The ransomware group Hive has already hacked over 30 organizations and companies.
The US Federal Bureau of Investigation (FBI) has released technical details and indicators of compromise related to the attacks by the ransomware group Hive. The agency also provided a link to a data breach site where the group publishes information stolen from companies.
According to the FBI, Hive’s operators use a diverse set of tactics, techniques and procedures that make it difficult to protect organizations from its attacks. Criminals gain initial access to victim networks through phishing emails with malicious attachments and Remote Desktop Protocol (RDP).
Before starting the encryption procedure, Hive ransomware steals files that the attackers believe are valuable, so that the victim can later be pressured to pay a ransom under the threat of a data leak. According to experts, the criminals search the compromised devices for backup, file-copying and security processes (for example, Windows Defender) that could interfere with the encryption task, and terminate them.
This step is followed by the launch of the hive.bat script, which performs a cleanup procedure, eliminating itself after the Hive malware executable has been removed.
Another script called shadow.bat performs the task of removing shadow copies, backup files, and system state snapshots, and then deletes itself from the compromised device.
Some victims of Hive ransomware attacks reported that the attackers contacted them and demanded a ransom in exchange for the stolen files. The initial payment deadline ranges from 2 to 6 days, but in some cases the group may extend it.
Some of the files seen in Hive ransomware attacks include the following: Winlo.exe (used to remove the legitimate version of the 7zG.exe file archiver), 7zG.exe (version 19.0.0 of the 7-Zip file archiver), and Winlo_dump_64_SCY.exe (used to encrypt files, appending the .KEY extension, and to download the ransom note, HOW_TO_DECRYPT.txt).
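The behaviour described above (shadow.bat wiping shadow copies and backups, the named executables, the .KEY extension and the HOW_TO_DECRYPT.txt note) translates directly into host-based detection logic. The following is an added example written for this article, not FBI or vendor code: it scans constructed process-creation and file-event log lines for those indicators. The specific shadow-copy removal commands it matches (vssadmin, wmic, wbadmin) are common Windows commands assumed here; the article itself only says the script removes shadow copies, backups and system state snapshots.

```python
import re
from collections import Counter

# Indicators named in the reporting above (case-insensitive match on file name).
HIVE_FILENAMES = {"winlo.exe", "7zg.exe", "winlo_dump_64_scy.exe", "hive.bat", "shadow.bat"}
RANSOM_NOTE = "how_to_decrypt.txt"
ENCRYPTED_EXT = ".key"

# Assumption: typical commands used to remove shadow copies / backup catalogs.
SHADOW_WIPE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
]

# Constructed sample log: "<time> <event> <user> <path> [<command line>]"
SAMPLE_LOG = """\
2021-08-25T10:01:03 PROC alice C:\\Users\\alice\\Downloads\\invoice.exe
2021-08-25T10:01:09 PROC alice C:\\Windows\\Temp\\Winlo.exe
2021-08-25T10:01:10 PROC alice C:\\Windows\\Temp\\7zG.exe
2021-08-25T10:02:15 PROC alice C:\\Windows\\Temp\\shadow.bat
2021-08-25T10:02:16 PROC alice C:\\Windows\\System32\\vssadmin.exe vssadmin.exe delete shadows /all /quiet
2021-08-25T10:02:17 PROC alice C:\\Windows\\System32\\wbadmin.exe wbadmin delete catalog -quiet
2021-08-25T10:03:00 FILE alice C:\\Shares\\finance\\q2.xlsx.KEY
2021-08-25T10:03:00 FILE alice C:\\Shares\\finance\\q3.xlsx.KEY
2021-08-25T10:03:01 FILE alice C:\\Shares\\finance\\HOW_TO_DECRYPT.txt
"""

def parse_line(line):
    """Split one log line into its fields; the command line (if any) may contain spaces."""
    parts = line.split(None, 4)
    if len(parts) < 4:
        return None
    return {"time": parts[0], "event": parts[1], "user": parts[2],
            "path": parts[3], "cmdline": parts[4] if len(parts) == 5 else ""}

def detect_hive_indicators(log_text, mass_rename_threshold=2):
    """Return (kind, when_or_who, detail) findings for Hive-style activity in log_text."""
    findings, key_files = [], Counter()  # key_files: .KEY files seen per user
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        name = rec["path"].rsplit("\\", 1)[-1].lower()
        if name in HIVE_FILENAMES:
            findings.append(("known_hive_file", rec["time"], name))
        if name == RANSOM_NOTE:
            findings.append(("ransom_note", rec["time"], rec["path"]))
        if name.endswith(ENCRYPTED_EXT):
            key_files[rec["user"]] += 1
        if any(p.search(rec["cmdline"]) for p in SHADOW_WIPE_PATTERNS):
            findings.append(("shadow_copy_removal", rec["time"], rec["cmdline"]))
    # Several .KEY files from one account in the window is the encryption phase starting.
    for user, n in key_files.items():
        if n >= mass_rename_threshold:
            findings.append(("mass_key_extension", user, n))
    return findings
```

Run against SAMPLE_LOG, the function flags three known Hive file names, two shadow-copy removal commands, the ransom note and a mass .KEY rename for user alice; the benign invoice.exe line produces nothing.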
As the FBI noted, attackers also rely on file-sharing services such as Anonfiles, MEGA, Send.Exploit, Ufile, or SendSpace.
The Hive group has already attacked several healthcare providers and organizations, including a European airline and three companies in the United States. Other victims of this ransomware are located in Australia, China, India, the Netherlands, Norway, Peru, Portugal, Switzerland, Thailand and the UK.