On November 25th, 2022, Vigilance MDR analysts alerted WatchTower researchers to an incident involving Hive ransomware. Our analysis of the kill chain revealed attackers using well-known applications, such asnet.exe, Advanced IP Scanner,WMIC.exe, and ScreenConnect for data exfiltration and lateral movement.
The FBI released a joint cybersecurity advisory warning the public about Hive ransomware activity in November 2022. According to this statement, “Hive ransomware actors have victimized over 1,300 companies worldwide, receiving approximately $100 million USD in ransom payments, according to FBI information and target wide range of businesses and critical infrastructure sectors, including Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health (HPH).”
While the Sentinel Agent can quickly detect and mitigate this threat in client environments, WatchTower will continue monitoring for signs of Hive ransomware activity and will update readers as necessary. Please read our previous coverage on Hive ransomware here, here, and here.
Technical Details: Hive Ransomware uses the following hash value -SHA1:[52da036e181189029f3f35ed4e8df6578170a862 and83f48bbbbdc48a84751f06ab27fbf6f576450e3f]