Hive Ransomware

Introduction

First discovered in June 2021, Hive is affiliate-based ransomware that targets healthcare facilities, nonprofits, retailers, energy providers, and other sectors worldwide. It operates on a Ransomware-as-a-Service model, which lets its affiliates deploy Hive as they see fit.

The affiliates generally use common ransomware tactics, techniques, and procedures to intrude into victims' devices, exfiltrate sensitive data, and encrypt business files. Phishing emails carrying malicious attachments, leaked VPN credentials, and the exploitation of externally exposed vulnerabilities are also used by the affiliates to compromise a network. Hive drops a plain-text ransom note threatening to leak the victim's data on its TOR website, 'HiveLeaks', if the demands are not met.

Hive is believed to be a Russian organization. According to its website, it has targeted institutions in more than 20 countries since its emergence, from the far west (the USA) to the far east (Japan).

How does it work?

The FBI found that these gangs use a variety of TTPs in their attacks. 82% of breaches occurred via phishing, which let the attackers use malicious attachments to infiltrate critical systems and then use Remote Desktop Control to move laterally across the network.

The ransomware encrypts critical files and then distributes two malicious scripts (hive.bat and shadow.bat) for cleanup. After that, the operators threaten victims with the leakage of their files on the dark web via HiveLeaks. They always leave a ransom note in each affected directory with instructions for obtaining the decryption software.

They communicate the ransom amount and payment deadline to the victim over live chat. They negotiate the ransom demands in U.S. dollars, with the initial amount ranging from several thousand dollars to millions, and demand payment in bitcoin.
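Two on-disk traces described above (the hive.bat and shadow.bat cleanup scripts, and one ransom note dropped into every affected directory) can be hunted for with a simple filesystem sweep. The script below is an added example written for this post, not code from the Hive operators or from any vendor; the script names come from the post, while the ".txt note smaller than 16 KB", the "same file in at least 3 directories" threshold, and the sample folder tree it builds are assumptions made for the demonstration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# hive.bat / shadow.bat come from the post; the note filename pattern and the
# "same file in N directories" threshold are assumptions made for this example.
CLEANUP_SCRIPTS = {"hive.bat", "shadow.bat"}
NOTE_THRESHOLD = 3


def scan_tree(root, note_threshold=NOTE_THRESHOLD):
    """Walk `root` and return two lists worth triaging:
    - cleanup_scripts: paths of files named hive.bat or shadow.bat
    - repeated_notes: (filename, sha256) of small .txt files that are
      byte-identical in at least `note_threshold` directories, which is how
      a ransom note dropped into every affected directory looks on disk.
    """
    scripts = []
    seen = defaultdict(set)  # (name, sha256) -> directories containing it
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in CLEANUP_SCRIPTS:
                scripts.append(path)
                continue
            if not name.lower().endswith(".txt") or os.path.getsize(path) > 16_384:
                continue
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            seen[(name, digest)].add(dirpath)
    repeated = sorted(key for key, dirs in seen.items() if len(dirs) >= note_threshold)
    return {"cleanup_scripts": sorted(scripts), "repeated_notes": repeated}


def build_sample_tree():
    """Constructed sample data: four folders, each with one unique user file and
    the same made-up note text; the first folder also holds the two scripts."""
    root = tempfile.mkdtemp(prefix="hive-demo-")
    for i in range(4):
        folder = os.path.join(root, f"share{i}")
        os.makedirs(folder)
        with open(os.path.join(folder, f"report{i}.txt"), "w") as fh:
            fh.write(f"quarterly figures {i}\n")  # differs per folder, so not a note
        with open(os.path.join(folder, "README_NOTE.txt"), "w") as fh:
            fh.write("constructed note text, identical in every folder\n")
    for script in CLEANUP_SCRIPTS:  # placeholder contents, not the real scripts
        with open(os.path.join(root, "share0", script), "w") as fh:
            fh.write("rem placeholder\n")
    return root
```

Running `scan_tree(build_sample_tree())` flags both scripts and the one note file that repeats across all four folders, while the per-folder report files are ignored.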

Prevention

General methods to combat a ransomware attack are as follows:
  • Mandate strong password policies and multi-factor authentication for all critical services.
  • Use updated, modern Identity and Access Management (IAM) tools.
  • Employ advanced endpoint security products on all endpoints.
  • Regularly update all software and operating systems.
  • Adopt a least-privilege approach to security, including removing all unnecessary access to administrative shares and other services.
  • Maintain a solid backup strategy, including offline, encrypted, and immutable backups of data.
