The Federal Bureau of Investigation (FBI) has released a flash alert containing some technical details and Indicators of Compromise (IoCs) associated with the Hive ransomware.
First spotted in June 2021, the Hive ransomware relies on a variety of tactics, techniques, and procedures (TTPs) in order to breach enterprise networks, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol (RDP) to move laterally once on the network.
Once inside the victim’s network, the group exfiltrates data and then encrypts files across the network, leaving a ransom note in each affected directory with instructions on how to purchase the decryptor and restore the files. The ransom note also contains a link to the gang’s Tor site, where victims can contact the ransomware operators.
“The initial deadline for payment fluctuates between 2 to 6 days, but actors have prolonged the deadline in response to contact by the victim company. The ransom note also informs victims that a public disclosure or leak site, accessible on a TOR browser, contains data exfiltrated from victim companies who do not pay the ransom demand,” the FBI said.
To facilitate file encryption, the Hive ransomware terminates processes related to backups, anti-virus/anti-spyware, and file copying. It appends a .hive extension to the encrypted files and drops a hive.bat script into the directory. A second file, shadow.bat, is then dropped into the directory to delete shadow copies, including disk backup copies or snapshots, so local restore points cannot be relied on for recovery; offline or otherwise isolated backups are what remains.
“During the encryption process, encrypted files are renamed with the double final extension of *.key.hive or *.key.*. The ransom note, “HOW_TO_DECRYPT.txt” is dropped into each affected directory and states the *key.* file cannot be modified, renamed, or deleted, otherwise the encrypted files cannot be recovered,” the alert reads.
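As an added example (not code from the FBI alert or from the article), the following Python triage script checks a file listing and a process log for the artifacts the alert names: the .hive and .key.hive extensions, the HOW_TO_DECRYPT.txt note dropped in each affected directory, the hive.bat and shadow.bat scripts, and shadow-copy deletion. The sample paths and log lines are constructed for illustration. The alert does not quote the command shadow.bat runs, so the vssadmin/wmic/wbadmin patterns are an assumption about how shadow copies are commonly deleted, not an indicator taken from the alert.

```python
import re

# File-system artifacts named in the alert: encrypted files end in .hive or
# .key.hive, a HOW_TO_DECRYPT.txt note is dropped per directory, and the
# hive.bat / shadow.bat scripts are dropped alongside the encrypted files.
HIVE_FILE_RE = re.compile(r"\.(?:key\.)?hive$", re.IGNORECASE)
RANSOM_NOTE = "how_to_decrypt.txt"
DROPPED_SCRIPTS = {"hive.bat", "shadow.bat"}

# Assumption (not quoted from the alert): the alert says shadow.bat deletes
# shadow copies but does not quote its contents, so match the common Windows
# shadow-copy deletion commands in process command lines instead.
SHADOW_DELETE_RE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows"
    r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(?:\.exe)?\s+delete\s+catalog",
    re.IGNORECASE,
)


def split_path(path):
    """Split a Windows or POSIX path into (directory, file name)."""
    norm = path.replace("\\", "/")
    directory, _, name = norm.rpartition("/")
    return directory, name


def scan_paths(paths):
    """Classify paths by the Hive artifact they match (extension, note, script)."""
    hits = {"encrypted": [], "notes": [], "scripts": []}
    for path in paths:
        _, name = split_path(path)
        lower = name.lower()
        if HIVE_FILE_RE.search(lower):
            hits["encrypted"].append(path)
        elif lower == RANSOM_NOTE:
            hits["notes"].append(path)
        elif lower in DROPPED_SCRIPTS:
            hits["scripts"].append(path)
    return hits


def affected_directories(hits):
    """Directories holding an encrypted file or a ransom note, sorted."""
    dirs = {split_path(p)[0] for p in hits["encrypted"] + hits["notes"]}
    return sorted(dirs)


def scan_process_log(lines):
    """Return process-log lines whose command line deletes shadow copies."""
    return [line for line in lines if SHADOW_DELETE_RE.search(line)]


def triage(paths, log_lines):
    """Combine the file-system and process checks into one summary dict."""
    hits = scan_paths(paths)
    shadow_events = scan_process_log(log_lines)
    return {
        "encrypted_files": len(hits["encrypted"]),
        "ransom_notes": len(hits["notes"]),
        "dropped_scripts": sorted(split_path(p)[1].lower() for p in hits["scripts"]),
        "affected_directories": affected_directories(hits),
        "shadow_copy_deletions": len(shadow_events),
        # Encrypted files plus the note in the same tree is the alert's pattern;
        # shadow-copy deletion on its own is also seen with other families.
        "likely_hive": bool(hits["encrypted"]) and bool(hits["notes"]),
    }


# Constructed sample input: a file listing and a Sysmon-style process log.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.key.hive",
    r"C:\Users\alice\Documents\report.docx.hive",
    r"C:\Users\alice\Documents\HOW_TO_DECRYPT.txt",
    r"C:\Users\alice\Documents\hive.bat",
    r"C:\Users\alice\Documents\shadow.bat",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Users\alice\Pictures\HOW_TO_DECRYPT.txt",
    r"C:\Windows\System32\kernel32.dll",
]

SAMPLE_PROCESS_LOG = [
    r"ProcessCreate Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c C:\Users\alice\Documents\shadow.bat",
    r"ProcessCreate Image=C:\Windows\System32\vssadmin.exe CommandLine=vssadmin.exe delete shadows /all /quiet",
    r"ProcessCreate Image=C:\Windows\System32\svchost.exe CommandLine=svchost.exe -k netsvcs",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PATHS, SAMPLE_PROCESS_LOG).items():
        print(f"{key}: {value}")
```

The extension and note checks work on names alone, so they are cheap to run over a file-server listing or EDR file-event export, but an extension match by itself only says a file was renamed; the per-directory note and the shadow-copy deletion in the process log are what tie the activity to the behaviour the alert describes, which is why the summary keys on the combination rather than on any single indicator.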
The law enforcement agency has also provided mitigations to prevent or reduce the risk of Hive ransomware attacks.