A joint security alert has been issued to the healthcare and public health sector (HPH) warning about Hive ransomware attacks. The Hive ransomware gang has been aggressively targeting the HPH sector since at least June 2021. According to the alert, the group has generated more than $100 million in ransom payments and has attacked more than 1,300 companies. Several industry sectors have been targeted by the gang, including Government Facilities, Communications, Critical Manufacturing, Information Technology, although the gang appears to favor the HPH sector.
The alert, issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS), shares Indicators of Compromise (IoCs) and the tactics, techniques, and procedures (TTPs) observed so far in the group’s attacks to help network defenders prevent and detect attacks, along with several recommended mitigations that can reduce the severity of a successful attack.
Hive operates under the ransomware-as-a-service (RaaS) model, and as such has multiple affiliates conducting attacks, with the method of initial intrusion depending on which affiliate is behind the attack. Initial access is commonly gained through phishing emails, single-factor logins via Remote Desktop Protocol (RDP), Virtual Private Networks (VPNs), and other remote connection protocols. Some affiliates have exploited unpatched vulnerabilities in Microsoft Exchange Server such as CVE-2021-31207, CVE-2021-34473, CVE-2021-34523 and the FortiOS vulnerability CVE-2020-12812.
Once initial access has been achieved, processes related to backups are terminated along with file copying and antivirus processes to allow encryption to proceed undetected. Volume shadow copies are deleted to prevent recovery without paying the ransom, and Windows event logs are deleted, in particular System, Security, and Application logs.
The group engages in double extortion tactics and will exfiltrate files using Rclone before encrypting files. Ransom demands are then issued along with threats to sell or publish the data if the ransom is not paid. Failure to pay the ransom has seen data leaked on the group’s data leak site, and other ransomware payloads have been delivered to victims’ systems when they refused to pay the ransom.
The FBI, CISA, and HHS recommend not paying the ransom as there is no guarantee that files can be recovered and paying ransoms emboldens adversaries to target additional organizations, encourages other criminal actors to engage in the distribution of ransomware, and funds further illicit activities. Regardless of whether the ransom is paid, the FBI has requested victims share details of attacks with their local FBI field office.
The IoCs, TTPs, and recommended mitigations can be found here.