Feds warn healthcare providers of 'exceptionally aggressive' ransomware group

Although Hive has only been operational since June 2021, it has reportedly breached hundreds of organizations.
By Kat Jercich
04:18 PM


The U.S. Department of Health and Human Services' cybersecurity arm released a warning this week about the ransomware group Hive.  

Described as an "exceptionally aggressive, financially motivated ransomware group," Hive has frequently targeted healthcare organizations, said the Health Sector Cybersecurity Coordination Center in its analyst note.  

"HC3 recommends the Healthcare and Public Health Sector be aware of their operations and apply appropriate cybersecurity principles and practices found in this document in defending their infrastructure and data against compromise," said the agency.  

WHY IT MATTERS  

Hive has only been operational since June 2021, the agency explained, but it has spent the intervening months aggressively targeting the U.S. healthcare sector.   

It cited reports of Hive affiliates breaching more than 350 companies over just four months – an average of three companies a day.

The analyst note highlighted several operational features of Hive, including:

  • "Double extortion," or conducting data theft before encryption.
  • Ransomware-as-a-service model.
  • The use of the Golang language, as well as common infection vectors such as RDP and VPN compromise, along with phishing.
  • Encrypted files ending with a .hive, .key.hive or .key extension.
  • Phone calls to some victims pressuring them to pay and conduct negotiations. 

"Like some other ransomware variants, Hive searches victim systems for applications and processes which backup data and terminates or disrupts them. This includes deleting shadow copies, backup files and system snapshots," said HC3.  
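As an added illustration (not part of the HC3 note or this article), the following Python routine shows how a defender could flag the two behaviours described above in endpoint telemetry: a burst of files written with the .hive, .key.hive or .key extensions listed in the note, and commands that delete shadow copies or backup catalogs. The note names no specific commands, so the command-line patterns and the sample events are this example's own assumptions.

```python
import re
from collections import Counter

# Encrypted-file extensions named in the HC3 note. ".key" on its own is a
# generic extension, so a single match is weak evidence; alerts below are
# raised only when a host writes several such files.
HIVE_EXTENSIONS = (".hive", ".key.hive", ".key")

# The note says Hive deletes shadow copies, backup files and system snapshots
# but names no commands; these patterns are this example's own assumption
# about how such deletions typically appear in process-creation telemetry.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
]


def has_hive_extension(path: str) -> bool:
    """True if the written path ends with one of Hive's encrypted-file extensions."""
    lower = path.lower()
    return any(lower.endswith(ext) for ext in HIVE_EXTENSIONS)


def analyze_events(events, file_threshold=3):
    """events: iterable of (kind, host, detail); kind is "proc" (detail = command
    line) or "file" (detail = path written). Returns one alert string per
    shadow-copy deletion command and one per host at or above file_threshold."""
    alerts = []
    hive_writes = Counter()
    for kind, host, detail in events:
        if kind == "proc" and any(p.search(detail) for p in SHADOW_DELETE_PATTERNS):
            alerts.append(f"{host}: backup/shadow-copy deletion: {detail}")
        elif kind == "file" and has_hive_extension(detail):
            hive_writes[host] += 1
    for host, count in sorted(hive_writes.items()):
        if count >= file_threshold:
            alerts.append(f"{host}: {count} files written with Hive extensions")
    return alerts


# Constructed sample telemetry (not from the article): ws01 shows both
# indicators; ws02 only writes a harmless file with a similar-looking name.
SAMPLE_EVENTS = [
    ("proc", "ws01", "vssadmin.exe delete shadows /all /quiet"),
    ("proc", "ws01", "notepad.exe C:\\Users\\a\\todo.txt"),
    ("file", "ws01", "C:\\Users\\a\\Documents\\report.docx.hive"),
    ("file", "ws01", "C:\\Users\\a\\Documents\\budget.xlsx.hive"),
    ("file", "ws01", "C:\\Users\\a\\HOW_TO_DECRYPT.key"),
    ("file", "ws02", "C:\\Users\\b\\archive.hive.zip"),
]
```

Running `analyze_events(SAMPLE_EVENTS)` yields two alerts, both for ws01; the .hive.zip file on ws02 does not match because the extension check is on the final suffix.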

The analysts noted that although much of Hive’s operations are typical for ransomware operators, they also "have a set of unique capabilities which make them especially noteworthy" – particularly the wide variety of tactics, techniques and procedures.

HC3 advised organizations to rely on practices including two-factor authentication, sufficient data backups, continuous monitoring, an active vulnerability management program and comprehensive endpoint security.  

THE LARGER TREND  

HC3 isn't the only federal agency to sound the alarm on Hive.

Back in September, the U.S. Federal Bureau of Investigation issued a flash warning about the gang – shortly after the group attacked healthcare organizations in Missouri and Ohio.  

There are of course other bad actors out there. HC3 also issued an alert this month about Lapsus$, described as "effective, but also unprofessional and careless."  

"The geographic diversity of this group will make them especially difficult to permanently quash," HC3 said about the group.  

ON THE RECORD  

"When defending against Hive or any other ransomware variant, there are standard practices that should be followed," said HC3. "Prevention is always the optimal approach."

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.
