HHS Underscores Risk of Hive Ransomware

April 20, 2022 - HHS’s Health Sector Cybersecurity Coordination Center (HC3) issued an analyst note regarding Hive ransomware group, the notorious cybercrime group responsible for multiple attacks against the healthcare sector.

“Hive is an exceptionally aggressive, financially-motivated ransomware group known to maintain sophisticated capabilities who have historically targeted healthcare organizations frequently,” the note warned.

“HC3 recommends the Healthcare and Public Health (HPH) Sector be aware of their operations and apply appropriate cybersecurity principles and practices found in this document in defending their infrastructure and data against compromise.”

Hive claimed responsibility for an August 2021 attack against Memorial Health System that impacted 215,000 individuals and resulted in data exfiltration. Hive was also tied to a September 2021 cyberattack at Missouri Delta Medical Center, and HC3 identified the group as one of the top US healthcare ransomware threats in Q3 2021.

In March 2022, Hive claimed responsibility for stealing 850,000 records containing personally identifiable information (PII) from Partnership HealthPlan of California.

In its latest analyst note, HC3 noted that Hive frequently conducts double extortion and operates via the ransomware as a service (RaaS) model, allowing them to obtain access to victim infrastructure along with their affiliates.

The group uses Golang, a language used to develop malware, and frequently leverages RDP and VPN compromise and phishing. The group is known to search victim systems for processes responsible for backing up data and subsequently disrupt them by deleting shadow copies and system snapshots.

Experts also observed Hive replicating the practices of Black Cat operators.

“Hive removed Tor negotiation URLs from their encryptor to prevent security researchers from extracting the ransom note and listening in on negotiations, something which is known to have happened to other ransomware operators in the past,” HC3 found.

Hive typically ends its encrypted files with a .hive, .key.hive, or .key extension.

“Much of Hive’s operations are standard practice amongst ransomware operators,” HC3 stated. “However, they also have a set of unique capabilities which make them especially noteworthy.”

As mentioned in the Federal Bureau of Investigation’s (FBI) August 2021 flash alert, Hive uses a variety of tactics, techniques, and procedures (TTPs), making mitigation and defense efforts difficult.

“When defending against Hive or any other ransomware variant, there are standard practices that should be followed. Prevention is always the optimal approach,” HC3 advised.

Organizations should leverage multifactor authentication (MFA), strong passwords, and data backups. Specifically, HC3 recommended that organizations adopt the 3-2-1 rule for data backups, meaning that organizations should back up data in three different locations, on two forms of media, and with one of them stored offline.

Continuous monitoring and a robust vulnerability management program are also crucial mitigation tactics, along with endpoint security measures. HC3 directed organizations toward a method for recovering the private key for decryption discovered by Cornell University researchers but noted that Hive has likely adapted its tactics to remain a significant and unpredictable threat to the US healthcare sector.