Feds Alert Healthcare, Other Sectors of Growing Hive ThreatsCISA, FBI and HHS Provide Lists of Latest IoCs and TTPs Identified
U.S. federal authorities are warning critical infrastructure sectors including healthcare to be on the lookout for indicators of Hive ransomware.
As of this month, Hive actors - who follow a Ransomware-as-a-Service model - have hit more than 1,300 companies worldwide, collecting about $100 million in ransom payments, says a Thursday joint alert from the Cybersecurity and Infrastructure Security Agency, the FBI and the Department of Health and Human Services.
The warning provides an updated list of Hive technical indicators of compromise and tactics, techniques and procedures identified through FBI investigations as recently as November 2022.
From June 2021 through this month, threat actors have used Hive ransomware to target a wide range of businesses and critical infrastructure sectors.
Healthcare is a particular favorite for Hive affiliates because hospitals and other medical providers often pay ransoms in hopes of avoiding long outages of critical IT systems for patient care, says Adam Meyers, senior vice president of intelligence at security firm CrowdStrike.
Hive threat actors also exfiltrate data, demanding ransoms for stolen records that they threaten to publish on the dark web. "These are major HIPAA concerns," and the attackers know healthcare entities often feel compelled to pay in hopes of minimizing the fallout, Meyers tells Information Security Media Group.
Hive actors negotiate ransom demands in U.S. dollars, with payments in bitcoin. Initial ransom amounts range from several thousand dollars to millions of dollars.
For organizations that have been able to restore their network without making a ransom payment, Hive actors have been known to reinfect these victims, either with Hive ransomware or a variant, the alert says.
Hive has already been the subject of federal alerts, including one issued in April by HHS' Health Sector Cybersecurity Coordination Center warning about the cybercrime operation aggressively targeting healthcare and public health sector organizations (see: HHS HC3 Warns Healthcare Sector of Hive Threats).
In the healthcare sector, the group has been linked to attacks including a ransomware assault experienced by Partnership HealthPlan of California, a nonprofit managed care health plan.
But not just entities in the U.S. healthcare and public health sector have been targeted by Hive. In late May, Costa Rica's national public health services agency was hit by a cyberattack allegedly launched by the ransomware group (see: Costa Rican Health Agency Hit by Apparent Hive Attack).
Raj Samani, senior vice president and chief scientist at security firm Rapid7, tells ISMG that his firm's research shows that between April 2020 and February 2022 the healthcare sector and pharmaceuticals industry were the sectors that suffered the most ransomware incidents. He says 71% of data disclosures in the sector involved finance and accounting data and 58% affected patient data.
Hive's method of initial intrusion depends on which affiliate targets the network. Hive actors can gain initial access to victim networks by using single-factor logins via remote desktop protocol, virtual private networks and other remote network connection protocols. "In some cases, Hive actors have bypassed multifactor authentication and gained access to FortiOS servers by exploiting CVE-2020-12812," the alert says.
"This vulnerability enables a malicious cyber actor to log in without a prompt for the user's second authentication factor (FortiToken) when the actor changes the case of the username."
Hive actors have also gained initial access to victim networks through phishing emails with malicious attachments and by exploiting vulnerabilities in Microsoft Exchange servers, the alert says.
Known Hive IoCs
"Organizations need multiple layers of defense against ransomware attacks in order to protect themselves," Samani says. "This includes not just technologies to detect potential intrusion or lateral movement but also implementing security controls should the threat remain undetected, such as the use of file encryption."