The FBI has published an alert containing the technical details and indicators of compromise (IoCs) pertaining to Hive ransomware, a relatively new threat first observed in June 2021.
Officials say Hive likely operates as an affiliate-based ransomware and uses multiple tactics, techniques, and procedures (TTPs) to compromise enterprise networks. Once on a network, Hive attackers exfiltrate data, encrypt files on the network, and leave a ransom note in each affected directory on a target system.
"Hive ransomware seeks processes related to backups, anti-virus/anti-spyware, and file copying and terminates them to facilitate file encryption," officials report. "The encrypted files commonly end with a .hive extension." They also note how the ransomware drops a file into the directory to delete shadow copies, including disc backup copies or snapshots, without alerting the victim.
The ransom note contains instructions on how to buy decryption software and threatens to leak the victim's stolen data on a Tor site dubbed "HiveLeaks." A link is provided to Hive's "sales department," which is accessed via Tor and connects victims to attackers via chat. Some victims have received phone calls from Hive attackers requesting payment for their files.
The indicators shared in the alert were used by attackers during Hive ransomware attacks, officials note.
Read the FBI's full alert for more information.