- La colaboración entre Seguridad y FinOps puede generar beneficios ocultos en la nube
- El papel del CIO en 2024: una retrospectiva del año en clave TI
- How control rooms help organizations and security management
- ITDM 2025 전망 | “효율경영 시대의 핵심 동력 ‘데이터 조직’··· 내년도 활약 무대 더 커진다” 쏘카 김상우 본부장
- 세일포인트 기고 | 2025년을 맞이하며… 머신 아이덴티티의 부상이 울리는 경종
The FBI issued a flash alert for Hive ransomware operations
The Federal Bureau of Investigation (FBI) published a flash alert related to the operations of the Hive ransomware gang.
The Federal Bureau of Investigation (FBI) has released a flaw alert on the Hive ransomware attacks that includes technical details and indicators of compromise associated with the operations of the gang.
Recently the group hit the Memorial Health System that was forced to suspend some of its operations.
Hive ransomware has been active since June 2021, it implements a Ransomware-as-a-Service model and employs a wide variety of tactics, techniques, and procedures (TTPs). Government experts state that the group uses multiple mechanisms to compromise networks of the victims, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol (RDP) to move laterally once on the network.
In order to facilitate file encryption, the ransomware look for processes associated with backups, anti-virus/anti-spyware, and file copying and terminates them. The Hive ransomware adds the .hive extension to the filename of encrypted files. The ransomware then drops a hive.bat script into the directory, which enforces an execution timeout delay of one second before performing cleanup one the encryption process is completed. The malware deletes the Hive executable and the hive.bat script. A second file, shadow.bat, is dropped into the directory and it used by ransomware operators to delete shadow copies and deletes the shadow.bat file itself once the operation is completed.
“During the encryption process, encrypted files are renamed with the double final extension of *.key.hive or *.key.*. The ransom note, “HOW_TO_DECRYPT.txt” is dropped into each affected directory and states the key. file cannot be modified, renamed, or deleted, otherwise the encrypted files cannot be recovered.” reads the FBI’s alert. “The note contains a “sales department” link, accessible through a TOR browser, enabling victims to contact the actors through a live chat. Some victims reported receiving phone calls from Hive actors requesting payment for their files.”
The deadline for payment is between 2 to 6 days, but in some cases threat actors prolonged it due to an ongoing negotiation with the victim.
The flash alert provides indicators of compromise (IoCs), including the onion address of the leak site (http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion) used by the gang.
The group also relies on multiple file-sharing services, including Anonfiles, MEGA, Send.Exploit, Ufile, or SendSpace.
A few days ago, the Federal Bureau of Investigation (FBI) has published another flash alert about a threat actor known as OnePercent Group that has been actively targeting US organizations in ransomware attacks since at least November 2020.
Follow me on Twitter: @securityaffairs and Facebook
Pierluigi Paganini
International Editor-in-Chief
Cyber Defense Magazine