Flash Alert Issued By FBI Concerning Hive Ransomeware Operations

Flash Alert Issued By FBI Concerning Hive Ransomeware Operations

The Federal Bureau of Investigation (FBI) has issued a vulnerability notice on the Hive ransomware assaults, which provides technical data and evidence of breach related to the gang’s activities.

The organization recently targeted Memorial Health System, which was compelled to shut down some of its activities.

Hive ransomware has been operational since June 2021, and it uses a Ransomware-as-a-Service model (RaaS) with a wide range of strategies, approaches, and processes (TTPs). According to government specialists, the organization utilizes a variety of methods to infiltrate victims’ networks, comprising of phishing emails with malicious links to obtain access and Remote Desktop Protocol (RDP) to move about when on the server.

The ransomware searches for and kills programs linked with backups, file copying, and anti-virus/anti-spyware in order to allow file encryption. The Hive ransomware appends the .hive suffix to encrypted files’ names. The ransomware then puts a hive.bat code into the directory, which sets a one-second operation timeout before cleaning up once the encryption procedure is finished. The Hive executable, as well as the hive.bat script, are both deleted by the virus. A second file, shadow.bat, is put into the directory and is utilized by ransomware operators to remove shadow copies while also deleting the shadow.bat file.

During the encryption process, encrypted files are renamed with the double final extension of *.key.hive or *.key.*. The ransom note, “HOW_TO_DECRYPT.txt” is dropped into each affected directory and states the key. file cannot be modified, renamed, or deleted, otherwise the encrypted files cannot be recovered.” the FBI’s alert reads. “The note contains a “sales department” link, accessible through a TOR browser, enabling victims to contact the actors through a live chat. Some victims reported receiving phone calls from Hive actors requesting payment for their files.”

The payment deadline is usually 2 to 6 days, however, threat actors have been known to extend it in rare situations owing to continuing negotiations with the target.

The flash notice contains indications of compromise (IoCs), such as the gang’s leak site’s onion address (http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion).

MEGA, Anonfiles, Send.Exploit, SendSpace, or Ufile are among the file-sharing platforms used by the organization.

The Federal Bureau of Investigation (FBI) issued a new flash notice a few days ago on a malicious attacker known as OnePercent Group, which has been attacking US companies in cybercrimes since before November 2020.


IEMLabs is an ISO 27001:2013 and ISO 9001:2015 certified company, we are also a proud member of EC Council, NASSCOM, Data Security Council of India (DSCI), Indian Chamber of Commerce (ICC), U.S. Chamber of Commerce, and Confederation of Indian Industry (CII). The company was established in 2016 with a vision in mind to provide Cyber Security to the digital world and make them Hack Proof. The question is why are we suddenly talking about Cyber Security and all this stuff? With the development of technology, more and more companies are shifting their business to Digital World which is resulting in the increase in Cyber Crimes.

Leave a comment

Your email address will not be published.

This site is under maintenance,
some features might not work!!!