HHS, FBI, CISA Warn Healthcare of Ongoing Hive Ransomware Threats

November 18, 2022 - HHS, the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint cybersecurity advisory about Hive ransomware actors. The ransomware actors have been repeatedly targeting critical infrastructure, especially the healthcare sector since they were first observed in June 2021.

As of November 2022, Hive ransomware actors have victimized more than 1,300 companies globally and gained $100 million in ransom payments. The group has claimed multiple healthcare victims, including an attack on Memorial Health System in August 2021 that resulted in appointment cancellations, clinical disruptions, and EHR downtime.

“The method of initial intrusion will depend on which affiliate targets the network,” the latest advisory noted.

“Hive actors have gained initial access to victim networks by using single factor logins via Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote network connection protocols,” the latest advisory noted.”

In other cases, Hive actors have bypassed multifactor authentication (MFA), exploited vulnerabilities such as CVE-2020-12812, and distributed phishing emails with malicious attachments. These threat actors have also exploited vulnerabilities against Microsoft Exchange servers.

The advisory contains detailed indicators of compromise (IOCs) and attack techniques used by Hive actors to gain access and victimize networks.

In addition to learning about Hive IOCs, the FBI, CISA, and HHS recommended that all organizations (especially those in the healthcare sector) implement a variety of mitigations to reduce risk.

Healthcare organizations should secure and monitor RDP, install updates for software, firmware, and operating systems as soon as they are released, and maintain offline data backups. In addition, organizations were encouraged to enable PowerShell Logging and install and regularly update antivirus software.

The federal bodies also urged organizations to prepare for the event of a ransomware attack by reviewing the security postures of third-party vendors, implementing a recovery plan, and documenting external remote connections.

In the event of a Hive ransomware attack, organizations should isolate infected systems, secure backups, and turn off other computers and devices to manage the attack. Paying the ransom is also highly discouraged, as it may incentivize threat actors to continue victimizing organizations.

“This is another example of foreign-based, primarily Russian-speaking, hackers attacking U.S. health care, John Riggi, the American Hospital Association’s (AHA) national advisor for cybersecurity and risk, said in a subsequent announcement.

“Without sustained offensive cyber operations by the U.S. government against these cyber gangs, defensive measures by the health care sector will have a limited effect in mitigating the public health and safety threat posed by their ongoing ransomware attacks.”