Microsoft Exchange Server attacked by Hive's 'windows.exe” ransomware
While keeping software updated and only downloading files from trusted sources are standard cybersecurity practices, given the recent rise in malware attacks, it’s clear that more is needed in this regard educate. To that end, the Varonis forensics team has provided some guidance on how attackers using Hive ransomware are targeting Microsoft Exchange Server in their latest series of attacks. For those who don’t know, Hive follows a ransomware-as-a-service model.
While Microsoft patched Exchange Server for known vulnerabilities in 2021 and most organizations have updated, some have not. Hive now targets these vulnerable server instances via a ProxyShell vulnerability to gain SYSTEM privileges. The PowerShell script then starts Cobalt Strike and creates a new sysadmin account named "user".
After this, Mimikatz was used to steal the domain administrator's NTLM hash and gain control of the account. After a successful compromise, Hive performs some discovery where it deploys a network scanner to store IP addresses, scans files that contain "password" in their file names, and attempts to RDP into the backup server to access sensitive assets.
Finally, the custom malware payload is deployed and executed via a "windows.exe" file, which steals and encrypts files, deletes shadow copies, clears event logs, and disables security mechanisms. Ransomware instructions are then displayed asking the group to contact Hive's "sales department" hosted on a .onion address accessible through the Tor network. The following instructions have also been provided to infected organizations:
- Do not modify, rename, or delete *.key. document. Your data will not be able to be decrypted.
- Do not modify or rename encrypted files. You will lose them.
- Do not report to the police, FBI, etc. They don't care about your business. They don't allow you to pay at all. As a result you will lose everything.
- Don’t hire a recovery company. They cannot decrypt without the key. They don't care about your business either. They believe they are good negotiators, but they are not. They usually fail. So speak for yourself.
- Don't refuse (sic) the purchase. Leaked documents will be publicly disclosed.
The last point is certainly interesting because if Hive had not been paid, their information would have been published on the "HiveLeaks" Tor website. A countdown is displayed on the same website to force victims to pay.
The security team noted that in one instance, the attackers managed to encrypt the environment within 72 hours of the initial breach. Therefore, it recommends that organizations immediately patch Exchange servers, regularly rotate complex passwords, block SMBv1, restrict access where possible, and train employees in the area of cybersecurity.
The above is the detailed content of Microsoft Exchange Server attacked by Hive's 'windows.exe” ransomware. For more information, please follow other related articles on the PHP Chinese website!

Hot AI Tools

Undresser.AI Undress
AI-powered app for creating realistic nude photos

AI Clothes Remover
Online AI tool for removing clothes from photos.

Undress AI Tool
Undress images for free

Clothoff.io
AI clothes remover

Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

Hot Tools

MantisBT
Mantis is an easy-to-deploy web-based defect tracking tool designed to aid in product defect tracking. It requires PHP, MySQL and a web server. Check out our demo and hosting services.

Dreamweaver Mac version
Visual web development tools

SublimeText3 Mac version
God-level code editing software (SublimeText3)

PhpStorm Mac version
The latest (2018.2.1) professional PHP integrated development tool

WebStorm Mac version
Useful JavaScript development tools