Summary
Most ransomware groups operating in the RaaS (Ransomware-as-a-Service) model have an internal code of ethics that includes avoiding breaching some specific sectors, such as hospitals or critical infrastructure, thus avoiding great harm to society and consequently drawing less attention from law enforcement. For example, the BlackMatter ransomware states they are not willing to attack hospitals, critical infrastructure, defense industry, non-profit companies, and oil and gas industry targets, having learned from the mistakes of other groups, such as DarkSide, who shut down its operations after the Colonial Pipeline attack.
However, this code of ethics is not always adopted by attackers, as is the case with Hive, a new family of ransomware discovered in June 2021. On August 15, 2021, Hive ransomware was responsible for an attack against the Memorial Health System, a non-profit integrated health system with three hospitals in Ohio and West Virginia (Marietta Memorial Hospital, Selby General Hospital, and Sistersville General Hospital), causing radiology exams and surgical cases to be canceled. According to the FBI, the group uses phishing emails with malicious attachments to gain access into networks, allowing the attackers to move laterally over the network to steal data and infect more machines.
HiveLeaks
In addition to encrypting files, Hive also steals sensitive data from networks, threatening to publish everything in their HiveLeak website, hosted on the deep web, which is a common practice among ransomware working in this double extortion scheme.
There are two websites maintained by the group, the first one is protected by username and password, accessible only by the victims who obtain the credentials in the ransom note.
Once authenticated, the victim can see:
- The name of the infected organization;
- A live chat, where the victim can interact with the attackers;
- A file upload system, where the victim can send files to the attackers;
- A link to Hive’s decryption software, if the ransom is paid by the victims.
The second website, “HiveLeaks,” is where the attackers publish data about their targets and is publicly accessible.
For each target, you can see the name, a small description, the website, the revenue, and the number of employees at the company. Also, you can see two dates, when the files were encrypted and when the attack was made public. Curiously enough, there are also two social media buttons where you can share this information.
If any data is published by the attackers, you will also find a link where the files can be downloaded. Hive uses common file-sharing services for this purpose, such as PrivatLab, AnonFiles, MEGA, UFile, SendSpace, and Exploit.in, as shown in Figure 05.
Memorial Health System Attack
The Hive ransomware infected the Memorial Health System (MHS) on August 15, 2021. The attackers claim to have stolen patient data including names, social security numbers, dates of birth, addresses and phone numbers, and medical histories for 200,000 patients, and an additional 1.2 TB of other data.
MHS tried to appeal to the attackers to provide the decrypter for free but ultimately ended up paying 1.8M, divided equally into two Bitcoin wallets. The attackers moved the Bitcoins to another wallet just a few minutes after the transaction was made by MHS.
Aside from the decryptor, the attackers also promise a security report, a file tree describing all stolen data, and the logs proving that they had erased everything from their servers.
Analysis
The ransomware was written in Go, an open-source programming language that allows cross-compilation, meaning that the same source code can be compiled to different OS, such as Linux, Windows, and macOS.
Although we have only seen Windows versions in the wild at this point, we have strong indications that the group is able to infect other systems such as Linux, as well as the Hypervisor ESXi, as we will demonstrate later in the analysis.
We have analyzed two different samples, being 32 and 64-bit Windows versions of the malware. Both of them are packed with UPX, which is an open-source executable packer.
The first thing we noticed is that both samples we analyzed had a command line interface (CLI), accepting parameters and also showing log messages throughout the malware execution.
The 64-bit sample accepts two parameters:
- kill: Kill processes specified as value (case insensitive regex)
- stop: Stop services specified as value (case insensitive regex)
On the other hand, the 32-bit sample offers three more options:
- kill: Kill processes specified as value (case insensitive regex)
- no-clean: Do not clean disk space (described later in this analysis)
- skip: Files that the attacker doesn’t want to encrypt (case insensitive regex)
- skip-before: Skips files created before the specified date.
stop: Stop services specified as value (case insensitive regex)