FBI Alert: Hive Ransomware, A Particular Concern for Healthcare

Sept. 3, 2021
The FBI issued an alert about Hive ransomware, which took down Memorial Health System in August; the ransomware gang is especially concerning for healthcare organizations

With cyberattacks on health systems now regrettably commonplace, the FBI has released an alert about the malicious Hive ransomware, the work of the same group that took down Memorial Health System on Aug. 15.

The alert says that “Hive ransomware, which was first observed in June 2021 and likely operates as an affiliate-based ransomware, employs a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation. Hive ransomware uses multiple mechanisms to compromise business networks, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol (RDP) to move laterally once on the network.”

Further, “After compromising a victim network, Hive ransomware actors exfiltrate data and encrypt files on the network. The actors leave a ransom note in each affected directory within a victim’s system, which provides instructions on how to purchase the decryption software. The ransom note also threatens to leak exfiltrated victim data on the Tor site, ‘HiveLeaks.’”

An article from ZDNet by Jonathan Greig says that “Most victims face a payment deadline ranging between two and six days, but others were able to extend their deadlines through negotiation.”

Greig writes that “John Riggi, American Hospital Association senior advisor for cybersecurity, said the new Hive ransomware is particularly concerning for healthcare organizations. Hive has so far attacked at least 28 organizations, including Memorial Health System, which was hit with a ransomware attack on August 15. The non-profit runs a number of hospitals, clinics, and healthcare sites across Ohio and West Virginia.”

Memorial Health System president and CEO Scott Cantley said in a statement that staff at three hospitals—Marietta Memorial, Selby, and Sistersville General Hospital—were working with paper charts while their IT teams worked to restore their systems. Additionally, Cantley canceled all urgent surgical cases and all radiology exams for Aug. 16.

Greig reports that “In a statement three days later, Cantley said the hospital system ‘reached a negotiated solution and are beginning the process that will restore operations as quickly and as safely as possible.’”

Greig added that “He [Cantley] later admitted to The Marietta Times that the hospital paid a ransom to receive the decryption keys.”

The FBI recommends taking the following actions if your organization is impacted by a ransomware incident:

  • Isolate the infected system
  • Turn off other computers and devices
  • Secure backups
