W64/Hive.B0FF!tr.ransom

Analysis

W64/Hive.B0FF!tr.ransom is a generic detection for the Hive ransomware trojan. Since this is a generic detection, this malware may have varying behaviour.
Below are some of its observed characteristics/behaviours:

  • This malware may drop any of the following file(s):
    • [originalFile].exe : This file is detected as W64/Hive.B0FF!tr.ransom.
    • HOW_TO_DECRYPT.txt : This file is dropped throughout the affected host's drives and serves as the ransom note.
    • shadow.bat : This file is dropped by the malware, is detected as BAT/DelShad.ABB6!tr, and is used to delete the shadow copies on the affected host.
    • hive.bat : This file is dropped by the malware, is detected as BAT/DelHive.DF55!tr, and is used to delete the original Hive malware binary and then the hive.bat script itself.

  • Files encrypted by this ransomware are renamed using the format [originalFileName].[random 43 character].hive

  • This malware attempts to encrypt files of any type/extension.

  • This malware was also observed to encrypt files located on shared drives within the same subnet, dropping HOW_TO_DECRYPT.txt in the network location as well.

  • The attacker provides the following payment site(s):
    • http://hivecust[Removed].onion/

  • Below are illustrations of the malware's ransom note and other effects:
    • Figure 1: Ransom note.
    • Figure 2: Malware listing the actions it is currently performing.
    • Figure 3: Malware listing the actions it is currently performing.
    • Figure 4: Network shares being affected as well.

  • The following file hashes (IOCs) are associated with this detection:

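The file artefacts described above (the [originalFileName].[43-char].hive rename, the HOW_TO_DECRYPT.txt notes dropped per directory and on shares, and the two helper scripts) can be triaged from a plain file inventory. The following is an added example written for this entry, not Fortinet's code; the sample paths are constructed, and because the page does not state the alphabet of the 43-character token, any 43 non-dot characters are accepted (an assumption).

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from this entry; the token alphabet is assumed (any 43 non-dot chars).
HIVE_ENCRYPTED_RE = re.compile(r"^(?P<orig>.+)\.(?P<token>[^.]{43})\.hive$", re.IGNORECASE)
RANSOM_NOTE = "how_to_decrypt.txt"
HELPER_SCRIPTS = {"shadow.bat", "hive.bat"}   # detected as BAT/DelShad and BAT/DelHive

# Constructed sample inventory: a local drive plus a share on the same subnet.
TOKEN = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopq"  # 43 characters, constructed
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx." + TOKEN + ".hive",
    r"C:\Users\alice\Documents\HOW_TO_DECRYPT.txt",
    r"C:\Windows\Temp\shadow.bat",
    r"C:\Windows\Temp\hive.bat",
    r"\\fileserver\finance\budget.xlsx." + TOKEN + ".hive",
    r"\\fileserver\finance\HOW_TO_DECRYPT.txt",
    r"C:\Users\alice\Documents\notes.txt",      # untouched file
    r"C:\Users\alice\Documents\archive.hive",   # .hive but no 43-char token: not a hit
]

def classify_path(path: str):
    """Return (indicator_kind, detail) for one path, or None if it matches no Hive indicator."""
    p = PureWindowsPath(path)
    lower = p.name.lower()
    if lower == RANSOM_NOTE:
        return ("ransom_note", str(p.parent))
    if lower in HELPER_SCRIPTS:
        return ("helper_script", lower)
    m = HIVE_ENCRYPTED_RE.match(p.name)
    if m:
        return ("encrypted_file", m.group("orig"))
    return None

def triage(paths):
    """Summarise Hive artefacts across a file inventory; a single stray name is not enough."""
    summary = {"encrypted_file": [], "ransom_note": set(), "helper_script": set()}
    for path in paths:
        hit = classify_path(path)
        if hit is None:
            continue
        kind, detail = hit
        if kind == "encrypted_file":
            summary[kind].append(detail)
        else:
            summary[kind].add(detail)
    # Renamed files together with ransom notes per directory is the pattern this entry describes.
    summary["likely_hive_impact"] = bool(summary["encrypted_file"]) and bool(summary["ransom_note"])
    summary["shares_affected"] = sorted(d for d in summary["ransom_note"] if d.startswith("\\\\"))
    return summary
```

Run `triage(SAMPLE_PATHS)` over the constructed inventory to see both the local drive and the UNC share flagged, with the mis-named archive.hive and the untouched notes.txt ignored.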

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

  • FortiGate
  • FortiClient
  • FortiAPS
  • FortiAPU
  • FortiMail
  • FortiSandbox
  • FortiWeb
  • Web Application Firewall
  • FortiIsolator
  • FortiDeceptor
  • FortiEDR

Version Updates

Date Version Detail
2023-11-20 91.08976
2022-05-31 90.02802
2022-04-19 90.01542
2022-03-04 90.00167
2022-02-15 89.09653
2021-11-30 89.07343
2021-11-16 89.06936
2021-11-10 89.06750
2021-10-12 89.05871
2021-09-13 89.00890