Pierluigi Paganini
August 27, 2021
The Federal Bureau of Investigation (FBI) has released a flash alert on the Hive ransomware attacks that includes technical details and indicators of compromise associated with the operations of the gang.
Recently the group hit the Memorial Health System that was forced to suspend some of its operations.
Hive ransomware has been active since June 2021, it implements a Ransomware-as-a-Service model and employs a wide variety of tactics, techniques, and procedures (TTPs). Government experts state that the group uses multiple mechanisms to compromise networks of the victims, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol (RDP) to move laterally once on the network.
In order to facilitate file encryption, the ransomware look for processes associated with backups, anti-virus/anti-spyware, and file copying and terminates them. The Hive ransomware adds the .hive extension to the filename of encrypted files. The ransomware then drops a hive.bat script into the directory, which enforces an execution timeout delay of one second before performing cleanup one the encryption process is completed. The malware deletes the Hive executable and the hive.bat script. A second file, shadow.bat, is dropped into the directory and it used by ransomware operators to delete shadow copies and deletes the shadow.bat file itself once the operation is completed.
“During the encryption process, encrypted files are renamed with the double final extension of *.key.hive or *.key.*. The ransom note, “HOW_TO_DECRYPT.txt” is dropped into each affected directory and states the key. file cannot be modified, renamed, or deleted, otherwise the encrypted files cannot be recovered.” reads the FBI’s alert. “The note contains a “sales department” link, accessible through a TOR browser, enabling victims to contact the actors through a live chat. Some victims reported receiving phone calls from Hive actors requesting payment for their files.”
The deadline for payment is between 2 to 6 days, but in some cases threat actors prolonged it due to an ongoing negotiation with the victim.
The flash alert provides indicators of compromise (IoCs), including the onion address of the leak site (http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion) used by the gang.
The group also relies on multiple file-sharing services, including Anonfiles, MEGA, Send.Exploit, Ufile, or SendSpace.
A few days ago, the Federal Bureau of Investigation (FBI) has published another flash alert about a threat actor known as OnePercent Group that has been actively targeting US organizations in ransomware attacks since at least November 2020.
Follow me on Twitter: @securityaffairs and Facebook
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, FBI)
[adrotate banner=”5″]
[adrotate banner=”13″]
