{"id":6922,"date":"2021-08-30T16:23:24","date_gmt":"2021-08-30T23:23:24","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=6922"},"modified":"2024-08-07T12:20:03","modified_gmt":"2024-08-07T19:20:03","slug":"hive-ransomware","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/hive-ransomware\/","title":{"rendered":"Hive Ransomware"},"content":{"rendered":"

Author: Christopher Kim<\/strong><\/h3>\n

 <\/p>\n

1. Executive Summary<\/h3>\n

On 25 August, the Federal Bureau of Investigation (FBI) released a flash alert that describes the Hive ransomware and related indicators of compromise (IOCs).1<\/sup> According to the flash alert, Hive was discovered in June 2021 and likely operates as an affiliate-based ransomware.2<\/sup> It uses common ransomware tactics, techniques, and procedures (TTPs) to compromise victims\u2019 machines, bypass anti-malware, and then steal sensitive data and encrypt system files. In addition, Hive leaves an unencrypted, plain-text note that threatens to leak the victim\u2019s data on the TOR website HiveLeaks unless the victim pays a ransom. This behavior is consistent with the recent trend wherein many ransomware campaigns attempt to extort victims and most exfiltrate data.3, 4<\/sup><\/p>\n

2. Analysis<\/h3>\n

To gain a foothold in a victim\u2019s network, Hive uses spear-phishing emails with attachments. Upon obtaining the user\u2019s network credentials, Hive attempts to infect the network laterally, by using the Remote Desktop Protocol (RDP).<\/p>\n

To avoid anti-malware defenses, Hive terminates computer backup and restore, antivirus and antispyware, and file copying. After encrypting files and saving them with a .hive extension, Hive creates batch files hive.bat and shadow.bat, which contain commands for the computer to delete the Hive executable, disc backup copies or snapshots, and the batch files. This is a common technique used by malware to reduce available forensic evidence.<\/p>\n

Finally, Hive drops a ransom note, HOW_TO_DECRYPT.txt, into each affected directory. The note explains that encrypted files are not decryptable without the master key, which is in the actors\u2019 possession. In addition, the note contains the login details for the TOR website that the victim can use to pay the ransom, and it threatens to leak the victim\u2019s sensitive data on the HiveLeaks TOR website.<\/p>\n

In some attacks, in addition to offering live chat on their TOR website, the actors have called the victims directly and demanded a payment in return for the master key. Payment deadlines range from 2 to 6 days, but in some incidents, the actors prolonged the deadline after establishing communication with the victim company.<\/p>\n

3. Prevention and Mitigation<\/h3>\n

The FBI discourage victims from paying ransom; submitting to the demands of threat actors not only enriches them but also incentivizes them to continue their malicious campaigns. In addition, paying ransom does not guarantee that victims would recover their files and would not come under another attack from the same actors. Victims should carefully evaluate all options to protect their shareholders, employees, and customers. The FBI recommend the following actions for mitigation and prevention of ransomware attacks:<\/p>\n