The FBI has released technical information about the Hive ransomware.

Hive, a ransomware group, has already compromised over 30 organizations and businesses.


The US Federal Bureau of Investigation (FBI) has released technical details and indicators of compromise for the Hive ransomware attacks. The agency also provided a link to the group's data leak site, where Hive publishes data stolen from businesses that refuse to pay.


According to the FBI, Hive's operators employ a wide range of tactics, techniques, and procedures that make its attacks difficult to defend against. The criminals gain initial access to victim networks through phishing emails carrying malicious attachments, then use Remote Desktop Protocol (RDP) to move laterally once inside the network.


Hive ransomware exfiltrates files the attackers consider valuable before encrypting them, so the victim can be pressured to pay both for decryption and to prevent the stolen data from being leaked. According to the FBI, the malware also searches the compromised machine for processes related to backups, anti-virus/anti-spyware products (such as Windows Defender), and file copying, and terminates them so they cannot interfere with the encryption.


Encryption is followed by the execution of a hive.bat script, which waits for a one-second timeout and then performs cleanup by deleting the Hive executable and then the hive.bat script itself.


A second script, shadow.bat, deletes shadow copies, backup files, and system state snapshots from the compromised device without notifying the user, and then deletes itself as well.
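The behaviour described above (killing backup and anti-virus processes, wiping shadow copies, and batch scripts that delete themselves) leaves traces in process-creation telemetry. The following detector is an added example written for this page, not code from the FBI alert or from the Hive operators: it runs a handful of rules over constructed process-creation events in a simplified "image|parent|command line" format. The command lines it looks for (vssadmin, wmic, wbadmin, taskkill, net stop, the `del "%~f0"` self-delete idiom) are generic Windows techniques assumed for the example; the page does not quote the exact commands Hive uses, and the process-name fragments in PROTECTED_FRAGMENTS are illustrative.

```python
"""Flag process-creation events that look like ransomware pre-encryption
staging: shadow-copy/backup deletion, backup or AV process termination,
and self-deleting batch scripts. Added example; rules are generic."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    image: str      # full path of the created process
    parent: str     # full path of the parent process
    cmdline: str    # command line as logged


# Rule name -> regexes applied to the command line. These are generic
# Windows commands assumed for this example, not quoted from the alert.
RULES = {
    "shadow_copy_deletion": [
        re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
        re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
        re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)\b", re.I),
        re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I),
    ],
    "self_deleting_batch": [
        # `del "%~f0"` removes the running .bat file itself
        re.compile(r"\bdel\b[^&|]*%~f0", re.I),
    ],
}

# Process/service name fragments a ransomware typically stops before
# encrypting (illustrative list, assumed for this example).
PROTECTED_FRAGMENTS = ("backup", "veeam", "msmpeng", "mcshield", "sophos", "sql", "vss")

# Captures the target of taskkill /IM, net stop or sc stop.
KILL_TARGET = re.compile(
    r"(?:taskkill(?:\.exe)?\b.*?/im\s+|net(?:\.exe)?\s+stop\s+|sc(?:\.exe)?\s+stop\s+)\"?([^\"\s]+)",
    re.I,
)

# Constructed sample events (not real Hive telemetry).
SAMPLE_EVENTS = [
    r"C:\Windows\System32\vssadmin.exe|C:\Windows\System32\cmd.exe|vssadmin.exe delete shadows /all /quiet",
    r"C:\Windows\System32\wbem\WMIC.exe|C:\Windows\System32\cmd.exe|wmic shadowcopy delete",
    r"C:\Windows\System32\wbadmin.exe|C:\Windows\System32\cmd.exe|wbadmin delete catalog -quiet",
    r"C:\Windows\System32\taskkill.exe|C:\Users\Public\stage.exe|taskkill /F /IM MsMpEng.exe",
    r"C:\Windows\System32\net.exe|C:\Users\Public\stage.exe|net stop VeeamBackupSvc",
    r'C:\Windows\System32\cmd.exe|C:\Users\Public\stage.exe|cmd.exe /c timeout 1 && del "C:\Users\Public\stage.exe" && del "%~f0"',
    r"C:\Windows\System32\vssadmin.exe|C:\Windows\System32\cmd.exe|vssadmin list shadows",
    r"C:\Windows\System32\taskkill.exe|C:\Windows\explorer.exe|taskkill /F /IM notepad.exe",
]


def parse_event(line: str) -> Event:
    image, parent, cmdline = line.split("|", 2)
    return Event(image.strip(), parent.strip(), cmdline.strip())


def classify(ev: Event) -> list:
    """Return the names of every rule the event's command line triggers."""
    hits = [name for name, patterns in RULES.items()
            if any(p.search(ev.cmdline) for p in patterns)]
    m = KILL_TARGET.search(ev.cmdline)
    if m:
        target = m.group(1).lower()
        if any(frag in target for frag in PROTECTED_FRAGMENTS):
            hits.append("backup_or_av_termination")
    return hits


def scan(lines) -> list:
    """Return [(rule, command_line)] for every flagged event."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for rule in classify(ev):
            findings.append((rule, ev.cmdline))
    return findings


if __name__ == "__main__":
    for rule, cmd in scan(SAMPLE_EVENTS):
        print(f"{rule:26} {cmd}")
```

On the constructed sample this flags six events and leaves the benign `vssadmin list shadows` and the notepad kill alone. In a real deployment the same rules map onto Sysmon Event ID 1 or Windows Security Event 4688 command lines; a self-deleting batch file whose parent is an unsigned binary in a user-writable directory is the combination worth paging on.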

Some Hive ransomware victims reported receiving phone calls from the attackers demanding payment for the decryption keys. The initial payment deadline ranges from 2 to 6 days, but the group has extended it in some cases once the victim made contact.

Files seen in Hive ransomware attacks include Winlo.exe (used to drop 7zG.exe), 7zG.exe (a legitimate copy of version 19.0.0 of the 7-Zip file archiver), and Winlo_dump_64_SCY.exe (used to encrypt files, appending the .KEY extension, and to drop the ransom note HOW_TO_DECRYPT.txt).

According to the FBI, the attackers also use file-sharing services such as Anonfiles, MEGA, Send.Exploit, Ufile, or SendSpace to host the data they steal.
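Uploads to those services are one of the few signals a defender can see before encryption starts. The script below is an added example for this page, not code from the FBI or any Hive sample: it parses constructed proxy log lines, matches hostnames against the services by proper domain-suffix match (so `notmega.nz` does not match `mega.nz`), sums the bytes sent per source host and service for POST/PUT requests, and flags sources that exceed a volume threshold. The hostname-to-service mapping in WATCHED_DOMAINS is an assumption of the example; the alert names the services, not their domains.

```python
"""Summarize and flag uploads to file-sharing services from proxy logs.
Added example; domain list and log format are assumptions."""
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed hostnames for the services named in the alert (the mapping is
# this example's assumption, not taken from the alert).
WATCHED_DOMAINS = {
    "anonfiles.com": "Anonfiles",
    "mega.nz": "MEGA",
    "send.exploit.in": "Send.Exploit",
    "ufile.io": "Ufile",
    "sendspace.com": "SendSpace",
}

# Constructed proxy log: timestamp src_ip method url status bytes_sent
SAMPLE_PROXY_LOG = """\
2021-08-20T10:01:02Z 10.0.5.21 POST https://upload.mega.nz/upload?x=1 200 734003200
2021-08-20T10:01:09Z 10.0.5.21 POST https://upload.mega.nz/upload?x=2 200 734003200
2021-08-20T10:02:00Z 10.0.5.21 GET https://mega.nz/ 200 2048
2021-08-20T10:03:14Z 10.0.7.9 PUT https://api.anonfiles.com/upload 200 52428800
2021-08-20T10:04:00Z 10.0.7.9 GET https://notmega.nz/landing 200 4096
2021-08-20T10:05:00Z 10.0.8.3 GET https://www.example.com/ 200 10240
2021-08-20T10:06:00Z 10.0.9.4 POST https://send.exploit.in/api 200 1024
"""


def watched_service(host: str):
    """Return the service name if host is a watched domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    for domain, service in WATCHED_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return service
    return None


def summarize_uploads(log_text: str) -> dict:
    """Bytes sent per (src_ip, service) over POST/PUT to watched services."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than crash on them
        _ts, src, method, url, _status, sent = parts
        if method.upper() not in ("POST", "PUT"):
            continue
        service = watched_service(urlsplit(url).hostname or "")
        if service:
            totals[(src, service)] += int(sent)
    return dict(totals)


def flag_exfil(log_text: str, threshold_bytes: int = 100 * 1024 * 1024) -> list:
    """Sources that pushed at least threshold_bytes to a single service."""
    totals = summarize_uploads(log_text)
    return sorted(key for key, sent in totals.items() if sent >= threshold_bytes)


if __name__ == "__main__":
    for (src, service), sent in sorted(summarize_uploads(SAMPLE_PROXY_LOG).items()):
        print(f"{src:12} {service:12} {sent:>12} bytes")
    print("flagged:", flag_exfil(SAMPLE_PROXY_LOG))
```

The threshold catches bulk staging, but the per-service totals are worth reviewing even below it: a 1 KB POST to a file-sending service from a domain controller or a file server is not normal traffic, whatever its size.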


The Hive group has already targeted several healthcare providers and other organizations, including a European airline and three US companies. Other countries with victims of this ransomware include Australia, China, India, the Netherlands, Norway, Peru, Portugal, Switzerland, Thailand, and the United Kingdom.
