The Federal Bureau of Investigation (FBI) has issued a security alert regarding the Hive ransomware attacks, which provides technical data and indicators of compromise related to the gang's operations. The gang recently targeted Memorial Health System, which was compelled to shut down some of its activities.
The new Hive ransomware, according to John Riggi, senior advisor for cybersecurity at the American Hospital Association, is of particular concern to healthcare organizations. Hive has targeted at least 28 companies so far, including Memorial Health System, which was infected by ransomware on August 15. Across Ohio and West Virginia, the non-profit operates a number of hospitals, clinics, and healthcare facilities.
The attack, led Memorial, which is situated in Ohio, to stop user access to IT applications. All urgent surgery cases and radiology exams were canceled for August 16th, but all general care visits went through as planned. While systems were restored, staff at Memorial's hospitals - Marietta Memorial, Selby, and Sistersville General Hospital – had to rely on paper records.
Hive ransomware has been active since June 2021, and it uses a Ransomware-as-a-Service model with a wide range of tactics, techniques, and procedures (TTPs). According to government experts, the gang uses a variety of methods to infiltrate victims' networks, including phishing emails with malicious attachments to acquire access and Remote Desktop Protocol (RDP) to move around once on the network.
"After compromising a victim network, Hive ransomware actors exfiltrate data and encrypt files on the network. The actors leave a ransom note in each affected directory within a victim's system, which provides instructions on how to purchase the decryption software. The ransom note also threatens to leak exfiltrated victim data on the Tor site, 'HiveLeaks,'" the FBI explained. "Hive ransomware seeks processes related to backups, anti-virus/anti-spyware, and file copying and terminates them to facilitate file encryption. The encrypted files commonly end with a .hive extension."
Before directing victims to a link to the group's "sales department" that can be reached through a TOR browser, the alert explains how the ransomware corrupts systems and backups. The link connects victims to a live chat with the perpetrators, but the FBI reports that some victims have been called by the attackers demanding ransom. The majority of victims have a payment deadline of two to six days, however, some have been able to extend their deadlines through negotiation.