"FBI Warns Businesses of New Hive Ransomware"

The FBI has issued a warning to firms about an increasingly prolific new ransomware variant known as Hive.  The FBI noted that the affiliate-based ransomware uses multiple mechanisms to compromise corporate networks, making it harder for defenders to mitigate.  The multiple mechanisms used to compromise corporate networks include phishing emails with malicious attachments to gain initial access and the hijacking of Remote Desktop Protocol (RDP) to move laterally.  The malware itself looks for and terminates processes linked to backups, anti-virus, and file copying to boost its chances of success. Encrypted files end with a .hive suffix.  The FBI stated that the Hive ransomware then drops a hive.bat script into the directory, which enforces an execution timeout delay of one second in order to perform clean-up after the encryption is finished by deleting the Hive executable and the hive.bat script.  A second file, shadow.bat, is dropped into the directory to delete shadow copies, including disc backup copies or snapshots, without notifying the victim and then deletes the shadow.bat file.  The ransom note, dropped into every impacted directory, warns that if encrypted files are modified, renamed, or deleted, they can’t be recovered.   Some victims told the FBI they had received follow-up phone calls from their attackers urging payment. A second tactic is to exfiltrate and publish stolen files on a public leak site.  The FBI believes that the group, or affiliates associated with Hive, were responsible for the attack on Memorial Health System earlier this month, which disrupted IT systems at nearly all of its 64 clinics and three hospitals.  According to researchers at Palo Alto Networks, Hive had breached 28 organizations listed on its leak site as of this week, including a European airline company. 

Infosecurity reports: "FBI Warns Businesses of New Hive Ransomware"