27 August 2021

FBI shares technical details on Hive ransomware
The Federal Bureau of Investigation (FBI) has released a flash alert containing some technical details and Indicators of Compromise (IoCs) associated with the Hive ransomware.

First spotted in June 2021, the Hive ransomware relies on a variety of tactics, techniques, and procedures (TTPs) to breach enterprise networks, including phishing emails with malicious attachments to gain initial access and Remote Desktop Protocol (RDP) to move laterally once inside the network.

Once inside the victim’s network, the group exfiltrates data and encrypts files, leaving a ransom note in each affected directory with instructions on how to purchase the decryptor and restore the files. The ransom note also contains a link to the gang’s Tor site, where victims can contact the ransomware operators.

“The initial deadline for payment fluctuates between 2 to 6 days, but actors have prolonged the deadline in response to contact by the victim company. The ransom note also informs victims that a public disclosure or leak site, accessible on a TOR browser, contains data exfiltrated from victim companies who do not pay the ransom demand,” the FBI said.

To facilitate file encryption, the Hive ransomware terminates processes related to backups, anti-virus/anti-spyware, and file copying. It appends a .hive extension to the encrypted files and then drops a hive.bat script into the directory. A second file, shadow.bat, is then dropped into the directory to delete shadow copies, including disk backup copies or snapshots.

“During the encryption process, encrypted files are renamed with the double final extension of *.key.hive or *.key.*. The ransom note, ‘HOW_TO_DECRYPT.txt’, is dropped into each affected directory and states the *key.* file cannot be modified, renamed, or deleted, otherwise the encrypted files cannot be recovered,” the alert reads.
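The two paragraphs above give a defender a small set of file-system artifacts to look for: the .hive extension, the *.key.hive / *.key.* files, the hive.bat and shadow.bat scripts, and the HOW_TO_DECRYPT.txt note in every affected directory. The following triage helper is an added example, not code from the FBI alert or from this article; it groups a file listing by those indicators and counts the directories that received a ransom note, which is a quick way to size the blast radius on a host before deeper forensics. The file listing at the bottom is constructed for the demonstration, and the matching rules cover only the names the alert describes.

```python
"""Triage helper for the file-system artifacts the FBI flash alert attributes
to Hive ransomware. Added example; the sample listing below is constructed.
A hit is a reason to isolate the host and start incident response, not proof
on its own."""

import os
import re
from collections import defaultdict

# Name patterns taken from the alert's description of Hive behaviour.
INDICATORS = {
    "ransom_note": re.compile(r"^HOW_TO_DECRYPT\.txt$", re.IGNORECASE),
    "batch_script": re.compile(r"^(hive|shadow)\.bat$", re.IGNORECASE),
    # Double final extension *.key.hive or *.key.* described in the alert.
    "key_file": re.compile(r"\.key\.[^.\\/]+$", re.IGNORECASE),
    "encrypted_file": re.compile(r"\.hive$", re.IGNORECASE),
}

# Checked in this order so that *.key.hive lands in key_file, not encrypted_file.
CHECK_ORDER = ("ransom_note", "batch_script", "key_file", "encrypted_file")


def classify(path):
    """Return the indicator category for one path, or None if it matches nothing."""
    name = os.path.basename(path)
    for category in CHECK_ORDER:
        if INDICATORS[category].search(name):
            return category
    return None


def triage(paths):
    """Group paths by indicator and return (hits, directories_with_ransom_note)."""
    hits = defaultdict(list)
    for p in paths:
        category = classify(p)
        if category:
            hits[category].append(p)
    note_dirs = {os.path.dirname(p) for p in hits["ransom_note"]}
    return dict(hits), note_dirs


def scan_tree(root):
    """Walk a real directory tree (e.g. a mounted image) and triage every file."""
    paths = []
    for dirpath, _, filenames in os.walk(root):
        for f in filenames:
            paths.append(os.path.join(dirpath, f))
    return triage(paths)


# Constructed sample listing, as an export of a file inventory might look.
SAMPLE_LISTING = [
    "C:/Users/alice/Documents/report.docx.hive",
    "C:/Users/alice/Documents/HOW_TO_DECRYPT.txt",
    "C:/Users/alice/Documents/hive.bat",
    "C:/Users/alice/Documents/shadow.bat",
    "C:/Users/alice/Documents/notes.txt",
    "C:/Finance/Q2/budget.xlsx.key.hive",
    "C:/Finance/Q2/HOW_TO_DECRYPT.txt",
    "C:/Finance/Q2/archive.zip",
    "C:/Windows/System32/kernel32.dll",
]


if __name__ == "__main__":
    hits, note_dirs = triage(SAMPLE_LISTING)
    for category in CHECK_ORDER:
        print(f"{category:15s} {len(hits.get(category, []))}")
    print("directories with a ransom note:", len(note_dirs))
```

Run it against a real host with scan_tree on the root of a mounted disk image; the count of directories holding HOW_TO_DECRYPT.txt, rather than the raw number of .hive files, is the figure worth reporting first, because the alert says the note is dropped into every affected directory.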

The law enforcement agency has also provided mitigations to prevent or reduce the risk of Hive ransomware attacks.
