HHS Warns of 'Exceptionally Aggressive' Hive Ransomware
The ransomware-as-a-service group has been on a tear, compromising hospitals and healthcare facilities, since June 2021.
The U.S. government is again warning hospitals and healthcare facilities to heighten their awareness around a strain of ransomware
Just as it did earlier this year with the BlackMatter group and the Lockbit group, the United States Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) warned organizations this week about the capabilities of the Hive ransomware group and stressed they take efforts to protect themselves.
“Hive is an exceptionally aggressive, financially-motivated ransomware group known to maintain sophisticated capabilities who have historically targeted healthcare organizations frequently,” the warning reads, “HC3 recommends the Healthcare and Public Health (HPH) Sector be aware of their operations and apply appropriate cybersecurity principles and practices found in this document in defending their infrastructure and data against compromise.”
Conti has understandably commanded headlines for the wrath its incurred on the healthcare industry but operating in the background, perhaps to less fanfare, has been Hive.
Hive isn't new - it first surfaced in June 2021, the FBI warned about the ransomware two months later in August - but recent incidents, including the disruption of a Californian healthcare organization in March, have kept it on the radar of defenders.
The group has targeted entities in the healthcare sector with scores of hospitals and medical centers falling victim to the ransomware since last summer.
Recent estimates claim that affiliates peddling the ransomware impacted hundreds of companies last fall alone. In one attack, the group reportedly stole 850,000 unique records - roughly 400 gigabytes of data - from one organization. In another, it boasted stealing 119,00 files - roughly 225 gigabytes - from another facility.
Lately, the group has targeted Microsoft Exchange servers vulnerable to ProxyShell, a set of vulnerabilities uncovered last summer that allow remote code execution without authentication.
While the group has found success, it's not exactly sophisticated; its modus operandi is similar to other ransomware groups from the last few years in the sense that it carries out double extortion - stealing the data before encrypting it - and maintaining a dark web site it can use to name and shame victims. Like most ransomware groups of late, it operates as a ransomware-as-a-service, which allows the group to hire affiliates to secure access to a target while the developers focus on refining the malware.
According to the HHS warning, Hive has also taken to using some of the practices previously used by operators behind the Black Cat strain of ransomware.
It makes sense that one group would want to emulate another's tactics, techniques, and procedures (TTPs), especially when it's Black Cat. The group has made inroads of its own over the past few months, compromising at least 60 organizations worldwide, according to the FBI this week. It's also a pioneer of sorts, being the first ransomware group to use RUST, viewed by many as a safer, more reliable programming language. While the group shoots for the moon by asking for millions of dollars in Bitcoin and Monero from victims, it will often accept payments below what it demands.
HHS is encouraging defenders at hospitals and healthcare organizations to remain vigilant when it comes to ransomware like Hive. That means reviewing guidance published by the Department of Homeland Security and the Cybersecurity Infrastructure Security Agency, along with threat briefs and alerts issued by the HC3 team.
It's also stressing organizations to do the following, if they're not already, to prevent a ransomware attack:
- Use two-factor authentication with strong passwords – this is especially applicable for remote access services such as RDP and VPNs.
- Sufficiently backing up data, especially the most critical, sensitive and operationally necessary data is very important. We recommend the 3-2-1 Rule for the most important data: Back this data up in three different locations, on at least two different forms of media, with one of them stored offline.
- Continuous monitoring is critical, and should be supported by a constant input of threat data (open source and possibly proprietary as well)
- An active vulnerability management program must be comprehensive in scope and timely in implementation of the latest software updates. It should apply to traditional information technology infrastructure as well as any medical devices or equipment that is network-connected.
- Endpoint security should be comprehensive in scope and updated with the latest signatures/updates aggressively
The Definitive Guide to DLP
- The seven trends that have made DLP hot again
- How to determine the right approach for your organization
- Making the business case to executives
The Definitive Guide to Data Classification
- Why Data Classification is Foundational
- How to Classify Your Data
- Selling Data Classification to the Business