- HIVE DEFENDER ICON FOR FREE
- HIVE DEFENDER ICON FULL
- HIVE DEFENDER ICON CODE
- HIVE DEFENDER ICON WINDOWS
HIVE DEFENDER ICON FULL
Furthermore, this ransomware contains functionalities that make the execution slow, such as “wiping” the disk until it’s full to avoid file restoration. Instead, Hive creates a unique key that is eventually encrypted and written into disk, making the decryption process irreversible if this file is deleted by accident.
Usually, the encryption process implemented by ransomware in the wild is to generate a unique symmetric key for each file, that is eventually encrypted and stored along with the encrypted data, so it can be recovered later. However, the process used to encrypt the files is quite unusual. Hive is yet another ransomware group that is likely operating in the RaaS model. Once the key is loaded and decrypted, Hive scans all directories searching for encrypted files, and then proceeds with the decryption process. Both of them are packed with UPX, which is an open-source executable packer.
HIVE DEFENDER ICON WINDOWS
We have analyzed two different samples, being 32 and 64-bit Windows versions of the malware.
HIVE DEFENDER ICON CODE
The ransomware was written in Go, an open-source programming language that allows cross-compilation, meaning that the same source code can be compiled to different OS, such as Linux, Windows, and macOS.Īlthough we have only seen Windows versions in the wild at this point, we have strong indications that the group is able to infect other systems such as Linux, as well as the Hypervisor ESXi, as we will demonstrate later in the analysis. The attackers moved the Bitcoins to another wallet just a few minutes after the transaction was made by MHS.Īside from the decryptor, the attackers also promise a security report, a file tree describing all stolen data, and the logs proving that they had erased everything from their servers.
HIVE DEFENDER ICON FOR FREE
MHS tried to appeal to the attackers to provide the decrypter for free but ultimately ended up paying 1.8M, divided equally into two Bitcoin wallets. The attackers claim to have stolen patient data including names, social security numbers, dates of birth, addresses and phone numbers, and medical histories for 200,000 patients, and an additional 1.2 TB of other data. The Hive ransomware infected the Memorial Health System (MHS) on August 15, 2021. There are two websites maintained by the group, the first one is protected by username and password, accessible only by the victims who obtain the credentials in the ransom note.įigure 05. In addition to encrypting files, Hive also steals sensitive data from networks, threatening to publish everything in their HiveLeak website, hosted on the deep web, which is a common practice among ransomware working in this double extortion scheme. According to the FBI, the group uses phishing emails with malicious attachments to gain access into networks, allowing the attackers to move laterally over the network to steal data and infect more machines. On August 15, 2021, Hive ransomware was responsible for an attack against the Memorial Health System, a non-profit integrated health system with three hospitals in Ohio and West Virginia (Marietta Memorial Hospital, Selby General Hospital, and Sistersville General Hospital), causing radiology exams and surgical cases to be canceled. However, this code of ethics is not always adopted by attackers, as is the case with Hive, a new family of ransomware discovered in June 2021. For example, the BlackMatter ransomware states they are not willing to attack hospitals, critical infrastructure, defense industry, non-profit companies, and oil and gas industry targets, having learned from the mistakes of other groups, such as DarkSide, who shut down its operations after the Colonial Pipeline attack. Most ransomware groups operating in the RaaS (Ransomware-as-a-Service) model have an internal code of ethics that includes avoiding breaching some specific sectors, such as hospitals or critical infrastructure, thus avoiding great harm to society and consequently drawing less attention from law enforcement.