Day 2: Hive Ransomware

Hive ransomware implements a phishing email attack to access a victim’s environment or download the malicious payload. Once the payload is downloaded, Hive seeks processes related to backups, anti-virus/anti-spyware, and file copying, and terminates the processes to begin file encryption. The encrypted files are most commonly identified with the extensions above. Hive then drops a script into the directory which forces an execution timeout delay of one second to perform cleanup after encryption is complete by deleting the Hive executable and hive.bat script. 

A second file, shadow.bat, is dropped into directory to delete shadow copies, including disc backup copies without victim detection and then deletes the shadow.bat file. During the encryption process, files are renamed with a double final extension of .key.hive or .key. 

The ransom note is dropped into each affected directory and states the .key file cannot be modified, renamed, or deleted, otherwise the encrypted files cannot be recovered. The note contains a “sales department” link, accessible through a TOR browser, which allows victims to contact threat actors through a chat box. Hive attempts to make their operation feel like it’s a regular business model.

There have been reports of victims receiving phone calls from the threat actors with requests of payments for their files. The usual proposed deadlines for payment goes from 2 to 6 days on average but is extended when contact is made by the victim. In attempts to persuade the victims into paying the ransom, Hive mentions in their ransom note that victims who have not paid the ransom demand.