The Federal Bureau of Investigation (FBI) is warning businesses about a new ransomware threat that is being used in an increasing number of attacks. Hive ransomware was first identified in June 2021 and is operated under the ransomware-as-a-service (RaaS) model, in which affiliates conduct attacks on behalf of the gang in exchange for a cut of the profits.
Numerous methods of attack have been observed, which makes it difficult for businesses to block attacks. The group has been using phishing emails with malicious attachments containing scripts that download the ransomware payload, as well as brute-force attacks against Remote Desktop Protocol (RDP) logins.
Once access to a network has been gained, the attackers move laterally and search for valuable data to steal. Before encryption, the threat actor searches for processes related to file backups, file copying, and security software and terminates them so that the encryption routine is not interrupted. Encrypted files are given the suffix .hive.
A hive.bat file is dropped onto the infected computer, which runs when the encryption routine is completed and performs a cleanup that deletes the Hive ransomware executable and the .bat file itself. A second batch file, shadow.bat, is then dropped; it searches for and deletes Windows shadow copies, disk backup copies, and snapshots to prevent recovery without paying the ransom. After deleting the backups, shadow.bat deletes itself.
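As an added example (not code from the article or from the FBI alert), the following Python sketch shows how a defender might flag the host-level behaviours described in the two paragraphs above: termination of backup and security processes, shadow-copy deletion from a dropped batch file, the batch file deleting itself and the ransomware executable, and a burst of renames to the .hive suffix. The log events, the process and service names, and the exact shadow-copy deletion commands are constructed assumptions for illustration; the real indicators are those published in the FBI Flash Alert.

```python
"""Added detection example for the Hive behaviours described above.

This is illustrative code written for this article, not code from the FBI
Flash Alert or from the Hive operators. The log events are constructed,
and the process names, service names and command lines are assumptions:
consult the Flash Alert's IoC list for the real indicators.
"""
import re

# Constructed Sysmon-style process-creation events (image + command line).
PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmd": "notepad.exe notes.txt"},                       # benign
    {"image": r"C:\Windows\System32\taskkill.exe",
     "cmd": "taskkill.exe /F /IM sqlwriter.exe /IM veeam.backup.service.exe"},
    {"image": r"C:\Windows\System32\net.exe",
     "cmd": "net.exe stop WinDefend /y"},
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": "wmic.exe shadowcopy delete"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c del /f /q C:\Users\Public\hive.exe C:\Users\Public\hive.bat"},
]

# Constructed file-rename events: (old path, new path).
FILE_RENAMES = [
    (r"D:\Finance\q3.xlsx", r"D:\Finance\q3.xlsx.hive"),
    (r"D:\Finance\budget.docx", r"D:\Finance\budget.docx.hive"),
    (r"D:\HR\payroll.csv", r"D:\HR\payroll.csv.hive"),
    (r"C:\Users\alice\draft.txt", r"C:\Users\alice\draft_v2.txt"),  # benign
]

HIVE_SUFFIX = ".hive"

# Assumed substrings naming backup, copy and security software.
PROTECTED_KEYWORDS = ("backup", "veeam", "sqlwriter", "vss", "defend",
                      "sophos", "mcafee", "robocopy", "acronis")

# Common shadow-copy deletion commands (assumed for the example).
SHADOW_DELETE = re.compile(
    r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows"
    r"|wmic(?:\.exe)?\s+shadowcopy\s+delete)\b", re.I)

# A cmd invocation that deletes a .bat file: the self-cleanup pattern.
BAT_SELF_CLEANUP = re.compile(r"\bdel\b[^&|]*\.bat\b", re.I)


def classify(event):
    """Return the behaviour tags that a single process-creation event matches."""
    cmd = event["cmd"]
    image = event["image"].rsplit("\\", 1)[-1].lower()
    lowered = cmd.lower()
    tags = []
    if SHADOW_DELETE.search(cmd):
        tags.append("shadow_copy_deletion")
    kill_tool = image == "taskkill.exe" or (image == "net.exe" and " stop " in lowered)
    if kill_tool and any(k in lowered for k in PROTECTED_KEYWORDS):
        tags.append("kills_protected_process")
    if image == "cmd.exe" and BAT_SELF_CLEANUP.search(cmd):
        tags.append("batch_self_cleanup")
    return tags


def scan(events):
    """Group the matching command lines by behaviour tag."""
    findings = {}
    for ev in events:
        for tag in classify(ev):
            findings.setdefault(tag, []).append(ev["cmd"])
    return findings


def hive_rename_fraction(renames):
    """Count renames whose new name ends in .hive; return (count, fraction)."""
    hits = sum(1 for _old, new in renames if new.lower().endswith(HIVE_SUFFIX))
    fraction = hits / len(renames) if renames else 0.0
    return hits, fraction


if __name__ == "__main__":
    for tag, cmds in scan(PROCESS_EVENTS).items():
        print(tag)
        for c in cmds:
            print("   ", c)
    print("hive renames:", hive_rename_fraction(FILE_RENAMES))
```

In practice the same rules would run over centrally collected EDR or Sysmon process-creation and file telemetry rather than an inline list. Because hive.bat removes the ransomware executable after encryption, the command-line records forwarded off the host are often the most durable evidence of what ran, so shipping them to a central store before the cleanup stage matters more than the on-disk artifacts.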
As is now common with RaaS operations, the gang operates a dark web data leak site where stolen data are uploaded to pressure victims into making payment.
A ransom note is dropped into all affected directories. It warns victims that attempting to modify, rename, or delete encrypted files will render them unrecoverable. Victims are required to contact the attackers through a live chat feature accessed via the Tor browser and are typically given between 2 and 6 days to pay, although the gang has been flexible with certain companies that have made contact. The FBI said some victims have been phoned by the attackers and instructed to pay, with data stolen prior to file encryption leaked on the HiveLeaks Tor site if payment is not made.
The number of ransomware attacks conducted by the gang and its affiliates is increasing. One notable attack believed to be the work of Hive is the ransomware attack on Memorial Health System, which affected all 64 of its clinics in the United States as well as its 3 hospitals. Palo Alto Networks reports at least 30 ransomware attacks performed by the group and its affiliates.
The FBI does not recommend paying the ransom, as this only encourages further attacks and there is no guarantee that files can be recovered, or that stolen data will in fact be deleted rather than leaked or sold. The FBI has asked all victims to report attacks to their local FBI field office so that investigators can track the attackers and bring them to justice.
The FBI has published a list of indicators of compromise (IoCs) and details of the Tor leak site in its Flash Alert.