The Hive ransomware variant has made its operators and affiliates around $100 million so far from over 1300 global companies, according to a new alert.
The joint advisory was released yesterday by the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS).
The estimated profits were generated by the ransomware-as-a-service (RaaS) variant over a period of around 15 months, since it was first observed in June 2021.
Victim organizations have come from a wide variety of verticals including government, communications, critical manufacturing and IT, although the group apparently has a particular focus on healthcare.
In the past, the group’s affiliates gained initial access to victim networks via phishing emails containing booby-trapped attachments that exploited Microsoft Exchange Server vulnerabilities.
They've also focused on remote desktop infrastructure.
“Hive actors have gained initial access to victim networks by using single-factor logins via Remote Desktop Protocol (RDP), virtual private networks (VPNs) and other remote network connection protocols,” the alert explained.
“In some cases, Hive actors have bypassed multifactor authentication (MFA) and gained access to FortiOS servers by exploiting CVE-2020-12812. This vulnerability enables a malicious cyber-actor to log in without a prompt for the user’s second authentication factor (FortiToken) when the actor changes the case of the username.”
Post-intrusion activity includes terminating backup and antivirus (AV) processes, removing shadow copy services and deleting Windows event logs including System, Security and Application logs.
The group also disables Windows Defender and other common AV programs via the system registry before exfiltrating and encrypting data.
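A defender-side detection example, added here and not part of the advisory or this article: it runs simple rules over constructed sample Windows events for the four post-intrusion behaviours just described (shadow copy deletion, event log clearing, Defender disabled via the registry, AV or backup processes killed) and flags a host only when several of them occur together. The command-line patterns, the Security event ID 1102 check and the backupagent.exe process name are the editor's assumptions, not indicators taken from the advisory.

```python
import re

# Constructed sample events in a simplified, normalised shape (channel, event id,
# and the command line for process-creation events). Not logs from a real incident.
SAMPLE_EVENTS = [
    {"channel": "Sysmon", "event_id": 1, "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"channel": "Sysmon", "event_id": 1, "cmdline": "wevtutil.exe cl System"},
    {"channel": "Sysmon", "event_id": 1, "cmdline": r'reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    {"channel": "Sysmon", "event_id": 1, "cmdline": "taskkill.exe /F /IM MsMpEng.exe"},
    {"channel": "Sysmon", "event_id": 1, "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
    {"channel": "Security", "event_id": 1102, "cmdline": ""},
]

# MsMpEng.exe is the Windows Defender engine process; backupagent.exe is a
# constructed placeholder for whatever backup agent an organisation runs.
PROTECTED_PROCESSES = {"msmpeng.exe", "backupagent.exe"}

# Command-line patterns for the behaviours named in the advisory. These are common
# ways of performing those actions on Windows, chosen here for illustration.
CMDLINE_RULES = {
    "shadow_copy_deletion": re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I),
    "event_log_clearing": re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+(system|security|application)\b", re.I),
    "defender_disabled_in_registry": re.compile(r"Windows Defender.*\bDisableAntiSpyware\b.*\bREG_DWORD\b.*\b1\b", re.I),
}
KILL_RE = re.compile(r"\btaskkill(\.exe)?\b.*?/IM\s+(\S+)", re.I)


def classify(event):
    """Return the set of behaviour names a single event matches."""
    hits = set()
    # Security event 1102 ("The audit log was cleared") is Windows' own record of
    # the Security log being wiped; a forwarded copy survives the local deletion.
    if event["channel"] == "Security" and event["event_id"] == 1102:
        hits.add("event_log_clearing")
    cmd = event.get("cmdline", "")
    for name, rx in CMDLINE_RULES.items():
        if rx.search(cmd):
            hits.add(name)
    m = KILL_RE.search(cmd)
    if m and m.group(2).lower() in PROTECTED_PROCESSES:
        hits.add("av_or_backup_process_killed")
    return hits


def triage(events, threshold=2):
    """Collect distinct behaviours across one host's events and flag when at least
    `threshold` of them co-occur: each alone can be routine administration, but
    several together in a short window match the pre-encryption pattern above."""
    seen = set()
    for ev in events:
        seen |= classify(ev)
    return {"behaviours": sorted(seen), "flag": len(seen) >= threshold}


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```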
The alert warned that Hive actors have been known to reinfect victim networks if organizations restored from backups without making a ransom payment.