The FBI has released comprehensive details about the tactics and methods used in the attacks carried out by the Hive ransomware.
The FBI has also included a link to the leak site where the gang publishes data stolen from companies that do not pay, a rare detail in technical reports of this sort.
The variety of tactics, techniques, and procedures used by the Hive ransomware gang makes it hard for organizations to defend themselves.
One of the tactics the gang uses to gain access to a network is sending phishing emails. They also use the Remote Desktop Protocol to access a network and to move laterally around it.
As a rule, before encryption is initiated, the attacker steals files that are valuable to the victim and demands that they pay the ransom.
The FBI says that the threat actor usually searches for processes that can interfere with encrypting data and terminates them. These are typically processes for backups, file copying, and security solutions (like Windows Defender).
This stage is followed by dropping the hive.bat script, which performs a cleanup routine and removes the Hive malware executable. In addition, the Shadow.bat script deletes the backup files and shadow copies stored on the compromised host.
The FBI has confirmed that some victims of the Hive ransomware were personally contacted and asked to pay the ransom in order to receive their files back.
“The initial deadline for payment fluctuates between 2 to 6 days, but actors have prolonged the deadline in response to contact by the victim company,” the agency notes in its Flash bulletin.
Some files used in Hive ransomware attacks include:
- Winlo.exe – used to drop 7zG.exe, a legitimate 7-Zip file archiver
- 7zG.exe – version 19.0.0 of the 7-Zip file archiver
- Winlo_dump_64_SCY.exe – used to encrypt files with the .KEY extension and to drop a ransom note
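As an added example (not FBI or vendor code), here is a small triage pass over process-creation and file-creation events that looks for the file names listed above and for the cleanup scripts hive.bat and Shadow.bat. The event field names, the sample events, and the .KEY burst threshold are assumptions made for the illustration.

```python
import ntpath

# File names taken from the FBI summary above. Names are easy to change,
# so a hit is a triage lead, not proof of compromise.
HIVE_NAMES = {"winlo.exe", "winlo_dump_64_scy.exe", "hive.bat", "shadow.bat"}
ARCHIVER = "7zg.exe"      # legitimate 7-Zip binary: only its context is suspicious
ENCRYPTED_EXT = ".key"
KEY_BURST = 3             # assumed threshold, sized for this small sample

def base(path):
    return ntpath.basename(path or "").lower()

def triage(events):
    """Return (host, reason) findings for process/file events (assumed schema)."""
    findings, key_files = [], {}
    for ev in events:
        host, name = ev["host"], base(ev.get("image") or ev.get("target"))
        if ev["type"] == "process":
            # Script names may appear only on the command line (cmd.exe /c x.bat).
            tokens = {base(t.strip('"')) for t in ev.get("cmdline", "").split()}
            hit = ({name} | tokens) & HIVE_NAMES
            if hit:
                findings.append((host, "listed file executed: " + sorted(hit)[0]))
            elif name == ARCHIVER and base(ev.get("parent")) in HIVE_NAMES:
                findings.append((host, "7zG.exe launched by listed dropper"))
        elif ev["type"] == "file" and name.endswith(ENCRYPTED_EXT):
            key_files[host] = key_files.get(host, 0) + 1
    for host, count in key_files.items():
        if count >= KEY_BURST:
            findings.append((host, f"{count} new .KEY files"))
    return findings

# Constructed sample events (not taken from any real incident).
SAMPLE = [
    {"type": "process", "host": "ws1", "image": r"C:\Program Files\7-Zip\7zG.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "7zG.exe a docs.7z"},
    {"type": "process", "host": "fs2", "image": r"C:\Users\Public\Winlo.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "Winlo.exe"},
    {"type": "process", "host": "fs2", "image": r"C:\Users\Public\7zG.exe",
     "parent": r"C:\Users\Public\Winlo.exe", "cmdline": "7zG.exe a out.7z"},
    {"type": "process", "host": "fs2", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\Public\Winlo_dump_64_SCY.exe",
     "cmdline": r'cmd.exe /c "C:\Temp\shadow.bat"'},
] + [{"type": "file", "host": "fs2", "target": rf"D:\share\report{i}.xlsx.KEY"} for i in range(3)]

if __name__ == "__main__":
    for host, reason in triage(SAMPLE):
        print(host, reason)
```

The ordinary 7-Zip run on ws1 produces no finding, because 7zG.exe is a legitimate tool and is only flagged here when one of the listed droppers is its parent.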
The FBI also noted that the attacker uses various file-sharing services, such as Anonfiles, Send.Exploit, and Ufile.
Since June, more than 30 organizations have been affected by the Hive ransomware, and these are only the victims who did not pay the ransom.
The FBI discourages victims from paying the attackers, so as not to encourage them to continue their activities. In any case, victims may not get the stolen data back even after paying the ransom.
The FBI also encourages companies to always report ransomware incidents to law enforcement agencies.