Hive Ransomware Owners are Using Personalized Ransomware Kits
Hive Ransomware, an affiliate-based ransomware first reported by the FBI in mid-2021, is now targeting Microsoft Exchange Server. The Federal Bureau of Investigation found Hive ransomware compromising business networks and exfiltrating and encrypting data on those networks in an attempt to collect a ransom. Recently, the Indian CERT team issued a virus alert stating that Hive Ransomware owners are using multiple mechanisms and personalized ransomware kits to exploit various operating systems.
The team running Hive Ransomware is highly organized and, as reported by the Varonis research team, is capable of compromising and encrypting a corporate network within 72 hours. Hive Ransomware uses various phishing methods to lure employees of the targeted organization into opening malicious email attachments. It also uses vulnerable RDP servers and compromised VPN credentials to get into the network. The operators rely on tools such as Cobalt Strike as a command-and-control framework, ConnectWise Control for self-hosted remote desktop access, and AD Recon for Active Directory enumeration. After the initial intrusion, Hive Ransomware terminates backup, antivirus, and antispyware programs and starts encrypting the files on the machine.
Files encrypted by Hive Ransomware usually end with the “.hive” extension. It drops a hive.bat script into the directory and executes the malicious and cleanup program after a 1-second delay. After encrypting the files, Hive Ransomware drops another script, shadow.bat, to delete the machine's shadow copies, backups, or snapshots and so reduce the chances of recovery. It uses double extensions such as .key.hive or *.key.* so that encrypted files cannot be decrypted without the decryption key. It drops a ransom note into every affected folder on the machine containing a link, an ID, and a password for the group's “sales department”, which is accessible only through the TOR browser. A live chat feature lets victims contact the Hive Ransomware team to obtain the decryption key after they pay the specified ransom.
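The on-disk artifacts described above (the “.hive” extension, the “.key.hive” key files, and the dropped hive.bat and shadow.bat scripts) are what a responder can sweep a file share or forensic image for. The following is an added example, not code from the original article or from any vendor: a small scanner that classifies paths from a file listing and flags a host when Hive-style artifacts are present. The sample listing is constructed for illustration.

```python
"""Sweep a file listing for the Hive ransomware artifacts named in the article:
files ending in ".hive", ".key.hive" key files, and dropped hive.bat/shadow.bat.
The SAMPLE_LISTING below is constructed, not taken from a real incident."""
from collections import defaultdict
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Optional

ENCRYPTED_SUFFIX = ".hive"
KEY_SUFFIX = ".key" + ENCRYPTED_SUFFIX          # e.g. <something>.key.hive
DROPPED_SCRIPTS = {"hive.bat", "shadow.bat"}    # cleanup and shadow-copy deletion scripts


def classify_path(path: str) -> Optional[str]:
    """Return the artifact class for one path, or None if it is unremarkable."""
    # PureWindowsPath accepts both "\" and "/" separators, so listings from
    # Windows hosts or from a mounted image both work.
    name = PureWindowsPath(path).name.lower()
    if name in DROPPED_SCRIPTS:
        return "dropped_script"
    if name.endswith(KEY_SUFFIX):
        return "key_file"
    if name.endswith(ENCRYPTED_SUFFIX):
        return "encrypted_file"
    return None


def scan_listing(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Group every matching path by artifact class."""
    findings: Dict[str, List[str]] = defaultdict(list)
    for p in paths:
        kind = classify_path(p)
        if kind is not None:
            findings[kind].append(p)
    return dict(findings)


def hive_indicators_present(findings: Dict[str, List[str]], min_encrypted: int = 5) -> bool:
    """Alert on any dropped script or key file, or on a burst of renamed files.
    min_encrypted is an assumed threshold to tolerate a stray filename match."""
    return (bool(findings.get("dropped_script"))
            or bool(findings.get("key_file"))
            or len(findings.get("encrypted_file", [])) >= min_encrypted)


SAMPLE_LISTING = [  # constructed sample paths
    r"C:\Users\alice\Documents\budget.xlsx.hive",
    r"C:\Users\alice\Documents\minutes.docx.hive",
    r"C:\Users\alice\Documents\HOW_TO_DECRYPT.txt",
    r"C:\Users\alice\AppData\Local\Temp\hive.bat",
    r"C:\Users\alice\AppData\Local\Temp\shadow.bat",
    r"C:\Users\alice\Desktop\notes.txt",
]

if __name__ == "__main__":
    print(scan_listing(SAMPLE_LISTING), hive_indicators_present(scan_listing(SAMPLE_LISTING)))
```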
Warning Note for the Victim
The Hive Ransomware group also leaves a warning note for the victim listing actions that will damage their data: do not shut down or reboot the machine, and do not unmount any external storage devices. Victims are warned not to report to the authorities; otherwise, the negotiation process will be terminated and the decryption key erased immediately. If the victim refuses to purchase the decryption key, the attackers threaten to publicly disclose the organization's sensitive data, and they have literally provided a URL for this purpose. The Indian Computer Emergency Response Team has recommended a list of guidelines to protect personal and organizational data from Hive Ransomware attacks.