U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

The FBI issued a flash alert for Hive ransomware operations

The Federal Bureau of Investigation (FBI) published a flash alert related to the operations of the Hive ransomware gang. The Federal Bureau of Investigation (FBI) has released a flash alert on the Hive ransomware attacks that includes technical details and indicators of compromise associated with the operations of the gang. Recently the group hit the […]

hive ransomware fbi alert

The Federal Bureau of Investigation (FBI) published a flash alert related to the operations of the Hive ransomware gang.

The Federal Bureau of Investigation (FBI) has released a flash alert on the Hive ransomware attacks that includes technical details and indicators of compromise associated with the operations of the gang.

hive ransomware fbi alert

Recently the group hit the Memorial Health System that was forced to suspend some of its operations.

Hive ransomware has been active since June 2021, it implements a Ransomware-as-a-Service model and employs a wide variety of tactics, techniques, and procedures (TTPs). Government experts state that the group uses multiple mechanisms to compromise networks of the victims, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol (RDP) to move laterally once on the network.

In order to facilitate file encryption, the ransomware look for processes associated with backups, anti-virus/anti-spyware, and file copying and terminates them. The Hive ransomware adds the .hive extension to the filename of encrypted files. The ransomware then drops a hive.bat script into the directory, which enforces an execution timeout delay of one second before performing cleanup one the encryption process is completed. The malware deletes the Hive executable and the hive.bat script. A second file, shadow.bat, is dropped into the directory and it used by ransomware operators to delete shadow copies and deletes the shadow.bat file itself once the operation is completed.

“During the encryption process, encrypted files are renamed with the double final extension of *.key.hive or *.key.*. The ransom note, “HOW_TO_DECRYPT.txt” is dropped into each affected directory and states the key. file cannot be modified, renamed, or deleted, otherwise the encrypted files cannot be recovered.” reads the FBI’s alert. “The note contains a “sales department” link, accessible through a TOR browser, enabling victims to contact the actors through a live chat. Some victims reported receiving phone calls from Hive actors requesting payment for their files.”

The deadline for payment is between 2 to 6 days, but in some cases threat actors prolonged it due to an ongoing negotiation with the victim.

The flash alert provides indicators of compromise (IoCs), including the onion address of the leak site (http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion) used by the gang.

The group also relies on multiple file-sharing services, including Anonfiles, MEGA, Send.Exploit, Ufile, or SendSpace.

A few days ago, the Federal Bureau of Investigation (FBI) has published another flash alert about a threat actor known as OnePercent Group that has been actively targeting US organizations in ransomware attacks since at least November 2020.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, FBI)

[adrotate banner=”5″]

[adrotate banner=”13″]