
Hive Ransomware: How to Limit Its Sting with Illumio Zero Trust Segmentation

The Hive ransomware group has been active since mid-2021, gaining notoriety through the attack on the Memorial Health System. As Hive's most prominent incident to date, the attack shut down Memorial's entire online platform, forcing the organization to redirect emergency care patients to facilities outside its network. This year alone, it is the third ransomware attack that has directly affected civilians — following those on Colonial Pipeline and JBS Foods.

What differentiates Hive from less sophisticated ransomware attackers, who commonly adopt a "spray and pray" approach (i.e., lock out as many systems as possible in the shortest time, with little interest in compromising data)?

What is Hive ransomware?

The Hive ransomware group utilizes a "double extortion" play whereby they exfiltrate a target’s critical data before locking it up, using both as levers to drive up the cost of the ransom — a tactic that’s gaining traction amongst attackers.

Given that the attacker is focused both on disruption to operations and access to valuable data, there is a level of interaction and persistence required that goes beyond the more common disruption-focused ransomware attacks. This is likely because of the additional time and effort needed to discern what data is valuable enough to warrant exfiltration.

How Hive ransomware works

Hive uses a variety of tactics and techniques to execute an attack:

1. The attack begins with phishing against users who have access to the victim environment, or with targeted emails that lead the user to unwittingly download the malicious payload.

2. The payload is often a Cobalt Strike beacon (a tool that, interestingly, started off as a pen-testing tool for simulating attacks). The beacon facilitates persistence, the call-back channel, lateral movement and delivery of the secondary payload.

3. Next comes credential dumping on the local host and mapping of the Active Directory environment.

4. Lateral movement and wider spread of the malware is facilitated by the use of Microsoft’s Remote Desktop Protocol (RDP). However, the Hive group has also been known to exploit vulnerabilities as a means of progressing their attack. A case in point is the exploitation of a ConnectWise Automate endpoint management vulnerability where that tool was present in the victim network – a further indication of the supply chain risk posed by software providers.

5. Download of the secondary payload is facilitated by instructions sent to the Cobalt Strike beacon after the outbound call-back channel is established. This payload executes the malicious actions that ultimately facilitate the ransom demand.

6. The payload performs the following actions:

  • Stopping services that could hinder progress or generate alerts
  • Enumeration of all attached storage for files that could be relevant
  • Exfiltration of specific files
  • Local encryption of the same files
  • Creation of ransom note
     

How Illumio Zero Trust Segmentation can help

After initial entry into the organization, malware and ransomware commonly use lateral movement to spread within an environment, exploiting access to suitable user credentials.

Hive leverages Remote Desktop Protocol (RDP) to move laterally. RDP is often left accessible to facilitate both remote access and remote administration — and is a popular initial ransomware attack vector as a result.

Given this, there are a few steps organizations can take to improve their defenses against Hive ransomware using Illumio Core:

  • Monitor: Deploy Illumio agents to all endpoints and monitor traffic flows. This will provide visibility into all flows to and from endpoints and can be used by the Security Operations Center (SOC) to identify RDP connections outside normal behavior patterns and outgoing connections to known bad actors (e.g., the Hive Command & Control infrastructure).
  • Limit exposure: The more open the access between workloads, the faster ransomware can spread. Knowing that ubiquitous RDP is not required, leverage Enforcement Boundaries to block RDP by default between endpoints. Exception rules can be written to ensure access from administrative hosts and remote access gateways is still permitted. This should limit how quickly the ransomware can spread.
  • Organizations can further enhance this control by leveraging Illumio Core’s Adaptive User Segmentation capability, which ensures that only users belonging to an authorized Active Directory group can RDP from the dedicated jump hosts.
  • To limit the effectiveness of the C2 call-back channel, implement a similar boundary to deny access to any public IP or FQDN associated with Hive, and keep that list updated on a regular basis.
  • Contain: When the SOC identifies a workload that may be infected, a response playbook can be executed to apply a quarantine policy to that workload, ensuring the only access to it is from authorized investigative machines and forensic tools.
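The monitoring step above boils down to two checks over endpoint flow data: RDP into an endpoint that did not originate from an approved jump host, and outbound connections to a known C2 destination. The following is an added example, not Illumio's code; it assumes a constructed endpoint subnet, a constructed set of jump hosts and placeholder (TEST-NET) C2 addresses in place of real indicators.

```python
# Added example (not Illumio's code): triage flow records for non-jump-host RDP
# and for outbound connections to listed C2 destinations.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

RDP_PORT = 3389

# Assumptions for the example: endpoint subnet, approved jump hosts and a C2 list.
ENDPOINT_NET = ip_network("10.20.0.0/16")          # constructed
JUMP_HOSTS = {"10.1.1.10", "10.1.1.11"}             # constructed admin/jump hosts
HIVE_C2 = {"203.0.113.45", "198.51.100.7"}          # placeholders (TEST-NET), not real IoCs

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

def is_rogue_rdp(f: Flow) -> bool:
    """RDP into an endpoint from anything other than an approved jump host."""
    if f.proto != "tcp" or f.dport != RDP_PORT:
        return False
    if ip_address(f.dst) not in ENDPOINT_NET:
        return False
    return f.src not in JUMP_HOSTS

def is_c2_callback(f: Flow) -> bool:
    """Outbound connection from an endpoint to a listed C2 destination."""
    return ip_address(f.src) in ENDPOINT_NET and f.dst in HIVE_C2

def triage(flows):
    """Return (rogue_rdp, c2) lists so the SOC can act on each separately."""
    rogue = [f for f in flows if is_rogue_rdp(f)]
    c2 = [f for f in flows if is_c2_callback(f)]
    return rogue, c2

SAMPLE_FLOWS = [  # constructed sample, not captured traffic
    Flow("10.1.1.10", "10.20.5.23", 3389),     # admin from jump host: allowed
    Flow("10.20.5.23", "10.20.5.24", 3389),    # endpoint-to-endpoint RDP: suspicious
    Flow("10.20.5.24", "10.20.5.25", 3389),    # spread continues
    Flow("10.20.5.23", "203.0.113.45", 443),   # beacon call-back to listed C2
    Flow("10.20.5.23", "192.0.2.80", 443),     # ordinary outbound, not flagged
]

if __name__ == "__main__":
    rogue, c2 = triage(SAMPLE_FLOWS)
    for f in rogue: print("rogue RDP:", f.src, "->", f.dst)
    for f in c2: print("C2 call-back:", f.src, "->", f.dst)
```

In practice the jump-host set mirrors the exception rules written into the enforcement boundary, so a hit in the first list is also a policy gap worth closing.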

Protecting your organization against ransomware is difficult. But Illumio Core makes it easy to stop ransomware in its tracks, significantly mitigating the impact of a breach.
