FBI Shares Hive Ransomware IoCs in New Alert

Hive ransomware was first spotted in June 2021 and likely operates as an affiliate-based threat.

Dark Reading Staff, Dark Reading

August 27, 2021


The FBI has published an alert containing the technical details and indicators of compromise (IoCs) pertaining to Hive ransomware, a relatively new threat first observed in June 2021.

Officials say Hive likely operates as an affiliate-based ransomware and uses multiple tactics, techniques, and procedures (TTPs) to compromise enterprise networks. Once on a network, Hive attackers exfiltrate data, encrypt files on the network, and leave a ransom note in each affected directory on a target system.

"Hive ransomware seeks processes related to backups, anti-virus/anti-spyware, and file copying and terminates them to facilitate file encryption," officials report. "The encrypted files commonly end with a .hive extension." They also note that the ransomware drops a file into the directory to delete shadow copies, including disk backup copies or snapshots, without alerting the victim.
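The behaviours the alert describes (termination of backup and anti-virus processes, bulk renames to a .hive extension, a ransom note in each affected directory) can be correlated from ordinary endpoint telemetry. The script below is an added illustration written for this article, not code from the FBI alert or from Dark Reading. Its log format, the process names, the ransom-note filename and the alert threshold are all constructed placeholders; a real deployment would substitute its own EDR fields and the backup/AV binaries actually present in the environment.

```python
"""Toy detector for the three Hive behaviours the FBI alert describes:
defence-process termination, renames to .hive, and a per-directory ransom note.

Everything below is constructed for illustration: the event format, the
process names and the ransom-note filename are NOT taken from the alert.
"""
import re
from collections import defaultdict

# Constructed stand-ins for the backup / anti-virus tooling the alert says
# Hive terminates; replace with the real binaries in your estate.
SENSITIVE_PROCESSES = {"backup_agent.exe", "av_realtime.exe", "shadow_copy_svc.exe"}

# Placeholder ransom-note filename (constructed; the alert does not name it).
RANSOM_NOTE_NAME = "RANSOM_NOTE_PLACEHOLDER.txt"

# How many distinct directories must see .hive renames before we alert.
MIN_AFFECTED_DIRS = 2

# Constructed sample telemetry in a simplified "<time> <event> <args>" format.
SAMPLE_EVENTS = [
    "2021-08-20T02:10:01 PROCESS_TERMINATED backup_agent.exe",
    "2021-08-20T02:10:01 PROCESS_TERMINATED av_realtime.exe",
    "2021-08-20T02:10:01 PROCESS_TERMINATED notepad.exe",
    r"2021-08-20T02:10:02 FILE_RENAME C:\Finance\q2.xlsx -> C:\Finance\q2.xlsx.hive",
    r"2021-08-20T02:10:02 FILE_RENAME C:\Finance\budget.docx -> C:\Finance\budget.docx.hive",
    r"2021-08-20T02:10:03 FILE_CREATE C:\Finance\RANSOM_NOTE_PLACEHOLDER.txt",
    r"2021-08-20T02:10:04 FILE_RENAME C:\HR\payroll.csv -> C:\HR\payroll.csv.hive",
    r"2021-08-20T02:10:04 FILE_CREATE C:\HR\RANSOM_NOTE_PLACEHOLDER.txt",
    r"2021-08-20T02:10:05 FILE_RENAME C:\Temp\scratch.log -> C:\Temp\scratch.bak",
]

EVENT_RE = re.compile(r"^(\S+) (\S+) (.*)$")


def parent_dir(path):
    """Directory part of a Windows path (everything before the last backslash)."""
    return path.rsplit("\\", 1)[0]


def parse_event(line):
    """Split one log line into (timestamp, event_type, argument string)."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError("unparseable event: %r" % line)
    return m.group(1), m.group(2), m.group(3)


def analyze(lines):
    """Correlate the three behaviours across a batch of events."""
    terminated = []                  # sensitive processes that were killed
    hive_renames = defaultdict(int)  # directory -> count of renames to .hive
    note_dirs = set()                # directories where the ransom note appeared

    for line in lines:
        _, event, arg = parse_event(line)
        if event == "PROCESS_TERMINATED":
            if arg.lower() in SENSITIVE_PROCESSES:
                terminated.append(arg)
        elif event == "FILE_RENAME":
            _, new_path = [p.strip() for p in arg.split("->", 1)]
            if new_path.lower().endswith(".hive"):
                hive_renames[parent_dir(new_path)] += 1
        elif event == "FILE_CREATE":
            if arg.rsplit("\\", 1)[-1] == RANSOM_NOTE_NAME:
                note_dirs.add(parent_dir(arg))

    affected = set(hive_renames)
    # Alert when encryption spans several directories and at least one of the
    # supporting behaviours (defence termination, per-directory notes) is present.
    alert = (len(affected) >= MIN_AFFECTED_DIRS
             and (bool(terminated) or affected <= note_dirs))
    return {
        "terminated_sensitive": terminated,
        "hive_dirs": dict(hive_renames),
        "note_dirs": sorted(note_dirs),
        "alert": alert,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EVENTS).items():
        print("%-20s %s" % (key, value))
```

The correlation matters more than any single signal: a lone rename to a .hive file or a single killed service is noisy on its own, but several directories encrypted in quick succession together with defence-process termination or a note in every affected directory is the pattern the alert describes, and is what the `alert` flag keys on.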

The ransom note contains instructions on how to buy decryption software and threatens to leak the victim's stolen data on a Tor site dubbed "HiveLeaks." A link is provided to Hive's "sales department," which is accessed via Tor and connects victims to attackers via chat. Some victims have received phone calls from Hive attackers requesting payment for their files.

The indicators shared in the alert were used by attackers during Hive ransomware attacks, officials note.

Read the FBI's full alert for more information.

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.
