According to a report from the Varonis Forensics Team, the Hive ransomware is being used in new attacks against Microsoft Exchange Server. It you are unfamiliar with Hive, it is a ransomware-as-a-service. Microsoft has been patching Exchange Servers for over a year to protect against ransomware attacks. That means many organizations are protected, but others did not install the fix. Those remaining vulnerabilities are the target of Hive, which is using ProxyShell flaws to access SYSTEM privileges. When access is given, Hive runs a PowerShell script that sends a Cobalt Strike. You may remember Cobalt Strike was used to attack SQL Servers earlier this year. The backdoor creates a system administrator called “user” on vulnerable Exchange Servers.
Attack
Next, the Minikatz tool is used to take the NTLM hash of a domain admin to get control of the account. The attack finalizes when a ransomware known as “windows.exe” is placed on the system to steal files, clear event logs, and shutdown security. A note highlights that the victim must contact Hive and follow these instructions:
“Do not modify, rename or delete *.key. files. Your data will be undecryptable. Do not modify or rename encrypted files. You will lose them. Do not report to the Police, FBI, etc. They don’t care about your business. They simply won’t allow you to pay. As a result you will lose everything. Do not hire a recovery company. They can’t decrypt without the key. They also don’t care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. Do not reject to (sic) purchase. Exfiltrated files will be publicly disclosed.”
Tip of the day: Whether it’s for a presentation, song, or YouTube video, at some point in your life you’ll need to record audio from your computer. Windows 11 has multiple options to record sound due to its litany of apps. In our tutorial, we show you how to record audio using the built-in Windows 10 Voice Recorder and the freeware audio editor Audacity.
