FBI Alert: Hive Ransomware, A Particular Concern for Healthcare

Sept. 3, 2021
The FBI has issued an alert about Hive ransomware, the group that took down Memorial Health System in August; the ransomware gang is especially concerning for healthcare organizations.

As cyberattacks on health systems are now regrettably commonplace, the FBI has released an alert about the malicious Hive ransomware, the same group that took down Memorial Health System on Aug. 15.

The alert says that “Hive ransomware, which was first observed in June 2021 and likely operates as an affiliate-based ransomware, employs a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation. Hive ransomware uses multiple mechanisms to compromise business networks, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol (RDP) to move laterally once on the network.”

Further, “After compromising a victim network, Hive ransomware actors exfiltrate data and encrypt files on the network. The actors leave a ransom note in each affected directory within a victim’s system, which provides instructions on how to purchase the decryption software. The ransom note also threatens to leak exfiltrated victim data on the Tor site, ‘HiveLeaks.’”
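The behaviour the alert describes, a note dropped into every affected directory that explains how to buy the decryptor and threatens to leak stolen data, gives a defender something concrete to sweep for during triage. The following is an added example, not code from the FBI alert or the article: it walks a directory tree and reports which directories hold a small text file whose wording matches that description. The note filename, the locked-file extension and the note text in the sample tree are constructed placeholders, not Hive indicators, and the keyword heuristic is an assumption a real deployment would tune to the note text actually recovered from an incident.

```python
"""Added example (not from the FBI alert or the article): a defender-side
sweep that lists directories containing a ransom-note-like text file,
based on the alert's description of a note left in each affected
directory. Filenames, extensions and wording below are constructed
placeholders, not Hive indicators."""
import os
import re
import tempfile
from pathlib import Path

# Phrases taken from the alert's description of what the note says:
# instructions to purchase the decryption software and a threat to leak
# exfiltrated data. Constructed heuristic; tune to real note text.
NOTE_PATTERNS = [
    re.compile(r"decrypt(ion|or)", re.I),
    re.compile(r"purchase|pay", re.I),
    re.compile(r"leak", re.I),
]
MAX_NOTE_BYTES = 64 * 1024  # ransom notes are small text files


def looks_like_ransom_note(path: Path) -> bool:
    """True if the file is a small readable text file matching every pattern."""
    try:
        if path.stat().st_size > MAX_NOTE_BYTES:
            return False
        text = path.read_text(errors="ignore")
    except OSError:
        return False
    return all(p.search(text) for p in NOTE_PATTERNS)


def find_affected_directories(root: Path) -> dict[str, list[str]]:
    """Map each directory (relative to root) to the note-like files found in it."""
    hits: dict[str, list[str]] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        notes = [f for f in filenames if looks_like_ransom_note(Path(dirpath) / f)]
        if notes:
            hits[os.path.relpath(dirpath, root)] = sorted(notes)
    return hits


def build_sample_tree() -> Path:
    """Constructed sample: two 'affected' directories with a note, one clean."""
    root = Path(tempfile.mkdtemp(prefix="note_sweep_"))
    note = ("Your files are encrypted. To purchase the decryption software "
            "follow the instructions below. Stolen data will be leaked if "
            "you do not pay.\n")
    for sub in ("finance", "radiology"):
        d = root / sub
        d.mkdir()
        (d / "README_RECOVER.txt").write_text(note)          # placeholder note name
        (d / "report.docx.locked").write_bytes(b"\x00" * 32)  # placeholder extension
    clean = root / "backups"
    clean.mkdir()
    (clean / "notes.txt").write_text("Quarterly backup verification passed.\n")
    return root


def run_sweep() -> dict[str, list[str]]:
    """Build the sample tree and return the directories flagged by the sweep."""
    return find_affected_directories(build_sample_tree())


if __name__ == "__main__":
    for directory, notes in sorted(run_sweep().items()):
        print(f"{directory}: {', '.join(notes)}")
```

Run against a mounted image or a restored share, the list of flagged directories doubles as a first estimate of blast radius before any restoration is attempted; the size cap and the requirement that all three phrase groups match keep ordinary documents that merely mention "pay" or "leak" out of the results.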

An article from ZDNet by Jonathan Greig says that “Most victims face a payment deadline ranging between two and six days, but others were able to extend their deadlines through negotiation.”

Greig writes that “John Riggi, American Hospital Association senior advisor for cybersecurity, said the new Hive ransomware is particularly concerning for healthcare organizations. Hive has so far attacked at least 28 organizations, including Memorial Health System, which was hit with a ransomware attack on August 15. The non-profit runs a number of hospitals, clinics, and healthcare sites across Ohio and West Virginia.”

Memorial Health System president and CEO Scott Cantley said in a statement that staff at three hospitals—Marietta Memorial, Selby, and Sistersville General Hospital—were working with paper charts while their IT teams worked to restore their systems. Additionally, Cantley canceled all urgent surgical cases and all radiology exams for Aug. 16.

Greig reports that “In a statement three days later, Cantley said the hospital system ‘reached a negotiated solution and are beginning the process that will restore operations as quickly and as safely as possible.’”

Greig added that “He [Cantley] later admitted to The Marietta Times that the hospital paid a ransom to receive the decryption keys.”

The FBI recommends taking the following actions if your organization is impacted by a ransomware incident:

  • Isolate the infected system
  • Turn off other computers and devices
  • Secure backups
