
The Fight Against Hive Ransomware May Not Be Done as Yet-Unidentified Artifacts Show

The Hive Ransomware Group has had more than 1,500 victims across more than 80 countries worldwide. They attacked hospitals, school districts, financial firms, and critical infrastructure until the U.S. Department of Justice (DOJ) disrupted their operations. Have we seen the fall of the group’s entire infrastructure?

Our indicator of compromise (IoC) expansion analysis found more digital breadcrumbs, including:

  • Six IP address resolutions of the domains identified as IoCs
  • 936 domains that shared the IoCs’ IP hosts, six of which turned out to be malicious
  • 28 domains that contained the string privatlab akin to two of the IoCs, one of which was deemed malicious

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Following the Digital Trail Hive Left Behind

Our expansion analysis began by obtaining a list of Hive ransomware IoCs from AlienVault, which included six domains and 19 IP addresses.

A bulk WHOIS lookup for the six domains showed they were managed by four registrars—REG.RU, LLC; Web4Africa Ltd.; PDR Ltd.; and GoDaddy.com, LLC. Three of them—s7610rir[.]pw, d6shiiwz[.]pw, and r77vh0[.]pw—also had unredacted registrant email addresses.

A bulk IP geolocation lookup for the IP addresses, meanwhile, revealed they were administered by nine Internet service providers (ISPs)—OVH Hosting; UAB Cherry Servers; 1984 ehf; LeaseWeb DE; Akamai Technologies, Inc.; Telecom Argentina S.A.; M247 Europe SRL; Telecom Argentina S.A.; and Leaseweb USA, Inc.—spread across eight countries: Canada, Lithuania, Iceland, the Netherlands, Germany, Argentina, Sweden, and the U.S.

Using the domains identified as IoCs as DNS lookup terms led to the discovery of six IP addresses that aren’t part of the Hive ransomware IoC list. Three of these are 172[.]217[.]20[.]206, 194[.]58[.]112[.]174, and 216[.]58[.]212[.]174. IP geolocation lookups for them showed that half were private hosts (hosting 5–15 domains each) while the remaining half were shared hosts (hosting at least 300 domains each).

After that, we used the IP addresses in the original IoC list and the additional ones we uncovered as reverse IP lookup terms. That gave us 936 additional domains, six of which were malicious. Two of them—11toon17[.]com and 85porn[.]cc—currently host or redirect to live content.

Our initial look at the domains tagged as IoCs also revealed a unique-looking string—privatlab. Scouring the DNS for other domains containing this string led to the discovery of 31 additional domains, one of which was malicious—laskyduniganprivatlab[.]com. And while the remaining domains containing the string privatlab weren’t deemed malicious, the Hive ransomware group could easily commandeer and weaponize them for future attacks.
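To make the pivot chain above concrete, here is an added Python sketch (not WhoisXML API’s code) that runs the same expansion over a constructed in-memory passive-DNS table: refang the defanged IoCs, resolve the domain IoCs to IPs, reverse-resolve every IP, and treat hosts above a shared-hosting threshold separately, since a host with hundreds of tenants (like the shared hosts noted earlier) mostly yields unrelated domains. The substring pivot mirrors the privatlab search. All domains and IPs below are invented documentation values, not indicators from the post.

```python
import re
from collections import defaultdict

IP_RE = re.compile(r"(\d{1,3}\.){3}\d{1,3}")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as privatlab[.]net back into privatlab.net."""
    return indicator.replace("[.]", ".")


def defang(indicator: str) -> str:
    """Defang again for safe reporting, the way the post writes its IoCs."""
    return indicator.replace(".", "[.]")


# Constructed passive-DNS sample (domain, ip) using RFC 5737 documentation ranges.
# 198.51.100.7 is a busy shared host with 400 unrelated tenants.
PDNS = [
    ("evil-one.example", "192.0.2.10"),
    ("evil-two.example", "192.0.2.10"),
    ("privatlab-shop.example", "192.0.2.10"),
    ("evil-two.example", "198.51.100.7"),
] + [(f"tenant{i}.example", "198.51.100.7") for i in range(400)]


def expand(iocs, pdns=PDNS, shared_threshold=300):
    """Pivot: domain IoCs -> their IPs -> every other domain seen on those IPs.
    IPs hosting >= shared_threshold domains are reported as shared hosts
    instead of flooding the result with unrelated tenants."""
    seed = {refang(i) for i in iocs}
    seed_ips = {i for i in seed if IP_RE.fullmatch(i)}
    seed_domains = seed - seed_ips
    fwd, rev = defaultdict(set), defaultdict(set)
    for dom, ip in pdns:
        fwd[dom].add(ip)
        rev[ip].add(dom)
    new_ips = {ip for d in seed_domains for ip in fwd[d]} - seed_ips
    new_domains, shared = set(), set()
    for ip in seed_ips | new_ips:
        if len(rev[ip]) >= shared_threshold:
            shared.add(ip)  # shared host: reverse pivot here is mostly noise
        else:
            new_domains |= rev[ip] - seed_domains
    return {"new_ips": new_ips, "new_domains": new_domains, "shared_hosts": shared}


def string_pivot(needle, pdns=PDNS, exclude=()):
    """Find domains carrying a distinctive substring (the post's privatlab pivot)."""
    known = {refang(i) for i in exclude}
    return {d for d, _ in pdns if needle in d and d not in known}
```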

It’s also interesting to note that some of the string-connected domains shared other similarities with those tagged as IoCs, such as their registrar (PDR Ltd. and REG.RU, LLC), creation year (2015), and registrant country (Iceland and the U.S.).

Screenshot lookups for the privatlab-containing domains showed that 21 are unreachable, three are currently up for sale, and four are live. Among those that are accessible, one looks like a legitimate business website—privatlab[.]cc.

The purpose of the content hosted on the remaining three domains, however, was less clear. All three had the same content, one line that reads “A galaxy is made of stars.”

The Verdict

While the U.S. DOJ managed to decommission the Hive Ransomware Group’s malicious infrastructure, the group seems to have left digital breadcrumbs pointing to 970 yet-undisclosed web properties that could be connected to the Hive ransomware via an IP host or unique string. Our IoC expansion analysis also led to the discovery of seven malware-hosting domains.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
