An alert has been issued by the FBI regarding Hive ransomware after the gang crippled the networks of Memorial Health System. Hive is a relatively new ransomware that was first spotted in June this year.

Attack on Memorial Health System

  • Memorial Health System Emergency Departments faced disruption in IT operations, allowing admission to patients only suffering from strokes and trauma incidents.
  • In addition, due to the ransomware attack, the staff at three hospitals (Marietta Memorial, Selby, and Sistersville General Hospital) were forced to use paper while their systems were being restored.

About the alert 

According to the FBI, the ransomware group has been using phishing emails laden with malicious attachments for obtaining access to target networks.
  • Hive group has targeted at least 28 organizations, with most of its victims falling in the healthcare sector.
  • It damages systems and backups and then leads the victims to a link with a live chat with the individuals behind the attack.
  • Most victims face a ransom deadline of two to six days. This deadline of two to six days can be extended further by negotiating with the attackers.

According to the FBI, some victims have been called manually by the attackers to pressurize them into paying the ransom.

Modus operandi

Hive actors use RDP to move laterally inside the network.
  • After successfully penetrating the network, the attackers steal information and encrypt the targeted files. The encrypted files are renamed with the .hive extension.
  • Moreover, Hive ransomware searches for backup-related processes, anti-virus/spyware, and file copying, and terminates these processes for file encryption. 
  • They leave a ransom note in every infected directory, which provides details on how to obtain the decryption software.

Conclusion

The FBI’s warning about the Hive ransomware group recommends backing up critical data offline and in the cloud. It urges organizations to use 2FA and strong passwords, including for remote access services, wherever possible. Furthermore, a response plan in the event of ransomware attacks should be kept handy.

Cyware Publisher

Publisher

Cyware