Hive ransomware criminals have hit more than 1,300 companies globally, extorting about $100 million from its victims over the last 18 months, according to the FBI.
While Hive has only been around since June 2021, the ransomware-as-a-service operator has been extremely prolific in its relatively short existence, and taken an intense liking to critical infrastructure and hospitals, where locked IT systems can literally be a matter of life and death.
In April, the US Health and Human Services (HHS) agency warned healthcare orgs about Hive, which HHS described as an “exceptionally aggressive” threat to the health sector.
The gang also targets government facilities, communications, critical manufacturing and IT.
In a joint advisory [PDF] with CISA and HHS, the FBI this week detailed Hive indicators of compromise and commonly used techniques and procedures that the Feds have observed as recently as this month.
While the initial intrusion will depend on which Hive affiliate is carrying out the attack, the criminals have broken into networks using stolen single-factor RDP logins, virtual private networks and other remote network connection protocols, according to the agencies.
However, the miscreants have also bypassed multi-factor authentication and broken into FortiOS servers by exploiting CVE-2020-12812, a critical authentication bypass bug that Fortinet fixed more than two years ago.
And sometimes, we’re told, they use tried-and-true phishing emails with malicious attachments, and then exploit any number of Microsoft Exchange server vulnerabilities.
Once they’ve broken in, the crooks have several methods they use to evade detection. This includes identifying processes related to backups and anti-virus tools, copying those files and then terminating the processes. They have also been known to delete Windows event logs and disable Windows Defender.
Hive affiliates “likely” exfiltrate data with a combo of Rclone, an open-source program used to move data to cloud storage, and the cloud storage service Mega.nz, according to the FBI. And they don’t exclusively target Windows systems: Hive developers have also come up with ransomware variants for Linux, VMware ESXi and FreeBSD.
After they’ve gained initial access, bypassed security features and stolen sensitive information, the criminals move on to encryption. For this, they create a file named *.key (the Feds note that it was previously named *.key.*). The key file, which is required for decryption, is written to the root directory and exists only on the machine where it was created.
They then drop a ransom note, “HOW_TO_DECRYPT.txt,” into each compromised directory with a link to a “sales department,” reachable via a Tor browser, where the victim can chat with a helpful crook about payment and the deadline to pay up.
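The behaviours described above (backup and anti-virus processes terminated, event logs cleared, Defender disabled, Rclone pushing data to Mega, a *.key file in the volume root and a HOW_TO_DECRYPT.txt note in every directory) are exactly the sort of thing a SOC can turn into a hunt. The following script is an added example written for this article, not code from the advisory or from The Register. The telemetry records are constructed, the keyword watchlist for backup/AV processes is an assumption, and the Windows event IDs it keys on (1102 for an audit log being cleared, 5001 for Defender real-time protection being disabled) are standard Windows IDs that the article itself does not cite.

```python
"""Hunt constructed endpoint telemetry for the Hive TTPs described in the joint advisory."""
import fnmatch
import re
from dataclasses import dataclass

# Constructed sample telemetry (not real Hive artefacts): process-creation records,
# Windows event-log records and file-creation records from two hosts.
SAMPLE_TELEMETRY = [
    {"type": "process", "host": "srv01", "image": "C:\\Windows\\System32\\taskkill.exe",
     "cmdline": 'taskkill /F /IM "Veeam.Backup.Service.exe"'},
    {"type": "event", "host": "srv01", "provider": "Microsoft-Windows-Eventlog", "event_id": 1102},
    {"type": "event", "host": "srv01", "provider": "Microsoft-Windows-Windows Defender", "event_id": 5001},
    {"type": "process", "host": "srv01", "image": "C:\\Users\\Public\\rclone.exe",
     "cmdline": "rclone.exe copy D:\\Finance mega:dump --transfers 8"},
    {"type": "file", "host": "srv01", "path": "C:\\a1b2c3.key"},
    {"type": "file", "host": "srv01", "path": "D:\\Finance\\HOW_TO_DECRYPT.txt"},
    {"type": "process", "host": "ws07", "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    # A .key file deep in a user profile is normal (SSH, TLS, licences) and must not fire.
    {"type": "file", "host": "ws07", "path": "C:\\Users\\alice\\Documents\\project.key"},
]

# Assumed watchlist: substrings that identify backup or anti-virus processes in a kill command.
BACKUP_AV_KEYWORDS = ("backup", "veeam", "msmpeng", "defender", "vss", "sophos")
KILL_TOOLS = ("taskkill.exe", "net.exe", "sc.exe")


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str
    evidence: str


def _is_root_path(path: str) -> bool:
    """True for a file directly under a Windows drive root (C:\\x.key) or a POSIX root (/x.key)."""
    return re.fullmatch(r"([A-Za-z]:\\|/)[^\\/]+", path) is not None


def analyse(records) -> list:
    """Map each telemetry record to zero or more Hive-style findings."""
    findings = []
    for r in records:
        host = r["host"]
        if r["type"] == "process":
            image, cmd = r["image"].lower(), r["cmdline"].lower()
            if image.endswith(KILL_TOOLS) and any(k in cmd for k in BACKUP_AV_KEYWORDS):
                findings.append(Finding(host, "backup/AV process termination", r["cmdline"]))
            if "rclone" in image or cmd.startswith("rclone"):
                dest = " to Mega" if "mega:" in cmd else ""
                findings.append(Finding(host, "possible exfiltration via rclone" + dest, r["cmdline"]))
        elif r["type"] == "event":
            if r["provider"] == "Microsoft-Windows-Eventlog" and r["event_id"] == 1102:
                findings.append(Finding(host, "security event log cleared", "event 1102"))
            if r["provider"] == "Microsoft-Windows-Windows Defender" and r["event_id"] == 5001:
                findings.append(Finding(host, "Defender real-time protection disabled", "event 5001"))
        elif r["type"] == "file":
            name = r["path"].replace("/", "\\").rsplit("\\", 1)[-1]
            if name.upper() == "HOW_TO_DECRYPT.TXT":
                findings.append(Finding(host, "Hive ransom note dropped", r["path"]))
            elif fnmatch.fnmatch(name.lower(), "*.key") and _is_root_path(r["path"]):
                findings.append(Finding(host, "Hive-style *.key file in volume root", r["path"]))
    return findings


def summarize(findings) -> dict:
    """Group findings per host; three or more distinct techniques on one host is rated high."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f.host, set()).add(f.technique)
    return {h: {"techniques": sorted(t), "severity": "high" if len(t) >= 3 else "medium"}
            for h, t in per_host.items()}


if __name__ == "__main__":
    for host, info in summarize(analyse(SAMPLE_TELEMETRY)).items():
        print(f"{host}: {info['severity']}")
        for t in info["techniques"]:
            print(f"  - {t}")
```

The per-host correlation is the useful part: any one of these signals (a cleared log, a single taskkill, a stray .key file) is noisy on its own, but several of them on the same host within a short window is the pattern the advisory describes, and it is worth paging on before the encryption stage finishes.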
The gang also threatens to post the stolen data on its HiveLeaks site if the organization doesn’t pay the ransom. “Hive actors have been known to reinfect — with either Hive ransomware or another ransomware variant — the networks of victim organizations who have restored their network without making a ransom payment,” the FBI warned.
It’s also worth noting that paying a ransom isn’t a guarantee that an organization won’t be hit a second or even a third time by Hive or another ransomware operator.
Case in point: In May, an unnamed company was hit by a LockBit ransomware attack, according to Sophos threat researchers. Less than two hours later, a Hive ransomware affiliate attacked the same company, and two weeks after that the organization was attacked a third time, by a BlackCat ransomware group.
In other words: there’s really no honor among thieves. ®