The Department of Health and Human Services' (HHS) Health Sector Cybersecurity Coordination Center (HC3) published an analyst note on April 18 warning healthcare and the public health sector of the Hive ransomware group.
The analyst note states that “Hive is an exceptionally aggressive, financially-motivated ransomware group known to maintain sophisticated capabilities who have historically targeted healthcare organizations frequently. HC3 recommends the Healthcare and Public Health (HPH) Sector be aware of their operations and apply appropriate cybersecurity principles and practices found in this document in defending their infrastructure and data against compromise.”
The Hive ransomware group was first observed in June of 2021. In September of 2021 we reported that the FBI has released an alert about the malicious Hive ransomware, the same group that took down Memorial Health System on Aug. 15. In March of 2022 we reported that the Hive Ransomware group posted on its dark website that it had stolen 850,000 personally identified information (PII) records from the Partnership HealthPlan of California. The analyst note cites a report that in its first 100 days as a group, Hive breached 355 companies.
The analyst note says that Hive’s operations include double extortion; operating as a ransomware as a service model; leveraging Golang— a language used by cybercriminals to design malware; leveraging infection vectors like RDP and VPN compromise as well as phishing; encrypting files end with a .hive, .key.hive or .key extension; making phone calls to some victims to extort ransom; and searching victim systems for applications and processes that backup data and terminate or disrupt them.
The analyst note adds that “When defending against Hive or any other ransomware variant, there are standard practices that should be followed. Prevention is always the optimal approach.”
The prevention methods in the analyst note include:
- Using two-factor authentication with strong passwords
- Sufficiently backing up data
- Continuous monitoring
- Having an active vulnerability management program
- Having thorough endpoint security