HHS Warns About Hive Ransomware Attacks on Healthcare Sector

About the modus operandi

• The HHS claimed the Hive ransomware group to be the fourth most active ransomware group in the cybercriminal ecosystem.
• Its operations include conducting double extortion against organizations and leaking the stolen data on the dark web.
• The threat actors operate via the Ransomware-as-a-Service (RaaS) model that enables them to focus on the development and operations of ransomware while the affiliates use it to launch attacks.
• The initial stage of the infection chain is achieved through phishing or endpoints (RDP and VPN) that are exposed to the internet.
• Once executed, the ransomware searches systems for applications and processes with backup data and terminates or disrupts them. This includes deleting shadow copies and system snapshots.

Hive undergoes major changes

• The HHS also highlighted the recent major changes observed in the Hive ransomware as threat actors tried to replicate the practices and features of the BlackCat ransomware.
• This included the removal of Tor negotiation URLs from the encryptor to prevent security researchers from extracting the ransom note and listening to negotiations.
• The operators also extended their targets to Linux and FreeBSD systems by further developing encryption algorithms.
• A new obfuscation technique called IPfuscation was also adopted by the attackers to evade detection during the infection process.

Final words