The U.S Federal Bureau of Investigation (FBI) has issued a warning to business entities about an increasingly prolific new ransomware variant known as Hive.
The Bureau’s alert to businesses indicated that Hive uses multiple mechanisms to compromise corporate networks, making it harder for defenders to mitigate.
It listed these as including phishing emails with malicious attachments to gain initial access and the hijacking of Remote Desktop Protocol (RDP) to move laterally.
In addition, the FBI stated that the affiliate-based ransomware searches for and terminates processes linked to backups, anti-virus and file copying to boost its chances of success, adding that encrypted files end with a .hive suffix.
The FBI alert further clarified: “The Hive ransomware then drops a hive.bat script into the directory, which enforces an execution timeout delay of one second in order to perform clean-up after the encryption is finished, by deleting the Hive executable and the hive.bat script.
“A second file, shadow.bat, is dropped into the directory to delete shadow copies, including disc backup copies or snapshots, without notifying the victim and then deletes the shadow.bat file.
“The ransom note, dropped into every impacted directory, warns that if encrypted files are modified, renamed or deleted, they can’t be recovered. In the spirit of modern ransomware operations, which are highly professionalized, there’s also a live chat link to a ‘sales department,’ accessible through a TOR browser, for further communication”, the FBI added.
According to a news report by infosecurity-magazine.com, some victims told FBI that they had received follow-up phone calls from their attackers urging payment and that a second tactic is to exfiltrate and publish stolen files on a public leak site.
The online medium further noted: “It’s believed the group, or affiliates associated with Hive, were responsible for the attack on Memorial Health System earlier this month, which disrupted IT systems at nearly all of its 64 clinics and three hospitals.
“According to Palo Alto Networks, Hive had breached 28 organizations listed on its leak site as of this week, including a European airline company. It was first discovered in June”, it added.