The Hive ransomware group has exploited more than 1,300 companies, a new joint alert warns, netting about $100 million in payments. The group has particularly focused on the health sector. (Photo by Chip Somodevilla/Getty Images)

A new joint alert details the spate of cyberattacks and data extortion efforts of the Hive ransomware group to support entities with identifying known IOCs and attack methods, with a particular focus on the health and public health sectors.

The FBI, Cybersecurity and Infrastructure Security Agency, and the Department of Health and Human Services warn that as of this month, Hive actors have successfully exploited more than 1,300 companies globally and nefariously earned about $100 million in ransom payments for their efforts.

Just six months ago HHS warned healthcare that Hive is exceptionally aggressive in its attacks against the healthcare sector. The alert followed the attack and subsequent outage against Partnership HealthPlan in May of this year.

Hive “follows many of the typical practices, including infection vectors, ransom note, data exfiltration and double extortion and maintaining a name-and-shame dark website,” according to the earlier HHS alert. “They also have a set of unique capabilities that make them especially noteworthy.”

The group follows a ransomware-as-a-service (RaaS) model, wherein the developers create and update the malware for affiliate members to deploy the cyberattacks.

Since June 2021, the model has been used to target a range of industries, including critical infrastructure organizations like healthcare. Its first healthcare victim was Memorial Health System in August 2021, which led to emergency care diversion and downtime procedures. Hive later posted healthcare data tied to 200,000 patients, allegedly stolen ahead of the attack.

Access is gained in various ways, including the use of single-factor logins to Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote connection protocols. But the group is also known to bypass multi-factor authentication against known vulnerabilities in FortiOS servers.

The threat actors commonly leverage phishing emails and exploit Microsoft Exchange Server flaws, as well. What makes Hive so successful is the group’s ability to evade detection before deploying the ransomware payload.

During the dwell time, the group works quickly to determine backup processes, security tools, and files, “then terminating those processes to facilitate file encryption.” The actors also remove virus definitions and disable antivirus programs in the system registry, before exfiltrating data.

Further, the key required for decryption “only exists on the machine where it was created and cannot be reproduced.” The ransom note “contains a ‘sales department’ .onion link accessible through a TOR browser, enabling victim organizations to contact the actors through a live chat panel to discuss payment for their files.” But Hive is also known to call or email victims.

Perhaps more concerning, these actors are known to reinfect the networks of their victims, particularly those “who have restored their network without making a ransom payment.”

All organizations, “especially healthcare and public health,” are being urged to implement the report’s recommendations to reduce the likelihood and impact of a Hive ransomware incident and to report known compromises to their local field office. The report includes highly specific tactics deemed effective in the fight against Hive actors.

The alert comes on the heels of the recent Hive leak of Lake Charles Memorial Health System, as reported by an industry report and confirmed by local media outlets after the leak was publicized. In a statement, LCMH confirmed they “quickly identified and blocked” suspicious activity on its network, but no patient care or clinical operations were impacted.

Despite the reported short-lived dwell time, Hive actors were able to exfiltrate some patient information. The hospital is working with local law enforcement on its investigation and reported the incident to the FBI, as recommended.

Hendry Regional Medical Center and Southwell, Inc. were also listed on the Hive leak site in the last six months.