The U.S. Department of Health and Human Services (HHS) has issued an alert warning healthcare entities about aggressive attacks by the Hive ransomware group. The alert documents the group's modus operandi and other malicious activities so that organizations in the Healthcare and Public Health (HPH) sector can put appropriate security measures in place to defend their infrastructure against such attacks.

About the modus operandi

  • The HHS describes Hive as the fourth most active ransomware group in the cybercriminal ecosystem.
  • Its operations include double extortion against victim organizations, with stolen data leaked on the dark web when ransoms are not paid.
  • The threat actors operate under the Ransomware-as-a-Service (RaaS) model: the core group focuses on developing and operating the ransomware, while affiliates use it to launch attacks.
  • Initial access is gained through phishing or through remote-access endpoints (RDP and VPN) that are exposed to the internet.
  • Once executed, the ransomware searches the system for applications and processes that hold backup data and terminates or disrupts them. This includes deleting shadow copies and system snapshots.
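Backup tampering of the kind described above is one of the most reliable pre-encryption signals a defender can alert on, because legitimate administrators rarely run several of these commands in a burst on one host. The following script is an added example and is not code from the HHS alert or from Cyware: it runs a small rule set over constructed process-creation events (the hosts, users, timestamps and command lines are invented) and raises a high-severity finding when multiple distinct recovery-inhibiting commands fire on a single host inside a short window. The rules, the five-minute window and the service-name keyword list are assumptions chosen for illustration; the keyword list is a placeholder to be replaced with the backup products actually deployed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed process-creation events in the shape of Sysmon Event ID 1 / Windows 4688
# records. Hosts, users, timestamps and command lines are invented for this example.
SAMPLE_EVENTS = [
    {"ts": "2022-04-18T03:12:01Z", "host": "hosp-fs01", "user": "CORP\\jdoe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2022-04-18T03:12:03Z", "host": "hosp-fs01", "user": "CORP\\jdoe",
     "cmd": "wmic.exe shadowcopy delete"},
    {"ts": "2022-04-18T03:12:04Z", "host": "hosp-fs01", "user": "CORP\\jdoe",
     "cmd": "bcdedit.exe /set {default} recoveryenabled no"},
    {"ts": "2022-04-18T03:12:06Z", "host": "hosp-fs01", "user": "CORP\\jdoe",
     "cmd": "net stop VeeamBackupSvc /y"},
    {"ts": "2022-04-18T03:12:07Z", "host": "hosp-fs01", "user": "CORP\\jdoe",
     "cmd": "taskkill /f /im sqlservr.exe"},
    # A lone shadow-storage resize in a maintenance window plus an unrelated service
    # stop: only one rule fires, so this host should get a low-severity finding.
    {"ts": "2022-04-18T22:00:00Z", "host": "hosp-dc02", "user": "CORP\\backupadmin",
     "cmd": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=20GB"},
    {"ts": "2022-04-18T22:00:10Z", "host": "hosp-dc02", "user": "CORP\\backupadmin",
     "cmd": "net stop Spooler"},
]

# Placeholder keywords for backup/database services (assumption, not from the alert);
# replace with the product and service names actually deployed.
BACKUP_SERVICE_KEYWORDS = r"(?:backup|veeam|vss|sql)"


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str      # MITRE ATT&CK technique ID
    pattern: re.Pattern


RULES = [
    Rule("vss_shadow_delete", "T1490",
         re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    Rule("vss_shadowstorage_resize", "T1490",
         re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage", re.I)),
    Rule("wmic_shadowcopy_delete", "T1490",
         re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    Rule("wbadmin_catalog_delete", "T1490",
         re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I)),
    Rule("bcdedit_recovery_disable", "T1490",
         re.compile(r"bcdedit(?:\.exe)?\s+.*?(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    Rule("backup_service_stop", "T1489",
         re.compile(r"(?:net1?(?:\.exe)?\s+stop|sc(?:\.exe)?\s+stop|taskkill(?:\.exe)?\s+.*?/im)\s+\S*"
                    + BACKUP_SERVICE_KEYWORDS, re.I)),
]


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_backup_tampering(events, window_seconds=300, min_distinct_rules=2):
    """Return one finding per host on which any rule matched.

    Severity is "high" when at least `min_distinct_rules` different rules fire on the
    same host within `window_seconds`, the burst pattern a ransomware pre-encryption
    routine produces; a single matching command is reported as "low".
    """
    hits_by_host = defaultdict(list)
    for ev in events:
        for rule in RULES:
            if rule.pattern.search(ev["cmd"]):
                hits_by_host[ev["host"]].append((_parse_ts(ev["ts"]), rule.name, ev["cmd"]))

    findings = []
    for host, hits in sorted(hits_by_host.items()):
        hits.sort()
        best = set()
        # Slide a window anchored on each hit; keep the largest set of distinct rules.
        for i, (t0, _, _) in enumerate(hits):
            in_window = {name for t, name, _ in hits[i:]
                         if (t - t0).total_seconds() <= window_seconds}
            if len(in_window) > len(best):
                best = in_window
        findings.append({
            "host": host,
            "severity": "high" if len(best) >= min_distinct_rules else "low",
            "rules": sorted(best),
            "techniques": sorted({r.technique for r in RULES if r.name in best}),
            "commands": [cmd for _, _, cmd in hits],
        })
    return findings


if __name__ == "__main__":
    for finding in detect_backup_tampering(SAMPLE_EVENTS):
        print(f"{finding['host']}: {finding['severity'].upper()} "
              f"{finding['rules']} {finding['techniques']}")
```

The windowing is what keeps false positives manageable: a single `vssadmin resize shadowstorage` from a backup administrator is worth a ticket, but the same host producing shadow-copy deletion, boot-recovery changes and backup-service stops within seconds is worth paging someone.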

Hive undergoes major changes

  • The HHS also highlighted recent major changes in the Hive ransomware, made as the threat actors tried to replicate the practices and features of the BlackCat ransomware.
  • These included removing the Tor negotiation URLs from the encryptor, to prevent security researchers from extracting the ransom note and eavesdropping on negotiations.
  • The operators also extended their targeting to Linux and FreeBSD systems by further developing their encryption code for those platforms.
  • The attackers additionally adopted a new obfuscation technique called IPfuscation to evade detection during the infection process.
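The alert names IPfuscation without describing it; public malware analyses describe the technique as storing payload bytes as arrays of IPv4 address string literals that are converted back into bytes at run time. That leaves a scannable artefact behind: an unusually long run of IPv4-looking strings packed back to back in the file, which no ordinary configuration string table produces. The scanner below is an added example and is not code from the HHS alert or from Cyware. It builds a constructed byte blob (a filler of bytes 0 to 255 standing in for encoded data, plus two ordinary DNS-server strings that must not alert) and reports runs of dotted-quad literals longer than a threshold. The 16-literal minimum run and 4-byte maximum gap are assumptions; the scanner looks only at ASCII strings (not UTF-16) and only at the IPv4 variant.

```python
import re

# ASCII dotted-quad literal with octets 0-255, not glued to neighbouring digits or dots.
_OCTET = rb"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IPV4_RE = re.compile(rb"(?<![\d.])" + _OCTET + rb"(?:\." + _OCTET + rb"){3}(?![\d.])")


def find_ipv4_clusters(blob: bytes, max_gap: int = 4, min_run: int = 16):
    """Return runs of IPv4 string literals packed back to back in `blob`.

    Consecutive literals separated by at most `max_gap` bytes (typically one NUL
    terminator) are grouped into a run; runs shorter than `min_run` are dropped so
    that a handful of genuine addresses in a string table does not alert.
    """
    runs, current, last_end = [], [], None
    for m in IPV4_RE.finditer(blob):
        if last_end is not None and m.start() - last_end > max_gap:
            if len(current) >= min_run:
                runs.append(current)
            current = []
        current.append(m)
        last_end = m.end()
    if len(current) >= min_run:
        runs.append(current)
    return [{
        "offset": run[0].start(),
        "count": len(run),
        "decoded_len": 4 * len(run),          # each dotted quad encodes four bytes
        "sample": [m.group().decode() for m in run[:3]],
    } for run in runs]


def scan_file(path: str, **kwargs):
    """Convenience wrapper for scanning a file on disk with the same thresholds."""
    with open(path, "rb") as fh:
        return find_ipv4_clusters(fh.read(), **kwargs)


# --- constructed sample input (not a real binary) -------------------------------
def _as_ipv4_literals(data: bytes) -> list[bytes]:
    """Render `data` as the dotted-quad string table the technique leaves in a binary.
    Used only to build the sample blob below; the data is filler, not a payload."""
    return [".".join(str(b) for b in data[i:i + 4]).encode()
            for i in range(0, len(data), 4)]


FILLER = bytes(range(256))   # 256 bytes of filler -> 64 literals

SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 64
    + b"This program cannot be run in DOS mode.\x00"
    + b"10.0.0.53\x00" + b"10.0.0.54\x00"           # two legitimate DNS servers: must not alert
    + b"\x00" * 32
    + b"\x00".join(_as_ipv4_literals(FILLER)) + b"\x00"
    + b"\x00" * 32
    + b"kernel32.dll\x00"
)


if __name__ == "__main__":
    for hit in find_ipv4_clusters(SAMPLE_BLOB):
        print(f"offset 0x{hit['offset']:x}: {hit['count']} IPv4 literals "
              f"({hit['decoded_len']} bytes), e.g. {hit['sample']}")
```

This is a triage heuristic rather than a signature: it is cheap to run across a file share or a quarantine folder, and a hit means "open this sample in a sandbox", not "this is Hive". Lowering `min_run` catches smaller encoded blobs at the cost of flagging legitimate address lists, which is why the sample includes a pair of DNS servers as a negative control.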

Final words

Security experts note that much of what the Hive ransomware group does is standard practice among ransomware operators. However, the group also has a unique set of capabilities that makes it especially noteworthy. Organizations must therefore have the right security measures in place to thwart such attacks, including securing endpoints, enforcing two-factor authentication together with strong passwords, and maintaining an effective data backup plan.
Cyware Publisher