FBI Warns Businesses of New Hive Ransomware


The FBI has issued a warning to firms about an increasingly prolific new ransomware variant known as Hive.

The Flash alert posted this week noted that the affiliate-based ransomware uses multiple mechanisms to compromise corporate networks, making it harder for defenders to mitigate.

It noted that these include phishing emails with malicious attachments to gain initial access and the hijacking of Remote Desktop Protocol (RDP) to move laterally.

The malware itself looks for and terminates processes linked to backups, anti-virus and file copying to boost its chances of success. Encrypted files end with a .hive suffix.

“The Hive ransomware then drops a hive.bat script into the directory, which enforces an execution timeout delay of one second in order to perform clean-up after the encryption is finished, by deleting the Hive executable and the hive.bat script,” the alert continued.

“A second file, shadow.bat, is dropped into the directory to delete shadow copies, including disc backup copies or snapshots, without notifying the victim and then deletes the shadow.bat file.”
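The behaviours the alert describes (files gaining a .hive suffix, hive.bat and shadow.bat being dropped, shadow copies deleted, backup and anti-virus processes killed) are all observable from endpoint telemetry. The following detection logic is an added example and not part of the FBI alert or of any vendor product: it walks a constructed stream of endpoint events and flags each indicator. The event schema, the sample events, the shadow-copy deletion command patterns and the list of backup/anti-virus process name hints are assumptions made for this illustration.

```python
"""Hypothetical detector for the Hive behaviours the FBI alert describes.

Indicators taken from the alert text: the .hive suffix on encrypted files,
the dropped hive.bat / shadow.bat scripts, shadow copy deletion, and the
termination of backup, anti-virus and file-copy processes. The event
schema and all sample events below are constructed for this example.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Indicators named in the alert.
HIVE_SUFFIX = ".hive"
DROPPED_SCRIPTS = {"hive.bat", "shadow.bat"}

# Assumed: command-line patterns commonly used to delete volume shadow copies.
# The alert only says shadow.bat deletes shadow copies; the exact command is not given.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy", re.I),
]

# Assumed: name fragments of backup / anti-virus / file-copy processes to watch.
PROTECTED_PROCESS_HINTS = (
    "backup", "veeam", "sqlservr", "defender", "msmpeng", "antivirus", "robocopy",
)

# One actor killing this many protected processes is treated as a finding.
KILL_THRESHOLD = 3

Finding = Tuple[str, str]  # (indicator name, evidence)


def detect(events: Iterable[Dict]) -> List[Finding]:
    """Return a list of (indicator, evidence) findings for the event stream."""
    findings: List[Finding] = []
    kills: Counter = Counter()  # terminating process -> protected processes it killed

    for ev in events:
        kind = ev.get("type")
        if kind == "file_write":
            # Look only at the final path component, case-insensitively.
            name = ev["path"].rsplit("\\", 1)[-1].lower()
            if name.endswith(HIVE_SUFFIX):
                findings.append(("hive_extension", ev["path"]))
            if name in DROPPED_SCRIPTS:
                findings.append(("dropped_script", ev["path"]))
        elif kind == "process_create":
            cmd = ev.get("cmdline", "")
            if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
                findings.append(("shadow_copy_deletion", cmd))
        elif kind == "process_terminate":
            target = ev.get("target", "").lower()
            if any(hint in target for hint in PROTECTED_PROCESS_HINTS):
                kills[ev.get("by", "<unknown>")] += 1

    for actor, count in kills.items():
        if count >= KILL_THRESHOLD:
            findings.append(
                ("protected_process_kills",
                 f"{actor} terminated {count} backup/anti-virus/copy processes")
            )
    return findings


# Constructed sample telemetry mimicking a single infected workstation.
SAMPLE_EVENTS = [
    {"type": "file_write", "path": r"C:\Users\alice\Documents\report.docx.hive"},
    {"type": "file_write", "path": r"C:\Users\alice\Documents\hive.bat"},
    {"type": "file_write", "path": r"C:\Users\alice\Documents\shadow.bat"},
    {"type": "process_create", "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"type": "process_terminate", "target": "VeeamAgent.exe", "by": "encryptor.exe"},
    {"type": "process_terminate", "target": "MsMpEng.exe", "by": "encryptor.exe"},
    {"type": "process_terminate", "target": "sqlservr.exe", "by": "encryptor.exe"},
    # Benign noise that must not trigger anything.
    {"type": "process_create", "cmdline": "notepad.exe notes.txt"},
    {"type": "file_write", "path": r"C:\temp\archive.zip"},
    {"type": "process_terminate", "target": "chrome.exe", "by": "explorer.exe"},
]


def run_sample() -> List[Finding]:
    """Run the detector over the constructed sample events."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for indicator, evidence in run_sample():
        print(f"{indicator:26} {evidence}")
```

The per-event checks catch the file-level indicators immediately, while the process-termination counter aggregates over the stream so that a single benign kill of a backup agent does not fire; tuning KILL_THRESHOLD and PROTECTED_PROCESS_HINTS to the environment is the main work of deploying such a rule.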

The ransom note, dropped into every impacted directory, warns that if encrypted files are modified, renamed or deleted, they can’t be recovered. In the spirit of modern ransomware operations, which are highly professionalized, there’s also a live chat link to a ‘sales department,’ accessible through a Tor browser, for further communication.

Some victims told the FBI they had received follow-up phone calls from their attackers urging payment. A second tactic is to exfiltrate and publish stolen files on a public leak site.

It’s believed the group, or affiliates associated with Hive, were responsible for the attack on Memorial Health System earlier this month, which disrupted IT systems at nearly all of its 64 clinics and three hospitals.

According to Palo Alto Networks, Hive had breached 28 organizations listed on its leak site as of this week, including a European airline company. It was first discovered in June.
