Hive ransomware was first observed in June 2021. The ransomware group mainly targeted the healthcare sector and runs on several platforms, including ESXi, Linux, hypervisors, and Windows. Hive wrote its ransomware in Golang. The ransomware is capable of moving laterally within the victim organization and escalating privileges in order to encrypt and steal data. The group uses phishing emails to lure its victims.
Researcher rivitna recently found that Hive's new feature set now resembles that of BlackCat/ALPHV. In a ransomware attack, the threat actor urges the victim to communicate via a given link, which contains information on the ongoing negotiations. However, if a malware sample is uploaded to a malware analysis service, security researchers can find these links and tap the communications. The BlackCat group prevented this by removing the Tor negotiation URLs from their encryptors. Hive has followed suit and now "requires the attacker to supply the username and login password as a command-line argument when launching the malware."
Another way in which Hive has copied BlackCat is by shifting from Golang to the Rust programming language.