The Federal Bureau of Investigation (FBI) has issued a flash alert on Hive ransomware attacks, providing technical details and indicators of compromise related to the gang's activities.
The gang recently hit Memorial Health System, which was forced to shut down some of its operations.
Hive ransomware has been operational since June 2021 and runs as Ransomware-as-a-Service (RaaS), using a wide range of tactics, techniques, and procedures (TTPs). According to government specialists, the group uses a variety of methods to infiltrate victims' networks, including phishing emails with malicious attachments to gain initial access and Remote Desktop Protocol (RDP) to move laterally once inside.
The ransomware searches for and terminates processes linked to backups, file copying, and anti-virus/anti-spyware in order to enable file encryption. Hive appends the .hive suffix to the names of encrypted files. It then drops a hive.bat script into the directory, which sets a one-second execution timeout before performing cleanup once the encryption process is finished: the script deletes both the Hive executable and hive.bat itself. A second file, shadow.bat, is dropped into the directory and is used by the ransomware operators to remove shadow copies, after which shadow.bat deletes itself as well.
“During the encryption process, encrypted files are renamed with the double final extension of *.key.hive or *.key.*. The ransom note, “HOW_TO_DECRYPT.txt”, is dropped into each affected directory and states the *.key file cannot be modified, renamed, or deleted, otherwise the encrypted files cannot be recovered,” the FBI's alert reads. “The note contains a “sales department” link, accessible through a TOR browser, enabling victims to contact the actors through a live chat. Some victims reported receiving phone calls from Hive actors requesting payment for their files.”
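As an added example (not code from the FBI alert or this article), the following defender-side triage script looks for the file-name indicators described above across file-system events. The host names, paths and event format are constructed assumptions; the indicator names come from the alert text.

```python
import re
from collections import defaultdict

# Constructed sample of file-system events as (host, action, path); not real telemetry.
SAMPLE_EVENTS = [
    ("ws01", "create", r"C:\Finance\hive.bat"),
    ("ws01", "rename", r"C:\Finance\Q3.xlsx.key.hive"),
    ("ws01", "rename", r"C:\Finance\budget.docx.hive"),
    ("ws01", "create", r"C:\Finance\HOW_TO_DECRYPT.txt"),
    ("ws01", "create", r"C:\Finance\shadow.bat"),
    ("ws02", "create", r"C:\Users\bob\notes.txt"),
    ("ws02", "create", r"C:\Users\bob\archive.hive"),
]

# Indicators named in the FBI alert: helper scripts, ransom note, encrypted-file suffixes.
HELPER_SCRIPTS = {"hive.bat", "shadow.bat"}
RANSOM_NOTE = "how_to_decrypt.txt"
ENCRYPTED_RE = re.compile(r"\.hive$|\.key\.[a-z0-9]+$", re.IGNORECASE)


def basename(path):
    """Return the final path component, accepting Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def analyse(events, min_encrypted=2):
    """Group events per host and return only hosts showing Hive indicators."""
    per_host = defaultdict(lambda: {"scripts": set(), "note": False, "encrypted": 0})
    for host, _action, path in events:
        name = basename(path).lower()
        h = per_host[host]
        if name in HELPER_SCRIPTS:
            h["scripts"].add(name)
        elif name == RANSOM_NOTE:
            h["note"] = True
        elif ENCRYPTED_RE.search(name):
            h["encrypted"] += 1
    # Helper scripts or the note alone are high-confidence; renamed files need a
    # small burst so a single oddly named file does not raise an alert by itself.
    return {
        host: h
        for host, h in per_host.items()
        if h["scripts"] or h["note"] or h["encrypted"] >= min_encrypted
    }


if __name__ == "__main__":
    for host, findings in analyse(SAMPLE_EVENTS).items():
        print(host, findings)
```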
The payment deadline is usually 2 to 6 days, but the threat actors have been known to extend it in some cases while negotiations with the victim continue.
The flash alert contains indicators of compromise (IoCs), such as the onion address of the gang's leak site (http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion).
MEGA, Anonfiles, Send.Exploit, SendSpace and Ufile are among the file-sharing services the group uses.
A few days ago, the FBI issued a separate flash alert on a threat actor known as OnePercent Group, which has been attacking US companies since before November 2020.