HomeWinBuzzer NewsMicrosoft Exchange Servers Face New Threat From Hive Ransomware

Microsoft Exchange Servers Face New Threat From Hive Ransomware

The Hive ransomware-as-a-service is targeting vulnerable Microsoft Exchange Server customers who have not patched their systems.

-

It has been a rough 18 months for servers, including a dismal 2021 where attacks on the service became the biggest cyberthreat of the year. Then the LockFile ransomware became a problem. Now a new is targeting Exchange servers.

According to a report from the Varonis Forensics Team, the Hive ransomware is being used in new attacks against Exchange Server. It you are unfamiliar with Hive, it is a ransomware-as-a-service.

Microsoft has been patching Exchange Servers for over a year to protect against ransomware attacks. That means many organizations are protected, but others did not install the fix. Those remaining vulnerabilities are the target of Hive, which is using ProxyShell flaws to access SYSTEM privileges.

When access is given, Hive runs a PowerShell script that sends a Cobalt Strike. You may remember Cobalt Strike was used to attack SQL Servers earlier this year. The backdoor creates a system administrator called “user” on vulnerable Exchange Servers.

Attack

Next, the Minikatz tool is used to take the NTLM hash of a domain admin to get control of the account. The attack finalizes when a ransomware known as “windows.exe” is placed on the system to steal files, clear event logs, and shutdown security. A note highlights that the victim must contact Hive and follow these instructions:

  • “Do not modify, rename or delete *.key. files. Your data will be undecryptable.
  • Do not modify or rename encrypted files. You will lose them.
  • Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything.
  • Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself.
  • Do not reject to (sic) purchase. Exfiltrated files will be publicly disclosed.”

Tip of the day: Whether it's for a presentation, song, or YouTube video, at some point in your life you'll need to record audio from your computer. has multiple options to record sound due to its litany of apps. In our tutorial, we show you how to record audio using the built-in Windows 10 Voice Recorder and the freeware audio editor Audacity.

SourceVaronis
Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.

Recent News