A recently released report details how an affiliate of the Hive Ransomware-as-a-Service (RaaS) group was able to encrypt an environment in less than 72 hours from initial compromise. Hive is an affiliate-based ransomware variant used by threat actors and has been known to target healthcare facilities, nonprofits, and energy providers worldwide.
The threat actors started by exploiting ProxyShell, a well-known vulnerability in Microsoft Exchange Server that allows an attacker to execute arbitrary code. Once ProxyShell was exploited and a webshell was uploaded to the Exchange server, additional stagers were downloaded and executed from a remote C2 server. These stagers included Cobalt Strike beacons that were executed in memory on the system. This led to a new administrator account being created and credentials being dumped with Mimikatz. The dumped credentials included the NTLM password hash of a Domain Administrator, which was reused in a pass-the-hash attack to take control of that account. From there, backups were deleted, security products were disabled, and Windows event logs were cleared before the final ransomware payload was delivered and executed on numerous systems.
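As an added defender-side example (not code from the report or this page), the following Python correlates constructed Windows Security-log records into the later stages of the chain described above: account creation, addition to an Administrators group, shadow-copy deletion and audit-log clearing. The sample records, the 72-hour window and the three-stage alert threshold are assumptions for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample Security-log records (not telemetry from the report).
SAMPLE_EVENTS = [
    {"time": "2022-01-10T02:14:00", "host": "EXCH01", "id": 4624, "user": "backup_svc"},
    {"time": "2022-01-10T02:15:10", "host": "EXCH01", "id": 4720, "target": "svc_admin2"},
    {"time": "2022-01-10T02:15:12", "host": "EXCH01", "id": 4732,
     "target": "svc_admin2", "group": "Administrators"},
    {"time": "2022-01-11T03:40:00", "host": "DC01", "id": 4688,
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"time": "2022-01-11T03:41:30", "host": "DC01", "id": 1102},
]

def classify(ev):
    """Map one record to a stage of the chain described above, or None."""
    eid = ev["id"]
    if eid == 4720:                       # a user account was created
        return "account_created"
    if eid in (4728, 4732) and ev.get("group", "").lower() == "administrators":
        return "added_to_admins"          # member added to an Administrators group
    if eid == 4688:                       # process creation (needs command-line auditing)
        cmd = ev.get("cmd", "").lower()
        if "vssadmin" in cmd and "delete shadows" in cmd:
            return "backups_deleted"
        if "wevtutil" in cmd and " cl " in cmd:
            return "logs_cleared"
    if eid == 1102:                       # the audit log was cleared
        return "logs_cleared"
    return None

def correlate(events, window=timedelta(hours=72)):
    """Return the distinct stages seen, in time order, within `window` of the
    first staged event, the hosts involved, and whether to alert."""
    stages, hosts, start = [], set(), None
    for ev in sorted(events, key=lambda e: e["time"]):
        stage = classify(ev)
        if stage is None:
            continue
        t = datetime.fromisoformat(ev["time"])
        start = start or t
        if t - start > window:            # outside the correlation window: stop
            break
        hosts.add(ev["host"])
        if stage not in stages:
            stages.append(stage)
    # Alert threshold (assumption): three or more distinct stages on one timeline.
    return {"stages": stages, "hosts": sorted(hosts), "alert": len(stages) >= 3}
```

Running `correlate(SAMPLE_EVENTS)` on the constructed records reports all four stages across EXCH01 and DC01 within the window and raises the alert.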
Through the use of well-known vulnerabilities and tools, the threat actors behind this attack were able to quickly and efficiently compromise the environment at the highest level, allowing for a more damaging and widespread ransomware attack.