The Federal Bureau of Investigation (FBI) has released technical details and indicators of compromise related to Hive ransomware attacks.
In a rare move, the FBI has included the link to the leak site where the ransomware gang publishes data stolen from companies that did not pay.
Multiple tactics and techniques
Hive ransomware relies on a diverse set of tactics, techniques, and procedures, which makes it difficult for organizations to defend against its attacks, the FBI says.
Among the techniques the gang uses to gain initial access and to move laterally across the network are phishing emails with malicious attachments and the Remote Desktop Protocol (RDP).
Before deploying the encryption routine, the Hive operators steal files they deem valuable, to pressure the victim into paying the ransom under the threat of a data leak.
The FBI says that the threat actor searches for processes belonging to backups, file copying, and security solutions (such as Windows Defender) that could hinder the data encryption task, and terminates them.
This stage is followed by dropping a hive.bat script that performs a cleanup routine, deleting the Hive malware executable and then removing itself.
Another script, called shadow.bat, is tasked with deleting shadow copies, backup files, and system snapshots, and then removes itself from the compromised host.
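The pre-encryption behaviour described above (killing backup and security processes, deleting shadow copies and backups, batch scripts that remove themselves) is what a defender can hunt for in process telemetry, since it happens before the .KEY files appear. The following Python is an added example, not code from the FBI alert or from Hive itself: it runs simple detection heuristics over constructed Sysmon-style process events and over a constructed batch script body. The page does not quote the contents of hive.bat or shadow.bat, so the command patterns are generic ransomware tradecraft rather than Hive-specific indicators; only the script names come from the report.

```python
"""Detection heuristics for the pre-encryption stage: process kills of
backup/security software, shadow copy and backup destruction, and
self-deleting batch scripts.

Added example, not code from the FBI flash alert or from Hive. The events
and the script below are constructed for the demo; the command patterns
are generic ransomware tradecraft, not Hive's actual (unquoted) commands.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class ProcessEvent:
    """Minimal Sysmon-style process-creation record (field set assumed)."""
    host: str
    image: str
    command_line: str


# Commands that destroy shadow copies, backups or recovery options.
SHADOW_DESTRUCTION = [
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup|backup)", re.I),
    re.compile(r"bcdedit(?:\.exe)?.*\brecoveryenabled\s+no\b", re.I),
]

# Process kill / service stop; the named group holds the target.
KILL_OR_STOP = re.compile(
    r'taskkill(?:\.exe)?\s.*?/im\s+"?(?P<kill>[^\s"]+)'
    r'|net(?:\.exe)?\s+stop\s+"?(?P<stop>[^\s"]+)', re.I)

# Substrings identifying backup/security targets (assumed, illustrative list).
PROTECTED_TARGETS = ("msmpeng", "windefend", "veeam", "backup", "vss", "sql")

# Script names the FBI report attributes to Hive, as stated on the page.
HIVE_SCRIPTS = ("hive.bat", "shadow.bat")

# Batch idiom for a script deleting its own file (%~f0 expands to its full path).
SELF_DELETE = re.compile(r"\bdel\b[^\r\n]*%~f0", re.I)


def classify(event: ProcessEvent) -> Set[str]:
    """Return the suspicious behaviours a single process event exhibits."""
    tags: Set[str] = set()
    cmd = event.command_line
    if any(p.search(cmd) for p in SHADOW_DESTRUCTION):
        tags.add("shadow_copy_destruction")
    m = KILL_OR_STOP.search(cmd)
    if m:
        target = (m.group("kill") or m.group("stop") or "").lower()
        if any(t in target for t in PROTECTED_TARGETS):
            tags.add("kills_backup_or_security")
    if any(name in cmd.lower() for name in HIVE_SCRIPTS):
        tags.add("hive_script_name")
    return tags


def correlate(events: List[ProcessEvent], threshold: int = 2) -> Dict[str, Set[str]]:
    """Aggregate behaviours per host and return hosts showing at least
    `threshold` distinct ones. A lone vssadmin call is noisy (admins run it);
    several of these behaviours together match the pre-encryption stage."""
    per_host: Dict[str, Set[str]] = {}
    for ev in events:
        per_host.setdefault(ev.host, set()).update(classify(ev))
    return {h: t for h, t in per_host.items() if len(t) >= threshold}


def scan_script(text: str) -> Set[str]:
    """Classify a recovered batch script body, e.g. a dropped shadow.bat."""
    tags: Set[str] = set()
    if any(p.search(text) for p in SHADOW_DESTRUCTION):
        tags.add("shadow_copy_destruction")
    if SELF_DELETE.search(text):
        tags.add("self_deleting")
    return tags


# Constructed telemetry: one compromised host, one doing routine admin work.
SAMPLE_EVENTS = [
    ProcessEvent("WS-042", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe delete shadows /all /quiet"),
    ProcessEvent("WS-042", r"C:\Windows\System32\taskkill.exe",
                 "taskkill /f /im MsMpEng.exe"),
    ProcessEvent("WS-042", r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c "C:\Users\Public\shadow.bat"'),
    ProcessEvent("SRV-07", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe list shadows"),
    ProcessEvent("SRV-07", r"C:\Windows\System32\net.exe",
                 "net stop Spooler"),
]

# Constructed script body illustrating the behaviour attributed to shadow.bat;
# this is NOT Hive's actual script.
SAMPLE_SCRIPT = (
    "@echo off\r\n"
    "vssadmin.exe delete shadows /all /quiet\r\n"
    "wmic.exe shadowcopy delete\r\n"
    'del /f /q "%~f0"\r\n'
)

if __name__ == "__main__":
    for host, tags in correlate(SAMPLE_EVENTS).items():
        print(host, sorted(tags))
    print("script:", sorted(scan_script(SAMPLE_SCRIPT)))
```

Run as a script it flags WS-042 with all three behaviours and leaves SRV-07 alone, because listing shadow copies and stopping the print spooler are ordinary administration. The `threshold` in `correlate` is the knob that trades false positives for detection latency: dropping it to 1 catches the first destructive command but will page on legitimate backup maintenance.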
The FBI says that some Hive ransomware victims reported being contacted by the attacker, who asked them to pay the ransom in exchange for the stolen files.
Along with indicators of compromise (IoCs), the FBI also provides a link to the threat actor's leak site, a detail that is usually withheld from technical reports.
Some of the files observed in Hive ransomware attacks include the following:
- Winlo.exe – used to drop 7zG.exe, a legitimate copy of the 7-Zip file archiver
- 7zG.exe – version 19.0.0 of the 7-Zip file archiver
- Winlo_dump_64_SCY.exe – used to encrypt files with the .KEY extension and to drop the ransom note HOW_TO_DECRYPT.txt
The FBI notes that the threat actor also relies on file-sharing services, many of them anonymous, such as Anonfiles, MEGA, Send.Exploit, Ufile, or SendSpace.
Although it was first observed in late June, Hive ransomware has already breached more than 30 organizations this summer, a count that includes only victims that refused to pay the ransom.
A recent victim of Hive ransomware is Memorial Health System, which operates a network of services that includes three hospitals and providers representing 64 clinics.
From files seen by BleepingComputer, the attacker stole databases containing records belonging to more than 200,000 patients.
The FBI does not recommend paying the threat actors, as payment encourages them to continue the activity. Moreover, there is no guarantee that the attacker will destroy the stolen data rather than selling it or handing it to fellow criminals.
Regardless of a ransomware victim's decision to pay or not, the FBI urges companies to report ransomware incidents to their local field office, giving investigators critical information to track the attackers, "hold them accountable under US law, and prevent future attacks."