W64/Hive.B0FF!tr.ransom
Analysis
W64/Hive.B0FF!tr.ransom is a generic detection for the Hive ransomware trojan.
Since this is a generic detection, the malware may exhibit varying behaviour.
Below are some of its observed characteristics and behaviours:
- This malware may drop any of the following file(s):
- [originalFile].exe : This file is detected as W64/Hive.B0FF!tr.ransom.
- HOW_TO_DECRYPT.txt : This file is dropped throughout the affected host's drives and serves as the ransom note.
- shadow.bat : This file is dropped by the malware, is detected as BAT/DelShad.ABB6!tr, and is used to delete the shadow copies of the affected host.
- hive.bat : This file is dropped by the malware, is detected as BAT/DelHive.DF55!tr, and is used to delete the original Hive executable and then itself (the hive.bat script).
- Files encrypted by this ransomware use the file naming format [originalFileName].[random 43 characters].hive.
- This malware intends to encrypt files of any type/extension.
- This malware was also observed to encrypt files located on shared drives within the same subnet, dropping HOW_TO_DECRYPT.txt under the network location.
- The attacker indicates the following payment site(s):
- http://hivecust[Removed].onion/
- Below is an illustration of the malware's ransom notes and other effects:
- Figure 1: Ransom note.
- Figure 2: Malware listing the actions it has performed.
- Figure 3: Malware listing the actions it has performed.
- Figure 4: Network shares are being affected as well.
- Following are some of the near/exact IOCs (file hashes) associated with this detection:
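The file naming format and dropped-file names described above can be turned into a defender-side triage check over a file listing. The script below is an added example, not part of this encyclopedia entry or of any Fortinet product; the alphabet of the 43-character token and the sample listing are assumptions.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath
# Assumption: the 43 "random" characters use a URL-safe base64 style alphabet;
# the entry gives only the length, so widen the class if your sample differs.
HIVE_NAME_RE = re.compile(r"^.+\.[A-Za-z0-9_-]{43}\.hive$", re.IGNORECASE)
# Dropped artefacts named in the entry (compared case-insensitively).
RANSOM_NOTE = "how_to_decrypt.txt"
HELPER_SCRIPTS = {"shadow.bat", "hive.bat"}

def classify_path(path):
    """Label one path as an indicator type, or return None if nothing matches."""
    name = PureWindowsPath(path).name
    if name.lower() == RANSOM_NOTE:
        return "ransom_note"
    if name.lower() in HELPER_SCRIPTS:
        return "helper_script"
    if HIVE_NAME_RE.match(name):
        return "encrypted_file"
    return None

def triage_listing(paths):
    """Summarise a listing: indicator counts, affected directories, UNC hits, verdict."""
    counts, dirs, network_hit = Counter(), set(), False
    for p in paths:
        label = classify_path(p)
        if label is None:
            continue
        counts[label] += 1
        dirs.add(str(PureWindowsPath(p).parent))
        if p.startswith("\\\\"):  # UNC path: a shared drive, as the entry describes
            network_hit = True
    # Encrypted names and ransom notes together match the described behaviour; either alone stays inconclusive.
    suspected = counts["encrypted_file"] > 0 and counts["ransom_note"] > 0
    return {
        "counts": dict(counts),
        "affected_dirs": sorted(dirs),
        "network_shares_affected": network_hit,
        "verdict": "hive_ransomware_suspected" if suspected else "inconclusive",
    }
# Constructed sample listing, not taken from a real incident.
TOKEN = "0123456789" * 4 + "abc"  # 43 characters
SAMPLE = [
    r"C:\Users\alice\Documents\budget.xlsx." + TOKEN + ".hive",
    r"C:\Users\alice\Documents\HOW_TO_DECRYPT.txt",
    r"C:\Windows\Temp\shadow.bat",
    r"\\fileserver\share\finance\report.docx." + TOKEN + ".hive",
    r"\\fileserver\share\finance\HOW_TO_DECRYPT.txt",
]
```

Feed it the output of a recursive directory listing (local drives and mapped shares) to get per-directory spread and a verdict; a plain `.hive` extension without the 43-character token is deliberately not matched.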
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
- FortiGate
- FortiClient
- FortiAPS
- FortiAPU
- FortiMail
- FortiSandbox
- FortiWeb
- Web Application Firewall
- FortiIsolator
- FortiDeceptor
- FortiEDR