During a recent engagement with a customer, the Varonis Forensics Team investigated a ransomware incident. Multiple devices and file servers were compromised and encrypted by a malicious threat group known as Hive.
First observed in June 2021, Hive is an affiliate-based ransomware variant used by cybercriminals to conduct ransomware attacks against healthcare facilities, nonprofits, retailers, energy providers, and other sectors worldwide. Hive is built for distribution in a Ransomware-as-a-service model that enables affiliates to utilize it as desired…
The Forensics team observed that the actor managed to achieve its malicious goals and encrypt the environment in less than 72 hours from the initial compromise.
First, the attacker exploited multiple Exchange security vulnerabilities, referred to as ProxyShell. Next, the attacker placed a malicious backdoor script, referred to as a webshell, in a publicly accessible directory on the Exchange server. These web scripts could then execute malicious PowerShell code on the compromised server with SYSTEM privileges.
[Moderator edit] changed title to add “unpatched”
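As an added illustration (not from the original post or the Varonis report), a defender-side check for the last step described above: on Exchange, web requests are served by the IIS worker process w3wp.exe, so a PowerShell or cmd process spawned by w3wp.exe as SYSTEM is the signal to hunt for. The records below are constructed in Sysmon Event ID 1 style; the field names (Image, ParentImage, User, CommandLine) are assumed to match how the logs are collected.

```python
# Constructed, Sysmon-style process-creation records (not real logs from the incident).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": "powershell -nop -w hidden -enc AAAA"},
    {"Image": r"C:\Windows\System32\conhost.exe",            # benign helper, not a shell
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": "conhost.exe 0xffffffff"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",              # admin at the console, not IIS
     "User": r"CORP\admin",
     "CommandLine": "powershell Get-Date"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": "cmd.exe /c whoami"},
]

# Interpreters a webshell typically hands commands to.
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}
WEB_WORKER = "w3wp.exe"   # IIS worker process that hosts the Exchange web endpoints


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def is_webshell_execution(event):
    """True when the IIS worker spawns a command interpreter as SYSTEM,
    the pattern produced by a webshell dropped on an Exchange server."""
    return (basename(event["ParentImage"]) == WEB_WORKER
            and basename(event["Image"]) in SHELL_IMAGES
            and event["User"].upper().endswith("\\SYSTEM"))


def find_webshell_executions(events):
    """Return the subset of process-creation records matching the pattern."""
    return [e for e in events if is_webshell_execution(e)]


if __name__ == "__main__":
    for hit in find_webshell_executions(SAMPLE_EVENTS):
        print("ALERT w3wp.exe -> shell as SYSTEM:", hit["CommandLine"])
```

In practice the same rule is run over the EDR or Sysmon feed from every Exchange server, and any hit is treated as a confirmed compromise until proven otherwise.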