Feds Warn the HPH Sector About the Aggressive Hive Ransomware Group

The Hive ransomware-as-a-service (RaaS) operation first appeared in June 2021 and has aggressively targeted the healthcare and public health (HPH) sector ever since. Between June 2021 and November 2022, the group attacked more than 1,300 organizations worldwide and collected over $100 million in ransom payments.

Victims in the HPH sector include the public health system of Costa Rica, Lake Charles Memorial Health System, Memorial Health System, Partnership HealthPlan of California, Missouri Delta Medical Center, Hendry Regional Medical Center, and Southwell. Lake Charles Memorial Health System, the target of the most recent attack this month, is still recovering. These attacks endanger patient safety and have forced hospitals to divert ambulances, postpone surgeries, delay appointments, and close urgent care facilities.

On November 17, 2022, the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the Federal Bureau of Investigation (FBI) published a joint advisory warning the HPH sector of the threat. The advisory shares indicators of compromise (IoCs) and details the tactics, techniques, and procedures (TTPs) used by the group, together with recommended mitigations for preventing, detecting, and responding to attacks.

Hive is technically capable, uses double-extortion tactics, and publishes stolen data on its leak site when victims do not pay. The group is known to attack victims again if they attempt to restore operations without paying the ransom. As a RaaS operation, Hive recruits affiliates to conduct attacks in exchange for a share of the ransom payments. Affiliates are known to have the skills needed to gain access to victims' systems.

The most common initial access methods are exploiting Remote Desktop Protocol (RDP) and other remote network connection services, compromising Virtual Private Networks (VPNs), phishing with malicious attachments, and exploiting unpatched vulnerabilities, such as the Microsoft Exchange Server vulnerabilities CVE-2021-31207, CVE-2021-34523, and CVE-2021-34473, and CVE-2020-12812 to gain access to systems running FortiOS.

Once inside, the group identifies processes related to backups, antivirus/anti-spyware, and file copying, and terminates them. The Volume Shadow Copy service is stopped and all existing shadow copies are deleted, and Windows event logs are cleared, in particular the System, Security, and Application logs. Before encryption, virus definitions are deleted and all components of Windows Defender and other common antivirus products are disabled through the system registry, and sensitive data is exfiltrated using Rclone and the Mega.nz cloud storage service. The group operates a live chat portal to negotiate with victims and has also been known to contact victims by telephone and email to discuss payment. Ransom demands can be substantial, ranging from thousands to millions of dollars.
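The pre-encryption chain described above (shadow copy deletion, event log clearing, Defender tampering, Rclone exfiltration) is far more telling when the steps are correlated per host than when each fires alone. The following is an added example written for this article, not code from the advisory or from CISA; the event records are constructed, and the flat dict layout (host, event_id, cmdline) is an assumption about how process-creation and log-clear events arrive in a SIEM.

```python
"""Correlate Hive-style TTPs per host over Windows event records.

Added example, not from the advisory. Sample events are constructed and the
flat dict layout (host, event_id, cmdline) is an assumption."""
import re
from collections import defaultdict

# Rule name -> (matching event IDs, optional command-line regex). The patterns
# mirror the TTPs the advisory describes: shadow copy deletion, event log
# clearing (1102 = Security log cleared, 104 = System/Application log cleared),
# Windows Defender disabled through the registry, and Rclone exfiltration.
RULES = {
    "shadow_copy_deletion": ({4688}, r"vssadmin.*\bdelete\b.*\bshadows\b|wmic.*\bshadowcopy\b.*\bdelete\b"),
    "event_log_cleared": ({1102, 104}, None),
    "defender_disabled_via_registry": ({4688}, r"reg(\.exe)?\s+add\b.*DisableAntiSpyware.*/d\s+1\b"),
    "rclone_exfil": ({4688}, r"\brclone(\.exe)?\s+(copy|sync|move)\b"),
}

def detect(events):
    """Return one (host, rule_name) pair for every event that matches a rule."""
    hits = []
    for e in events:
        for name, (ids, pattern) in RULES.items():
            if e["event_id"] not in ids:
                continue
            if pattern is None or re.search(pattern, e.get("cmdline", ""), re.I):
                hits.append((e["host"], name))
    return hits

def triage(events, min_rules=2):
    """Hosts on which at least min_rules distinct TTPs fired. A lone log clear
    or shadow copy deletion is noisy; several of them on one host is not."""
    per_host = defaultdict(set)
    for host, name in detect(events):
        per_host[host].add(name)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_rules}

# Constructed sample feed: ws01 shows the full pre-encryption chain, ws02 is
# benign, ws03 has a single admin log clear that should not escalate alone.
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 4688, "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "event_id": 1102, "cmdline": ""},
    {"host": "ws01", "event_id": 104, "cmdline": ""},
    {"host": "ws01", "event_id": 4688, "cmdline": 'reg.exe add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    {"host": "ws01", "event_id": 4688, "cmdline": "rclone.exe copy D:\\Finance mega:backup -P"},
    {"host": "ws02", "event_id": 4688, "cmdline": "notepad.exe report.txt"},
    {"host": "ws03", "event_id": 4688, "cmdline": "vssadmin.exe list shadows"},
    {"host": "ws03", "event_id": 1102, "cmdline": ""},
]

if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(rules)}")
```

The `min_rules` threshold is the tuning knob: raising it trades missed early-stage activity for fewer pages on routine administrative log clears.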

Healthcare providers are urged to review the joint advisory, monitor their systems using the published IoCs, harden defenses against the identified TTPs, and implement the recommended mitigations.