Critical Infrastructure Security , Cybercrime , Cybercrime as-a-service
FBI Issues Alert on Hive Ransomware
Uptick in Hive Ransomware Activity SpottedThe FBI has issued a warning about Hive ransomware after the crime group took down IT systems at Memorial Health System last week (see: Memorial Health System in Ohio Latest to Be Hit With Attack).
See Also: Top 10 Actions During a Ransomware Attack
The alert details indicators of compromise and tactics, techniques and procedures - or TTPs - associated with ransomware attacks by the apparent ransomware-as-a-service operation.
Such groups involve operators building and maintaining crypto-locking malware, as well as associated services, such as a dedicated data leak site where they attempt to name and shame victims. Affiliates of these operations use the malware to infect victims, and if a victim pays, the affiliate and operator share the profit.
Technical Details
Hive "uses multiple mechanisms to compromise business networks, including phishing emails with malicious attachments, to gain access and remote desktop protocol (RDP) to move laterally once on the network," the alert states (see: 7 Emerging Ransomware Groups Practicing Double Extortion).
"After compromising a victim network, Hive ransomware actors exfiltrate data and encrypt files on the network. The actors leave a ransom note in each affected directory within a victim's system, which provides instructions on how to purchase the decryption software. The ransom note also threatens to leak exfiltrated victim data on the Tor site, HiveLeaks," the alert notes.
Every encrypted file gets saved with a .hive extension appended, the FBI says. The Hive operators then drop a hive.bat script into the directory, which enforces an execution timeout delay of one second to perform cleanup after the encryption is finished by deleting the Hive executable and the hive.bat script, the alert notes.
"A second file, shadow.bat, is dropped into the directory to delete shadow copies, including disc backup copies or snapshots, without notifying the victim, and then deletes the shadow.bat file. During the encryption process, encrypted files are renamed with the double final extension of *.key.hive or *.key.*," according to the alert.
Later, a ransom note, "HOW_TO_DECRYPT.txt," gets dropped into the affected directory and warns against attempting to modify, rename or delete the key file, saying that doing so will make encrypted files unrecoverable.
"The note contains a 'sales department' link, accessible through a Tor browser, enabling victims to contact the actors through live chat. Some victims reported receiving phone calls from Hive actors requesting payment for their files," the alert says.
The alert states that the initial deadline for payment fluctuates between two to six days, although it can vary.
The Rise of Hive
The emergence of Hive was first reported on June 26 by the self-described South Korea-based "ransomware hunter" behind the @fbgwls245 Twitter account, who spotted the malicious executable after it was uploaded to the VirusTotal malware-scanning service the prior day.
.hive #Ransomware
C3ACEB1E2EB3A6A3EC54E32EE620721E pic.twitter.com/HAJGyklnKu— dnwls0719 (@fbgwls245) June 26, 2021
Security firm McAfee says that based on its telemetry, the regions so far most hit by Hive affiliates are Belgium and Italy, followed by India, Spain and the United States.
One apparent victim of Hive is the Memorial Health System in Ohio, Bleeping Computer reported earlier this week, based on "evidence" it says it has seen (see: Ransomware: LockBit 2.0 Borrows Ryuk and Egregor's Tricks).
The operators behind Hive, which is written in the Go language, have been seen targeting both 32-bit and 64-bit versions of Windows.
"After compiling the samples, a packer - UPX - is used to obscure the code and make generic detection based on strings more difficult," McAfee says. "File sizes for Go language binaries can be very large; using UPX will make the file-size smaller."
Recommended Mitigations
Roger Grimes, a defensive security analyst at KnowBe4, says sharing information as the FBI is doing on Hive remains essential. "I'd give them kudos for all the great information they are sharing. Really, the only ding I would give them is in their recommended mitigations. None of them include end-user training to fight social engineering. Social engineering is the number one way that ransomware, and all hackers and malware, compromise environments," Grimes says.
KnowBe4's Rosa Smothers, who's a former CIA cyberthreat analyst and technical intelligence officer, says defending against ransomware requires not just technical defenses but security awareness training and fostering a robust security culture.
"It isn't necessarily the operating system - because there will always be vulnerabilities - but the lack of malware prevention, due to a lack of training for users on how to spot phishing links and not to open unvetted attachments," Smothers says.
The alert recommends backing up critical data offline, ensuring copies of critical data are in the cloud or on an external hard drive or storage device, and using two-factor authentication and strong passwords, including for remote access services, wherever possible.
Other recommendations include monitoring cyberthreat reporting regarding the publication of compromised VPN login credentials; keeping computers, devices, and applications patched and updated; and regularly updating antivirus or anti-malware software on all hosts.