The FBI issued a flash alert for Hive ransomware operations

The Federal Bureau of Investigation (FBI) published a flash alert related to the operations of the Hive ransomware gang.

The Federal Bureau of Investigation (FBI) has released a flash alert on the Hive ransomware attacks that includes technical details and indicators of compromise associated with the operations of the gang.

Recently the group hit the Memorial Health System that was forced to suspend some of its operations.

Hive ransomware has been active since June 2021, it implements a Ransomware-as-a-Service model and employs a wide variety of tactics, techniques, and procedures (TTPs). Government experts state that the group uses multiple mechanisms to compromise networks of the victims, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol (RDP) to move laterally once on the network.

In order to facilitate file encryption, the ransomware look for processes associated with backups, anti-virus/anti-spyware, and file copying and terminates them. The Hive ransomware adds the .hive extension to the filename of encrypted files. The ransomware then drops a hive.bat script into the directory, which enforces an execution timeout delay of one second before performing cleanup one the encryption process is completed. The malware deletes the Hive executable and the hive.bat script. A second file, shadow.bat, is dropped into the directory and it used by ransomware operators to delete shadow copies and deletes the shadow.bat file itself once the operation is completed.

“During the encryption process, encrypted files are renamed with the double final extension of *.key.hive or *.key.*. The ransom note, “HOW_TO_DECRYPT.txt” is dropped into each affected directory and states the key. file cannot be modified, renamed, or deleted, otherwise the encrypted files cannot be recovered.” reads the FBI’s alert. “The note contains a “sales department” link, accessible through a TOR browser, enabling victims to contact the actors through a live chat. Some victims reported receiving phone calls from Hive actors requesting payment for their files.”

The deadline for payment is between 2 to 6 days, but in some cases threat actors prolonged it due to an ongoing negotiation with the victim.

The flash alert provides indicators of compromise (IoCs), including the onion address of the leak site (http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion) used by the gang.

The group also relies on multiple file-sharing services, including Anonfiles, MEGA, Send.Exploit, Ufile, or SendSpace.

A few days ago, the Federal Bureau of Investigation (FBI) has published another flash alert about a threat actor known as OnePercent Group that has been actively targeting US organizations in ransomware attacks since at least November 2020.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, FBI)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.