In June 2021, Hive ransomware extorted $100 million from a thousand companies. Data from the FBI reveals that two-thirds of the ransoms were paid by small and medium-sized businesses, while 20% were paid by large corporations such as Microsoft, Apple, and Verizon. Most notably, one third of the ransoms were paid by state and federal governments in both the U.S. and other countries around the world.
How the FBI knows about the ransomware
The Fede Indicator of Compromise (IOC) is a tool developed by the FBI to help organizations identify and mitigate ransomware infections.
The IOC can be used on any computer system or device running Windows.
It will scan for indicators of ransomware activity and provide results in a report that lists the IP address, timestamp, and other information related to the potential threat.
It also includes detection signatures that match known malicious files associated with many ransomware variants including CryptoWall, CTB Locker, TorrentLocker, Locky, Cryptowall 3.0, TeslaCrypt and others.
When these files are found on your system, they are quarantined so they cannot spread and encrypt your data.
The indicator of compromise process identifies indicators when ransomware is being actively executed in memory.
The service queries all running processes, loaded modules, registered services and open ports.
While doing so, it monitors all memory changes that may indicate an active infection by executing ransomware code, continuously comparing these changes against the malware families stored locally in its memory map database, which has been indexed using static analysis techniques.
For each event that is detected and contains indicators of ransomware activity, the indicator of compromise immediately performs searches against its knowledge base to determine if there is a match.
If a possible indicator of ransomware activity matches one known to be present on the machine, then it notifies the user via an alert dialog box that provides instructions for immediate remediation steps.
The indicator of compromise does not perform any local file scanning or checking for rootkits.
What’s more, this software requires manual installation, and you must reboot after installing it.
Lastly, using the indicator of compromise is only recommended as a last resort, because it could cause more harm than good.
The Federation offered advice to those who have fallen victim: “Many companies that have been hit with ransomware follow what’s called a ‘wetted patch’ strategy,” says special agent John Demers.
“They basically wet down their systems, the entire network, in advance.” What Demers means by wetting down is flooding computers with junk traffic in order to overload them enough that they stop functioning as platforms for launching attacks like ransomware against other computers.
What type of businesses are being targeted
The FBI is warning businesses to be on the lookout for this type of ransomware.
The Fede (a.k.a. Federal Department of Cybersecurity and Infrastructure) has issued an IOC that can help organizations identify Hive ransomware on their networks or computers.
The IOC is based on a new variant of the malware called GPCode that was found in a global phishing campaign targeting company executives and financial services professionals in August 2021.
The campaign included a malicious email that mimicked banking notifications, with a ZIP file containing GPCode as an attachment.
When a user opened the attachment, it installed the malware on their machine.
If a computer has been infected with GPCode, it will not only infect other devices in the same network but also download files without authorization, log keystrokes, take screenshots and disable some security settings while encrypting data stored locally.
When finished encrypting data stored locally or across the network it will delete all shadow copies created by Windows Volume Shadow Copy Service (VSS).
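As an added illustration of the shadow-copy deletion behaviour described above (example code written for this edit, not code from the article or from the FBI’s IOC release), the following Python detector runs over constructed Sysmon-style process-creation records and flags command lines that delete or shrink VSS snapshots; the log field layout, sample paths and rule patterns are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample log lines in a Sysmon Event ID 1 (process creation) style.
# Field layout and paths are made up for this example, not taken from the article.
SAMPLE_LOGS = [
    'EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet" ParentImage=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe',
    'EventID=1 Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine="wmic shadowcopy delete" ParentImage=C:\\Windows\\Temp\\svc.exe',
    'EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin.exe list shadows" ParentImage=C:\\Windows\\System32\\cmd.exe',
    'EventID=1 Image=C:\\Program Files\\Backup\\backup.exe CommandLine="backup.exe --nightly" ParentImage=C:\\Windows\\System32\\services.exe',
    'EventID=3 Image=C:\\Windows\\System32\\svchost.exe DestinationIp=10.0.0.5',
]

# Command-line shapes that destroy or shrink VSS snapshots. Merely listing
# shadow copies is benign administration and is deliberately not matched.
SHADOW_DELETE_PATTERNS = [
    re.compile(r'vssadmin(\.exe)?\s+delete\s+shadows', re.I),
    re.compile(r'vssadmin(\.exe)?\s+resize\s+shadowstorage', re.I),
    re.compile(r'wmic(\.exe)?\s+shadowcopy\s+delete', re.I),
    re.compile(r'win32_shadowcopy.*remove-wmiobject', re.I),
]

# key=value pairs; a quoted value may contain spaces (the command line does).
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict, unquoting quoted values."""
    rec: Dict[str, str] = {}
    for m in FIELD_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        rec[key] = quoted if quoted is not None else raw
    return rec


def detect_shadow_deletion(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per process-creation event whose command line removes shadow copies."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec.get('EventID') != '1':
            continue  # only process-creation events carry a command line
        cmd = rec.get('CommandLine', '')
        for pat in SHADOW_DELETE_PATTERNS:
            if pat.search(cmd):
                alerts.append({'command': cmd, 'parent': rec.get('ParentImage', ''), 'rule': pat.pattern})
                break
    return alerts


if __name__ == '__main__':
    for a in detect_shadow_deletion(SAMPLE_LOGS):
        print(f"ALERT shadow-copy deletion: {a['command']!r} spawned by {a['parent']}")
```

In practice the parent process is the useful triage field: a snapshot deletion launched from a temporary directory, as in the first two sample records, is far more suspicious than one launched by a known backup agent.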
Furthermore, the decryption process differs between versions of Hive.
The oldest versions use RSA-2048 encryption and require a 1024-bit private key generated when installing the malware.
Some variants use AES-256 encryption with either one or two keys generated at installation time.
It’s difficult to determine which encryption scheme is being used because these keys are themselves encrypted with another 2048-bit RSA key, which isn’t publicly available.
Regardless of encryption scheme, the attacker needs both private keys for decryption purposes; one for symmetric AES-256 and one for asymmetric RSA-2048.
A full description of all versions would require reverse engineering the binaries themselves, which hasn’t been done yet because most are still circulating in active campaigns.
According to Reuters, Indicators of Compromise (IOCs) have been released so that companies can scan their networks and computers to check whether Hive is installed.
The indicator code released by Fede contains six YARA rules and five Snort rules, which should detect any currently known versions of GPCode.
How much money the gang has made
According to the FBI’s Jan. 31 update, the gang has earned over $5 million per day by extorting these companies and organizations.
In total, they have extorted over $100 million since June 2021.
Hive ransomware is an advanced form of malware that infects a victim’s computer and encrypts their data with the AES-256 encryption algorithm.
Data is only decrypted when the ransom is paid in Bitcoin or by wire transfer to a designated account.
Indicator of compromise: the malware downloads a crypter from its C2 server, which helps it bypass security software on the victim’s machine and avoid detection.
Crypters are programs designed to evade detection by antivirus programs while hiding malware executables.
If you think you may be infected with this strain of ransomware, please see our FAQ for more information about how you can recover your files without paying the ransom fee.
You may also want to check out our list of free online backup services if you don’t want to lose any data again.
It’s not just small businesses that are targeted; large multinational corporations like Lenovo, Daimler AG, Jaguar Land Rover, GE Healthcare and many others have fallen victim as well.
It appears that the hackers behind Hive finally managed to release a working version of the new variant in October 2018, taking advantage of the installation delays around Windows 10 1809 (October 2018 Update) after Microsoft withdrew it because of installation problems.
They then used this newly released variant during Black Friday in December 2018 to ensure maximum exposure, because there were plenty of unpatched computers available at the time.