The FBI has issued a warning to firms about an increasingly prolific new ransomware variant known as Hive.
The Flash alert posted this week noted that the affiliate-based ransomware uses multiple mechanisms to compromise corporate networks, making it harder for defenders to mitigate.
It noted that these include phishing emails with malicious attachments to gain initial access and the hijacking of Remote Desktop Protocol (RDP) to move laterally.
The malware itself looks for and terminates processes linked to backups, anti-virus and file copying to boost its chances of success. Encrypted files end with a .hive suffix.
“The Hive ransomware then drops a hive.bat script into the directory, which enforces an execution timeout delay of one second in order to perform clean-up after the encryption is finished, by deleting the Hive executable and the hive.bat script,” the alert continued.
“A second file, shadow.bat, is dropped into the directory to delete shadow copies, including disc backup copies or snapshots, without notifying the victim and then deletes the shadow.bat file.”
The ransom note, dropped into every impacted directory, warns that if encrypted files are modified, renamed or deleted, they can’t be recovered. In the spirit of modern ransomware operations, which are highly professionalized, there’s also a live chat link to a ‘sales department,’ accessible through a TOR browser, for further communication.
Some victims told the FBI they had received follow-up phone calls from their attackers urging payment. A second tactic is to exfiltrate and publish stolen files on a public leak site.
It’s believed the group, or affiliates associated with Hive, were responsible for the attack on Memorial Health System earlier this month, which disrupted IT systems at nearly all of its 64 clinics and three hospitals.
According to Palo Alto Networks, Hive had breached 28 organizations listed on its leak site as of this week, including a European airline company. It was first discovered in June.