FBI Issues Alert on Hive Ransomware

The Federal Bureau of Investigation has issued a warning about Hive ransomware after the group took down IT systems at Memorial Health System last week (see Memorial Health System in Ohio Latest to Be Hit With Attack).

See Also: Top 50 Security Threats

The alert details indicators of compromise, tactics, techniques, and procedures (TTPs) associated with ransomware attacks by a supposed Ransomware-as-a-Service organization consisting of various actors using multiple mechanisms to compromise business networks, exfiltrate data and encrypt data on the networks, and attempt to collect a ransom in exchange for access to the decryption software.

Technical Details

Hive, which operates as an affiliate-based ransomware operation “uses multiple mechanisms to compromise business networks, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol (RDP) to move laterally once on the network,” the alert states.

“After compromising a victim network, Hive ransomware actors exfiltrate data and encrypt files on the network. The actors leave a ransom note in each affected directory within a victim’s system, which provides instructions on how to purchase the decryption software. The ransom note also threatens to leak exfiltrated victim data on the Tor site, HiveLeaks,” the alert notes.

Upon successful file encryption, the files are saved using a .hive extension. The Hive operators then drop a hive.bat script into the directory, which enforces an execution timeout delay of one second to perform clean-up after the encryption is finished by deleting the Hive executable and the hive.bat script, the alert notes.

“A second file, shadow.bat, is dropped into the directory to delete shadow copies, including disc backup copies or snapshots, without notifying the victim and then deletes the shadow.bat file. During the encryption process, encrypted files are renamed with the double final extension of *.key.hive or *.key.*,” the alert notes.

Later, a ransom note, ““HOW_TO_DECRYPT.txt” is dropped into the affected directory and states the *key.* file cannot be modified, renamed, or deleted, otherwise the encrypted files cannot be recovered.

“The note contains a “sales department” link, accessible through a TOR browser, enabling victims to contact the actors through live chat. Some victims reported receiving phone calls from Hive actors requesting payment for their files,” the agency notes.

The alert states that the initial deadline for payment fluctuates between 2 to 6 days, but it varies.

The Rise of Hive

The emergence of Hive was first reported on June 26 by the self-described South Korea-based “ransomware hunter” behind the @fbgwls245 Twitter account, who spotted the malicious executable after it was uploaded to the VirusTotal malware-scanning service the prior day.

.hive #Ransomware
C3ACEB1E2EB3A6A3EC54E32EE620721E pic.twitter.com/HAJGyklnKu

— dnwls0719 (@fbgwls245) June 26, 2021

Security firm McAfee says that based on its telemetry, the regions so far most hit by Hive affiliates are Belgium and Italy, followed by India, Spain and the United States.

One apparent victim of Hive is the Memorial Health System in Ohio, Bleeping Computer reported earlier this week, based on “evidence” it says it has seen. (Also see: Ransomware: LockBit 2.0 Borrows Ryuk and Egregor’s Tricks)

Written in the Go language, operators behind Hive have been seen targeting both 32-bit and 64-bit versions of Windows.

“After compiling the samples, a packer – UPX – is used to obscure the code and make generic detection based on strings more difficult,” McAfee says. “File sizes for Go language binaries can be very large; using UPX will make the file-size smaller.”

Recommended Mitigations

Roger Grimes, data driven defense evangelist at KnowBe4, says he is happy anytime an organization publishes more details on any malicious compromise event or gang.

“I’d give them kudos for all the great information they are sharing. Really, the only ding I would give them is in their recommended mitigations. None of them include end user training to fight social engineering. Social engineering is the number one way that ransomware, and all hackers and malware compromise environments,” Grimes states.

Rosa Smothers, former CIA cyber threat analyst and technical intelligence officer, concurs saying it is an unfortunate but typical case of poor security awareness training and security culture.

“It isn’t necessarily the operating system – because there will always be vulnerabilities – but the lack of malware prevention, due to a lack of training for users on how to spot phishing links and not to open unvetted attachments;” Smothers is also SVP at KnowBe4.

The alert recommends backing-up of critical data offline, ensuring copies of critical data are in the cloud or on an external hard drive or storage device, with use of two-factor authentication and strong passwords, including for remote access services.

Other recommendations include monitoring cyber threat reporting regarding the publication of compromised VPN login; credentials and change passwords/settings if applicable; keeping computers, devices, and applications patched and up-to-date and installing and regularly updating anti-virus or anti-malware software on all hosts.