Recent Comments



    FBI Issues Alert on Hive Ransomware

    August 31st, 2021 by

    FBI Issues Alert on Hive Ransomware

    “Hive “uses multiple mechanisms to compromise business networks, including phishing emails with malicious attachments, to gain access and remote desktop protocol (RDP) to move laterally once on the network,” the alert states (see: 7 Emerging Ransomware Groups Practicing Double Extortion).

    “After compromising a victim network, Hive ransomware actors exfiltrate data and encrypt files on the network. The actors leave a ransom note in each affected directory within a victim’s system, which provides instructions on how to purchase the decryption software. The ransom note also threatens to leak exfiltrated victim data on the Tor site, HiveLeaks,” the alert notes.

    Every encrypted file gets saved with a .hive extension appended, the FBI says. The Hive operators then drop a hive.bat script into the directory, which enforces an execution timeout delay of one second to perform cleanup after the encryption is finished by deleting the Hive executable and the hive.bat script, the alert notes.

    “A second file, shadow.bat, is dropped into the directory to delete shadow copies, including disc backup copies or snapshots, without notifying the victim, and then deletes the shadow.bat file. During the encryption process, encrypted files are renamed with the double final extension of *.key.hive or *.key.*,” according to the alert.

    Later, a ransom note, “HOW_TO_DECRYPT.txt,” gets dropped into the affected directory and warns against attempting to modify, rename or delete the key file, saying that doing so will make encrypted files unrecoverable.

    “The note contains a ‘sales department’ link, accessible through a Tor browser, enabling victims to contact the actors through live chat. Some victims reported receiving phone calls from Hive actors requesting payment for their files,” the alert says.

    The alert states that the initial deadline for payment fluctuates between two to six days, although it can vary.”

    Posted in Uncategorized | No Comments »

    Leave a Reply