Threat Signal Report
Ransomware Roundup - 2022/06/02
FortiGuard Labs is aware of a number of new ransomware strains for the week of May 30th, 2022. It is imperative to raise awareness about new ransomware strains as infections can cause severe damage to organizations. This week's Ransomware Roundup Threat Signal covers Hive ransomware, Bright Black Ransomware and Karakurt Data Extortion Group, and Fortinet protections against them.
What is Hive Ransomware?
Hive ransomware is a Ransomware-as-a-Service (RaaS) that was first observed in June 2021. This ransomware is highlighted in this Threat Signal as Costa Rica's public health system was reportedly compromised by the ransomware.
As a RaaS, the Hive ransomware group consists of two types of groups: ransomware operator (developer) and affiliates. The former develops Hive ransomware, provides support for its affiliates, operates ransom payment site as well as a date leak site called "HiveLeaks" on Tor. The latter carries out actual attacks that infect victims, exfiltrate data from victims, and deploy Hive ransomware onto the compromised machine. An apparent underground forum post that recruited Hive ransomware conspirators promised 80% cut for the affiliates.
Hive ransomware is the main arsenal that is deployed to the compromised machine to encrypt files. Before the file encryption takes place, data is stolen from the victim and shadow copies are deleted, which makes file recovery awfully difficult. Typical files encrypted by Hive ransomware have a .hive extension. Other reported file extensions include .aumcc, .sncip, .accuj and .qxycv. According to a report published by Group-IB, "the data encryption is often carried out during non-working hours or at the weekend" in an attempt to encrypt as many files as possible without being noticed.
Typical ransom note left behind by Hive ransomware below:
Your network has been breached and all data is encrypted.
To decrypt all the data you will need to purchase our decryption software.
Please contact our sales department at:
Follow the guidelines below to avoid losing your data:
- Do not shutdown or reboot your computers, unmount external storages.
- Do not try to decrypt data using third party software. It may cause irreversible damage.
- Don't fool yourself. Encryption has perfect secrecy and it's impossible to decrypt without knowing the key.
- Do not modify, rename or delete *.key.hive files. Your data will be undecryptable.
- Do not modify or rename encrypted files. You will lose them.
- Do not report to authorities. The negotiation process will be terminated immediately and the key will be erased.
- Do not reject to purchase. Your sensitive data will be publicly disclosed at xxxx://[removed]onion/
The group employs a double extortion technique which victims are asked to make a ransom payment in order to recover encrypted files as well as to prevent the stolen data from being published to "HiveLeaks". Some victims reportedly received phone calls from Hive threat actors. The victim will receive a decryption tool upon the completion of payment, however, there was a chatter that suggests the decryption tool did not work as advertised in some cases and made virtual machines unbootable due to the tool corrupting the MBR (Master Boot Record).
Initial attack vectors include phishing emails with malicious attachment, attacking vulnerable RDP servers, and the use of compromised VPN credentials. Purchasing network access from initial access brokers is a possibility as well.
Hive ransomware reportedly victimized companies across wide range of industries such as (but not restricted to) real estate, IT and manufacturing. Some RaaS have a policy to exclude governmental educational and military organizations, health care, and critical infrastructures such as gas pipelines and power plants. Hive ransomware does not appear to have such policy as its victims include health care and government organizations.
In August, 2021, the Federal Bureau of Investigation (FBI) released a flash alert on Hive ransomware.
See the Appendix for a link to "Indicators of Compromise Associated with Hive Ransomware" for the advisory.
What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage against Hive ransomware:
FortiEDR provides protection from new ransomware variants such as Hive straight out of the box.
What is Bright Black Ransomware?
Black Bright ransomware is a new ransomware that displays a ransom note in ransnote.html. The ransom note claims files on the compromised machine were encrypted using AES-256 encryption and asks the victim to contact the malware author via Discord in order to recover the affected files. However, analysis performed by FortiGuard Labs revealed that Bright Black ransomware does NOT encrypt any files. In an attempt to fool the victim to pay the ransomware, it prepends "x" to the file extension of the targeted files.
For example, the ransomware changes the .png file extension to .xpng. It also drops a decryptor tool. When the tool is ran, the decryptor asks for the code and reiterates the victim needs to DM the author to get the code. That is another attempt to make the victim believe that the files were encrypted.
Bright Black ransomware's ransom note
Dropped Bright Black decryptor
What is the Status of Coverage against Bright Black ransomware?
FortiGuard Labs provides the following AV coverage:
What is the Karakurt Data Extortion Group?
The Karakurt data extortion group is a threat actor who threatens the victim to pay ransom in Bitcoin for not releasing the data it stole from a compromised machine to the public. The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), and the Financial Crimes Enforcement Network (FinCEN) released a joint advisory on the Karakurt threat actor on June 1st, 2022.
Please see the Appendix for a link to "Alert (AA22-152A): Karakurt Data Extortion Group" for the advisory.
According to the advisory, there is no report that the threat actor encrypted any files as part of the attack. Known ransom demands range from $25,000 to $13,000,000, and typically the threat actor demands the ransom be paid within a week of first contact with the victim. The criminal group employs an aggressive tactic to get the victim to pay the ransom; the group reportedly contacted not only victim's employees but also business partners, and clients via emails and phone calls. The advisory also indicates that, upon ransom was paid, the threat actor provided a brief statement on how the victim was compromised.
What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage on the available samples on the IOC list:
Anything Else to Note?
Victims of ransomware are cautioned against paying ransoms by such organizations as CISA, NCSC, the FBI, and HHS. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities which could potentially be illegal according to a U.S. Department of Treasury's Office of Foreign Assets Control (OFAC) advisory.
Inside the Hive (GROUP-IB)
Traffic Light Protocol
|Color||When Should it Be used?||How may it be shared?|
TLP: REDNot for disclosure, restricted to participants only.
|Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused.||Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.|
TLP: AMBERLimited disclosure, restricted to participants’ organizations.
|Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved.||Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.|
TLP: GREENLimited disclosure, restricted to the community.
|Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.||Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.|
TLP: WHITEDisclosure is not limited.
|Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.||Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.|