Various ransomware gangs target specific industries and demand a ransom to prevent disruption of services. While this is a nightmare for healthcare, the Hive ransomware gang has emerged, carrying out several attacks this year alone. It's a particularly nasty example of ransomware.
And, to address the severity of the concern, the FBI put out a public statement with technical information about Hive ransomware. So how does Hive ransomware work? And how can you protect yourself?
What Is Hive Ransomware?
Hive ransomware got the spotlight in June 2021. Unlike some other ransomware attacks, this is believed to be affiliate-based ransomware. In other words, it uses a Ransomware-as-a-Service model.
Any criminal could perform ransomware attacks and profit from them using this business model without knowing how it all works. Yes, without knowing a single line of code, an attacker can start performing ransomware attacks.
The FBI Warns About Hive Ransomware
Recently, the ransomware group hit the Memorial Health System on August 15, which forced them to cancel surgeries and divert patients for a while.
And so, the FBI posted an alert for the public to know what to look out for and keep an eye out for the notorious Hive ransomware group.
Here’s How Hive Ransomware Works
Hive ransomware applies a wide variety of tactics, techniques, and procedures (TTPs) to ensure that the attack is effective.
It takes the traditional approach of phishing to affect a system, where you can expect a malicious file attached in an email. The file may look harmless, but the ransomware gets to your system and starts working as soon as you access it.
Hive ransomware also scans your system for any processes related to backing up, antivirus or any other security protection, and file copying. And then it terminates all such processes to sink the defense mechanisms.
Once infected, it encrypts files in the network and demands a ransom along with a warning to leak the files to its “HiveLeaks” portal, which you can only access via the Tor browser.
You can spot the affected files with a .hive extension. The Hive ransomware also slips a .bat script in the affected directory to clean up the files after the encryption is complete.
After the clean-up of your original files, a second shadow.bat script is also dropped by the ransomware to clean any shadow or backup copies of your data found.
Everything happens without notifying the user. So you will only realize its presence when you come across a directory with .hive encrypted files. You will further notice a text file that instructs you on how to decrypt the files. This will take you to a sales department link, accessible through the Tor browser, connecting you to the ransomware attackers for a live chat.
You will then have two to six days to pay the ransom. They could extend it if you are in the progress of negotiating with them.
How to Stay Safe From Hive Ransomware
Hive ransomware relies on phishing emails to fool users with legitimate software that could be essential for your enterprise. For instance, you can be encouraged to download a 7zip executable file (legit software) and get affected by the ransomware.
The attackers also seem to use file-sharing services like MEGA, SendSpace, and similar alter while making the file link look harmless and trustworthy.
So keep an eye out for suspicious links. You also need to verify and confirm before downloading any executable files to your computer. Don't click on anything you're not 100 percent sure about.
In addition to that, you should utilize the cloud or a separate storage drive (not connected to your network) to back-up all your critical data to avoid paying the ransom.