The FBI has investigated the operations of the Hive ransomware group. It found that more than 1,300 companies worldwide were harmed and about 100 million dollars were extorted. Media Markt and Saturn were prominent victims in Germany.
The FBI has issued a Cybersecurity Advisory (CSA) based on its investigation into Hive ransomware. The indicators, insights and references it contains are valuable to network defenders. The findings were published on CISA's Stop Ransomware project page.
Loot of $100 million
As of November 2022, Hive ransomware actors have harmed over 1,300 companies worldwide and received around $100 million in ransom payments, according to the FBI. In November 2021, Hive launched cyber attacks against Media Markt and Saturn and blackmailed them. Hive ransomware follows the ransomware-as-a-service (RaaS) model, in which developers create, maintain and update the malware while affiliates (partners) carry out the ransomware attacks.
From June 2021 through at least November 2022, threat actors deployed Hive ransomware to target a wide range of businesses and critical infrastructure, including government facilities, communications facilities, critical manufacturing facilities, information technology, and most notably healthcare and social services.
Classic attack scenarios
The method of initial intrusion depends on which affiliate is attacking the network. Hive actors have gained initial access to victim networks by logging in via Remote Desktop Protocol (RDP), virtual private networks (VPNs) and other single-factor remote network connection protocols.
In some cases, Hive actors have bypassed multi-factor authentication (MFA) and gained access to FortiOS servers by exploiting the CVE-2020-12812 vulnerability. This vulnerability allows a malicious cyber actor to log in without being prompted for the user's second factor of authentication (FortiToken) if the actor changes the case of the username.
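The flaw class behind that bypass, modelled as an added example (not code from the advisory or from Fortinet): a password check that treats usernames case-insensitively while the second-factor policy is looked up by exact spelling, next to a hardened flow that canonicalises the username once and fails closed. All users, passwords and policy entries are constructed.

```python
# Added example, not from the CISA/FBI advisory or from any vendor code.
# Toy model of an MFA-policy lookup that is case-sensitive while the
# password check is not: a user spelled "Alice" passes the password step
# but finds no MFA entry under that spelling, so the second factor is skipped.

from dataclasses import dataclass

# Constructed user store and MFA policy table.
USERS = {"alice": "correct horse battery staple"}
MFA_REQUIRED = {"alice": True}


@dataclass
class AuthResult:
    granted: bool
    second_factor_checked: bool


def _password_ok(username: str, password: str) -> bool:
    # The directory treats usernames as case-insensitive (constructed).
    return USERS.get(username.lower()) == password


def login_vulnerable(username: str, password: str, token_ok: bool) -> AuthResult:
    """Flawed flow: MFA policy keyed on the raw username string."""
    if not _password_ok(username, password):
        return AuthResult(False, False)
    if MFA_REQUIRED.get(username, False):   # exact-case lookup, defaults to "not required"
        return AuthResult(token_ok, True)
    return AuthResult(True, False)          # no policy found -> second factor skipped


def login_hardened(username: str, password: str, token_ok: bool) -> AuthResult:
    """Fixed flow: canonicalise once, use the canonical name everywhere, fail closed."""
    user = username.casefold()
    if not _password_ok(user, password):
        return AuthResult(False, False)
    # Unknown policy means MFA is required, not skipped.
    if MFA_REQUIRED.get(user, True):
        return AuthResult(token_ok, True)
    return AuthResult(True, False)
```

The same normalisation should be applied wherever the username is used as a key, including audit logs, so that a login without a second factor for an MFA-enrolled account is visible to detection rather than hidden under a differently cased name.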
Hive actors have also gained initial access to victim networks by distributing phishing emails with malicious attachments and exploiting the following vulnerabilities in Microsoft Exchange servers.
More at CISA.gov.com