Ransomware attacks have increased sharply. Hive is a ransomware group that breaks into business file servers and devices and holds them hostage. The group first came to light in June 2021. The damage it causes takes several forms, such as disruption of business operations, data loss, reputational harm, and legal penalties. Currently, Microsoft Exchange Servers are being targeted by an affiliate of the Hive ransomware group. According to recent findings from forensic teams, the attackers usually take less than 72 hours to achieve their malicious goals and encrypt the environment.
What is Hive Ransomware?
Hive is an affiliate-based ransomware operation that targets healthcare facilities, retail businesses, and organizations running Exchange Servers that are vulnerable to the ProxyShell security issues. The group uses a variety of tactics to get into victims' systems, exfiltrate confidential data, and encrypt software and files while locking the owner out.
To decrypt these files and software, the attackers demand a ransom and threaten to publish the victim's data on HiveLeaks (a site on the dark web).
How is the Hive ransomware group attacking Exchange Servers?
ProxyShell vulnerabilities in the Microsoft Exchange Client Access Server (CAS) role are usually exposed to the internet, which makes it easy for the Hive group to find Exchange Servers with ProxyShell vulnerabilities, exploit them, and compromise the organization's network, servers, and devices. ProxyShell is a set of three vulnerabilities, CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473, which the attackers use to execute malicious code.
Different strategies and procedures are employed to compromise Microsoft Exchange. The attackers start by disabling anti-malware protections and then proceed to encrypt business files. They also use other mechanisms to compromise networks, such as phishing emails with malicious attachments, leaked VPN credentials, and more.
Practices to protect Exchange Server from Hive ransomware attacks
Forensic investigators found that the attackers usually compromise servers by targeting ProxyShell vulnerabilities and disabling security features. Users can follow these regular practices to protect Exchange Server from Hive ransomware affiliates:
Update the Server
As there is no single, specific fix for such threats, it's crucial to keep the server current with the latest updates. Installing the regular Security Updates as they are released strengthens the server's security.
Upgrade to the new version
If you're running an older version, e.g., Exchange Server 2010, we highly recommend upgrading to Exchange 2016 or 2019, whichever is convenient for you. Also stay informed about the regular Security Updates and patch known vulnerabilities promptly.
Check Exchange Server Health
To check Exchange Server health, use the Microsoft Exchange Server Health Checker script (HealthChecker.ps1) to identify the issues that need patching.
- Start by downloading HealthChecker.ps1 (supported versions: Exchange Server 2013, 2016, and 2019).
- Open the Exchange Management Shell and use the 'cd' command to change to the folder containing the HealthChecker.ps1 script.
- Run .\HealthChecker.ps1 to execute the script on the server.
- Generate the HTML report with .\HealthChecker.ps1 -BuildHtmlServersReport
- Double-click the HTML file to open it in your web browser.
- Check the Security Vulnerabilities section to find out which Security Update for your Exchange Server version you need to install.
Note: The HTML report is written to the same folder as the HealthChecker.ps1 script.
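The steps above can be run end to end from the Exchange Management Shell. The following is an added example written for this article, not Microsoft's or the HealthChecker project's code; it assumes HealthChecker.ps1 has already been downloaded to the folder given in $ScriptDir (an assumed path) and that the shell is running with Exchange admin rights.

```powershell
# Added example: automates the HealthChecker steps from an elevated
# Exchange Management Shell. HealthChecker.ps1 must already be downloaded.
param(
    [string]$ScriptDir = "C:\Scripts\HealthChecker"   # assumed download location
)

# Step 0: HealthChecker supports Exchange 2013/2016/2019 (major version 15).
# Exchange 2010 reports as 14.x; flag it so the operator upgrades first.
foreach ($s in Get-ExchangeServer) {
    $ver = $s.AdminDisplayVersion
    if ($ver.Major -lt 15) {
        Write-Warning "$($s.Name) runs Exchange version $ver (pre-2013); not supported by HealthChecker - upgrade first."
    }
}

# Steps 1-3: change to the script folder and run HealthChecker against this server.
Set-Location -Path $ScriptDir
if (-not (Test-Path -Path .\HealthChecker.ps1)) {
    throw "HealthChecker.ps1 not found in $ScriptDir - download it first."
}
.\HealthChecker.ps1

# Step 4: build the consolidated HTML report (written next to the script).
.\HealthChecker.ps1 -BuildHtmlServersReport

# Step 5: pick up the newest HTML report in the same folder.
$report = Get-ChildItem -Path $ScriptDir -Filter *.html |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1
if (-not $report) { throw "No HTML report was produced in $ScriptDir." }

# Step 6: rather than only eyeballing the Security Vulnerabilities section,
# pull out every CVE identifier the report mentions so the patch list can be
# tracked in a ticket and re-checked after the Security Update is installed.
$html = Get-Content -Path $report.FullName -Raw
$cves = [regex]::Matches($html, 'CVE-\d{4}-\d{4,7}') |
    ForEach-Object { $_.Value } | Sort-Object -Unique
if ($cves) {
    Write-Host "Report $($report.Name) mentions $($cves.Count) CVE(s):"
    $cves | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "Report $($report.Name) mentions no CVEs."
}

# Finally open the report in the default browser for manual review.
Invoke-Item -Path $report.FullName
```

Run the script again after installing the Security Update; the CVE list should be empty once the server is current.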
It’s important to keep your security game strong to prevent data breaches or cyberattacks. Make sure you have enabled multi-factor authentication, have strong and complex passwords, regularly update important passwords, keep a check on administrative permissions, and remove inactive user accounts.
Ensure additional data security with Exchange backup
We often fail to protect our data from such attacks or threats because we are not prepared. It is difficult to access the Exchange database after ransomware attacks. Therefore, to deal with such a situation, always try to keep an updated backup. To back up Exchange (on-premises, online, and hosted) mailboxes to PST, try using Kernel Exchange Backup & Restore tool. This tool is programmed to back up mailboxes from the Exchange database and restore healthy PST files to Exchange mailboxes. It comes with advanced filters, making it easier to back up the data selectively. Using this tool can be helpful in recovering EDB Public folders too.
Conclusion
Ransomware attacks hold the potential to disturb the foundation of your business, i.e. data, and you certainly don’t want that. To safeguard your organization against Hive Ransomware affiliates and other malicious attacks, you must be prepared with the above-discussed solutions. However, it is always recommended to back up your Exchange data with Kernel Exchange backup & restore tool. Doing this will help you restore your business’s pace and productivity even in the case of emergencies.