Since July 2021, the Hive ransomware group has victimized over 1,300 companies worldwide and received about $100 million in ransom payments, according to the Federal Bureau of Investigation (FBI).
In a Nov. 17 joint Cybersecurity Advisory (CSA), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the FBI warned organizations of the threat actor’s tactics used to extort millions of dollars in ransom payments as of November 2022.
“From June 2021 through at least November 2022, threat actors have used Hive ransomware to target a wide range of businesses and critical infrastructure sectors, including government facilities, communications, critical manufacturing, information technology, and especially healthcare and public health,” the CSA says as part of the latest push in the agencies’ #StopRansomware campaign.
More recently, Hive took credit for an attack against Guilford College in North Carolina, but according to the CSA, the ransomware group is known for targeting healthcare organizations.
Last year the group claimed multiple healthcare victims, including an attack on Memorial Health System that resulted in appointment cancellations and clinical disruptions. The Ohio and West Virginia hospital system ended up paying a ransom to the attacker.
While the agencies do not recommend that organizations ever pay a ransom, the CSA warned that Hive actors have been known to reinfect victims’ networks after they have been restored following an attack.
The three agencies found that Hive actors gain initial access to networks by using single factor logins via Remote Desktop Protocol, virtual private networks, and other remote network connection protocols, bypassing multifactor authentication (MFA), and phishing emails.
FBI, CISA, and HHS recommended that all organizations – especially those in the healthcare sector – implement a variety of mitigations to reduce risk.
Healthcare organizations should install updates for software, firmware, and operating systems as soon as they are released, require phishing-resistant MFA, and maintain offline data backups. In addition, organizations were encouraged to ensure all backup data is encrypted and install and regularly update antivirus software.
The Federal agencies also urged organizations to prepare for cyber incidents by reviewing the security postures of third-party vendors, documenting external remote connections, and implementing a recovery plan. In the event of a Hive ransomware attack, organizations should isolate infected systems, secure backups, and turn off other computers and devices to manage the attack.
