FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
gthirugnanasa
Article Id 192589

Introduction
A new threat group named Hive, which deploys a ransomware variant of the same name, has begun to ramp up operations around the globe. Notable recent intrusions in North America have propelled this group into the sights of the cyber security community.

As a modern EDR solution, FortiEDR provides protection from new ransomware variants such as Hive straight out of the box. Even with an unknown sample, pre-execution detection rules allow FortiEDR to block file access before the Hive sample can execute, and post-execution detection rules allow FortiEDR to block the sample's post-execution behaviour, preventing the ransomware from impacting the end user's system or stored information.
This article focuses on how FortiEDR protects endpoints from the pre- and post-exploitation activity associated with the Hive ransomware. FortiEDR also provides protection from the TTPs used in the earlier stages of the kill chain that lead to the deployment of Hive ransomware in a targeted environment.

For more information on these whole-of-kill-chain mitigations, read through other FortiEDR articles or engage your local Fortinet representative with any specific coverage questions.

Pre-Execution

In prevention mode, FortiEDR blocks Hive ransomware from executing as soon as the operating system accesses the Hive executable. FortiEDR detects and classifies files like Hive as malicious based on automated analysis that incorporates signature-based detection, machine learning analysis of code characteristics and sandbox analysis in Fortinet Cloud Services (FCS). Details of this automated analysis can be found through the ‘Automated Analysis’ tab on the Event Viewer page.

Figure 1. FortiEDR pre-execution detection of Hive ransomware.

Post-Execution

Let's see how FortiEDR detects and blocks this ransomware by switching to simulation mode. In simulation mode, FortiEDR generates events but does not block them, allowing the Hive ransomware to execute fully. This demonstrates the scope of the behavioural detections and blocks that FortiEDR applies, and the layers of rules that protect defended endpoints.

Service Access

Hive ransomware attempts to access system services such as the Volume Shadow Copy service and Windows Defender services in order to disable system backups and degrade the security posture of the endpoint. As the events below demonstrate, FortiEDR detects service access such as this by the Hive sample and would block it if it were in protect mode.

Figure 2. FortiEDR post-exploitation detection of Hive ransomware attempting to access system services following execution.

File Rename Attempt

Hive ransomware tries to delete itself from the location where it first executed, a defense evasion technique. As the events below demonstrate, FortiEDR detects file delete and rename attempts such as this by the Hive sample and would block them if it were in protect mode. The batch file used to perform this deletion contains the following commands; the loop retries the delete roughly every second until the executable is gone, then removes the batch file itself:

:Repeat
timeout 1 || sleep 1
del "<initial path>\<ransomware_name>.exe"
if exist "<initial path>\<ransomware_name>.exe" goto Repeat
del "hive.bat"

Figure 3. FortiEDR post-exploitation detection of Hive ransomware attempting to rename itself for defense evasion.

File Creation

Hive ransomware drops a copy of the ransom note, 'HOW_TO_DECRYPT.txt', in every accessible folder. The contents of the ransom note clearly indicate affiliation with the Hive group, given the links to the ‘hivecust’ (customer portal) and ‘hiveleaks’ (disclosure page) webpages.

Figure 4. FortiEDR post-exploitation detection of Hive ransomware writing ransom notes to targeted directories. Also shown: FortiEDR threat hunting used to scope file creation events throughout the environment.

Ransom Note

Figure 5. Screenshot of a ransom note dropped by Hive ransomware. This will differ slightly between victims.

File Write Access

Hive ransomware uses internal functions to encrypt files in all accessible folders. In the example events below, FortiEDR detects these file encryption operations and would block them if it were in protect mode, protecting the data the files contain.

Figure 6. FortiEDR post-exploitation detection of Hive ransomware attempting to encrypt files on an endpoint following execution.
Threat Hunting

To search for the ransom note:

Type: ("File Create") AND Target.File.Name: ("HOW_TO_DECRYPT.txt")

To search for encrypted files with the extension name 'hive':

Type: ("File Create") AND Target.File.Ext:("hive")

To search for execution of the hive.bat batch file, which is used to try to delete the original Hive ransomware executable:

Type: ("Process Creation") AND Target.Process.File.Name: ("cmd.exe") AND Target.Process.CommandLine: ("\/c hive.bat \>NUL 2\>NUL")

To search for the creation of the hive.bat file:

Type: ("File Create") AND Target.File.Name: ("hive.bat")

To search for execution of the shadow.bat batch file, which is used to try to delete the volume’s shadow copies:

Type: ("Process Creation") AND Target.Process.File.Name: ("cmd.exe") AND Target.Process.CommandLine: ("\/c shadow.bat \>NUL 2\>NUL")

To search for the creation of the shadow.bat file:

Type: ("File Create") AND Target.File.Name: ("shadow.bat")
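The six hunts above, plus the vssadmin shadow-copy deletion listed in the MITRE ATT&CK table below, expressed as predicates over FortiEDR-style event records and run against constructed sample events. This is an added example, not FortiEDR code or a FortiEDR API: the event records are flat dictionaries keyed by the field names the queries above use (the "Device" field used for scoping is an assumption), the sample events are constructed rather than captured telemetry, and the backslashes in the article's queries are treated as query-syntax escaping, so the predicates match the unescaped command line. It goes beyond the article's queries by adding a T1490 check for the vssadmin command from the table and by summarising which sample hosts each hunt fired on, the scoping step Figure 4 shows.

```python
"""Added example (not FortiEDR code): run the article's Hive threat hunts
over FortiEDR-style event records and scope the hits per host.

Assumptions: events are flat dicts keyed by the field names the article's
queries use; the "Device" key used for scoping is an assumption.
"""
import re
from collections import defaultdict

# Constructed sample events for illustration, not captured telemetry.
SAMPLE_EVENTS = [
    {"Device": "WS01", "Type": "File Create",
     "Target.File.Name": "HOW_TO_DECRYPT.txt", "Target.File.Ext": "txt"},
    {"Device": "WS01", "Type": "File Create",
     "Target.File.Name": "report.docx.hive", "Target.File.Ext": "hive"},
    {"Device": "WS01", "Type": "File Create",
     "Target.File.Name": "hive.bat", "Target.File.Ext": "bat"},
    {"Device": "WS01", "Type": "Process Creation",
     "Target.Process.File.Name": "cmd.exe",
     "Target.Process.CommandLine": "cmd.exe /c hive.bat >NUL 2>NUL"},
    {"Device": "WS02", "Type": "File Create",
     "Target.File.Name": "shadow.bat", "Target.File.Ext": "bat"},
    {"Device": "WS02", "Type": "Process Creation",
     "Target.Process.File.Name": "cmd.exe",
     "Target.Process.CommandLine": "cmd.exe /c shadow.bat >NUL 2>NUL"},
    {"Device": "WS02", "Type": "Process Creation",
     "Target.Process.File.Name": "vssadmin.exe",
     "Target.Process.CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    # Benign activity on a third host: none of the hunts should fire.
    {"Device": "WS03", "Type": "File Create",
     "Target.File.Name": "notes.txt", "Target.File.Ext": "txt"},
    {"Device": "WS03", "Type": "Process Creation",
     "Target.Process.File.Name": "cmd.exe",
     "Target.Process.CommandLine": "cmd.exe /c dir"},
]


def _eq(ev, field, value):
    """Case-insensitive exact match on one field (a missing field never matches)."""
    return ev.get(field, "").lower() == value.lower()


def _has(ev, field, needle):
    """Case-insensitive substring match on one field."""
    return needle.lower() in ev.get(field, "").lower()


def _cmd_bat(ev, bat):
    """cmd.exe launching the named batch file with the article's redirections."""
    return (_eq(ev, "Type", "Process Creation")
            and _eq(ev, "Target.Process.File.Name", "cmd.exe")
            and _has(ev, "Target.Process.CommandLine", f"/c {bat} >NUL 2>NUL"))


# vssadmin "delete shadows" with any switches (ATT&CK T1490, from the table).
_VSSADMIN_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)

# One predicate per hunt. The first six mirror the article's queries;
# the last is added from the ATT&CK table's T1490 observation.
HUNTS = {
    "ransom_note": lambda ev: (_eq(ev, "Type", "File Create")
                               and _eq(ev, "Target.File.Name", "HOW_TO_DECRYPT.txt")),
    "encrypted_file": lambda ev: (_eq(ev, "Type", "File Create")
                                  and _eq(ev, "Target.File.Ext", "hive")),
    "hive_bat_exec": lambda ev: _cmd_bat(ev, "hive.bat"),
    "hive_bat_create": lambda ev: (_eq(ev, "Type", "File Create")
                                   and _eq(ev, "Target.File.Name", "hive.bat")),
    "shadow_bat_exec": lambda ev: _cmd_bat(ev, "shadow.bat"),
    "shadow_bat_create": lambda ev: (_eq(ev, "Type", "File Create")
                                     and _eq(ev, "Target.File.Name", "shadow.bat")),
    "vssadmin_delete_shadows": lambda ev: (
        _eq(ev, "Type", "Process Creation")
        and bool(_VSSADMIN_DELETE.search(ev.get("Target.Process.CommandLine", "")))),
}


def run_hunts(events):
    """Return {hunt_name: [matching events]} for every hunt in HUNTS."""
    hits = {name: [] for name in HUNTS}
    for ev in events:
        for name, pred in HUNTS.items():
            if pred(ev):
                hits[name].append(ev)
    return hits


def scope_by_device(events):
    """Map each host with at least one hit to the set of hunts that fired there."""
    scope = defaultdict(set)
    for name, matches in run_hunts(events).items():
        for ev in matches:
            scope[ev.get("Device", "unknown")].add(name)
    return dict(scope)


if __name__ == "__main__":
    for host, hunts in sorted(scope_by_device(SAMPLE_EVENTS).items()):
        print(f"{host}: {', '.join(sorted(hunts))}")
```

Running the block lists WS01 and WS02 with the hunts that fired on each and omits WS03, whose events are benign. The vssadmin predicate is deliberately looser than the exact command in the table so that variations in switch order still match; the batch-file predicates keep the article's exact command-line substring so they stay as specific as the queries they mirror.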

MITRE ATT&CK

TA0002 - Execution
Technique ID: T1059.003
Technique Description: Command and Scripting Interpreter: Windows Command Shell
Observed Activity: Hive ransomware uses cmd.exe to execute its batch files such as “shadow.bat” and “hive.bat”.

TA0005 - Defense Evasion
Technique ID: T1070.004
Technique Description: Indicator Removal on Host: File Deletion
Observed Activity: Hive ransomware tries to delete itself to avoid detection. It also deletes the batch files such as “shadow.bat” and “hive.bat”.

TA0040 - Impact
Technique ID: T1490
Technique Description: Inhibit System Recovery
Observed Activity: Hive ransomware tries to delete the shadow copies by executing the command “vssadmin.exe delete shadows /all /quiet”.

TA0040 - Impact
Technique ID: T1486
Technique Description: Data Encrypted for Impact
Observed Activity: Similar to common ransomware, Hive encrypts files in every accessible folder.

IOC

77a398c870ad4904d06d455c9249e7864ac92dda877e288e5718b3c8d9fc6618 (ransomware)

The FortiGuard Managed Detection and Response (MDR) Service is designed for customers of the FortiEDR advanced endpoint security platform. This team of threat experts continues to monitor and update this article as new information is discovered.