromised and encrypted by the threat group known as Hive. The initial indicator of compromise was the successful exploitation of Microsoft Exchange via vulnerabilities known as ProxyShell.
Hive is distributed under a Ransomware-as-a-Service (RaaS) model that lets affiliates deploy it as they see fit. The variant relies on common ransomware tactics, techniques, and procedures (TTPs) to compromise victims' devices. During hands-on operations, the operator disables anti-malware protections, then exfiltrates sensitive data and encrypts business files. Affiliates use several mechanisms to break into victims' networks, including phishing emails with malicious attachments, leaked VPN credentials, and exploitation of vulnerabilities on external-facing assets. In addition, Hive drops a plain-text ransom note threatening to publish the victim's data on the Tor site 'HiveLeaks' unless the victim meets the attacker's conditions.
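Since the initial indicator in this case was ProxyShell exploitation of Exchange, a defender's first triage step is to sweep the Exchange front-end IIS logs for the autodiscover path-confusion requests that ProxyShell relies on. The following is an added example, not code from Varonis or from the report above: it parses constructed W3C-style IIS log lines (hypothetical IPs and hostnames) and flags requests whose query smuggles an `@` plus a backend path; the field layout and the backend paths are assumptions taken from public ProxyShell write-ups, not from this page.

```python
from urllib.parse import unquote
from typing import Dict, List

# Assumed W3C field layout of the constructed log. Real IIS logs declare their
# own "#Fields:" line; adapt FIELD_NAMES to what the server actually records.
FIELD_NAMES = ["date", "time", "method", "uri_stem", "uri_query", "client_ip", "status"]

# Backend services that ProxyShell-style autodiscover requests try to reach
# through the front end (assumption from public write-ups, not from this page).
SUSPICIOUS_BACKENDS = ("/powershell", "/mapi/nspi", "/ews/exchange.asmx")

# Constructed sample log: hypothetical hosts and RFC 5737 documentation IPs.
SAMPLE_IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-09-01 10:00:01 GET /owa/auth/logon.aspx - 203.0.113.10 200
2021-09-01 10:00:07 POST /autodiscover/autodiscover.json @evil.example/powershell 198.51.100.7 200
2021-09-01 10:00:09 GET /autodiscover/autodiscover.json @evil.example/mapi/nspi/ 198.51.100.7 200
2021-09-01 10:01:00 GET /ecp/default.aspx - 203.0.113.10 200
2021-09-01 10:02:15 POST /autodiscover/autodiscover.json a=%40evil.example%2Fews%2Fexchange.asmx 198.51.100.7 200
"""

def parse_iis_line(line: str) -> Dict[str, str]:
    """Split one space-delimited W3C log line into named fields."""
    parts = line.split()
    if len(parts) != len(FIELD_NAMES):
        raise ValueError(f"unexpected field count in line: {line!r}")
    return dict(zip(FIELD_NAMES, parts))

def is_proxyshell_like(event: Dict[str, str]) -> bool:
    """True when an autodiscover.json request carries an '@' and a backend path in its query."""
    stem = event["uri_stem"].lower()
    query = unquote(event["uri_query"]).lower()  # decode %40 -> @, %2F -> /
    if "autodiscover.json" not in stem:
        return False
    return "@" in query and any(backend in query for backend in SUSPICIOUS_BACKENDS)

def detect_proxyshell(log_text: str) -> List[Dict[str, str]]:
    """Return every parsed event in the log that matches the ProxyShell pattern."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):  # skip blank and directive lines
            continue
        event = parse_iis_line(line)
        if is_proxyshell_like(event):
            hits.append(event)
    return hits

def sources_by_hit_count(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Aggregate matches per client IP so the noisiest source surfaces first."""
    counts: Dict[str, int] = {}
    for hit in hits:
        counts[hit["client_ip"]] = counts.get(hit["client_ip"], 0) + 1
    return counts
```

A match is a trigger for deeper review of that host (web shells under the Exchange directories, mailbox export activity), not proof of compromise on its own, since legitimate autodiscover traffic never needs the `@` path-confusion form.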