If the FBI and Europol had infiltrated Hive in July, why was the takedown now? Sure, they intercepted encryption keys, but they allowed hundreds of orgs to be victimized costing untold millions of dollars in damages. Combined with the lack of arrests, can it be justified as having been worth it in the end? #InfoSec #HiveRansomware
Woke up to some interesting news today. It would appear that the #HiveRansomware Gang has been taken down. https://www.scmagazine.com/analysis/ransomware/notice-on-hive-ransomware-site-claims-seizure-by-fbi-europol?external_id=HBwZ-n4B490LDY0Z-dKj&external_id_source=mrkto&mkt_tok=MTg4LVVOWi02NjAAAAGJjgDjxI7Quxnvn1dDKVtkFHU7zdk93j0TL7ocD2SwuAAcr1k2YbWxSGv7tfEHn6GOvCcebcAwc3X5co3AlFFNixo9Hty9BWX4VsvTCEiG_Q
I checked around some #DarkWeb forums, and it would appear this actually happened in a joint, international effort. The #USDOJ claims to have "hacked the hackers", taken down their #TOR site, and apparently #decrypted 1500 companies. If it sticks, this is a big win for the #GoodGuys. Bye bye #Hive!
Check out the latest cybersecurity news you need to know in today's Metacurity. Lead items via @seanhollister @serghei @nakashimae @timstarks @billtoulas
@kevincollier @nateschweber @alng @snlyngaas @jaypeters
#northkorea #eufy #blackcatransomware #Hiveransomware #infosec #cybersecurity
https://metacurity.substack.com/p/north-korea-hackers-stole-625-million
I have been seeing A LOT of verified compromises circulating on hacker forums because of #BlackCat, #LockBit, #HiveRansomware, #Mallox, #BlackBasta, #RoyalRansomware, #BianLian, #CubaRansomware, #BloodyRansomwareGang, #RansomEXX - I'm talking multiple terabytes of data, hundreds of millions of account details, across pretty much every single sector. Most common method of infection? #BusinessEmailCompromise! Be super mindful of the links you click on, the attachments you download, and the sites you visit.
Additional coverage and attribution to #HiveRansomware:
SentinelOne: https://www.sentinelone.com/labs/driving-through-defenses-targeted-attacks-leverage-signed-malicious-microsoft-drivers/
Mandiant: https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware
S1 observed "deployment of Hive ransomware against a target in the medical industry" :blobcatnotlikethis:
HIVE v5 file decryptor on GH:
#ransomware #hive #hiveransomware
#CISA advisory with @FBI and @HHSGov that provides technical details and #IOCs on #HiveRansomware.
Since this is an @ioc.exchange, here's a list of TTPs and IOCs from CISA/FBI/HHS for #HiveRansomware published today: https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
Two new fully undetected ESXi #HiveRansomware samples uploaded to VirusTotal:
https://www.virustotal.com/gui/file/f3e906f6f266737314886d829741d80a624d406ca22910fea45633a0dd7200c4
https://www.virustotal.com/gui/file/80adf4f637351479d72866122d9e15765d36d212c4ef2542576603d686dfd838
Some very nasty string obfuscation.
Procedure is a little different for each string, complicating static signature writing.