Authorities from the FBI are warning about a new ransomware group, tracked as Hive, which was behind the recent attacks on multiple health care systems. The Hive ransomware gang took down IT systems at Memorial Health System, disrupting health care services and risking the lives of several patients. First observed in June 2021, Hive ransomware operates as an affiliate-based ransomware service.
In its alert, the FBI said that the Hive gang uses multiple tactics, techniques, and procedures (TTPs) to compromise targeted networks. The group is known to leverage various phishing lures with malicious attachments to gain access to critical systems and then uses Remote Desktop Protocol (RDP) to move laterally across the network.
Hive Ransomware Attack Procedure
After encrypting critical files, the Hive ransomware deploys two malicious scripts – hive.bat and shadow.bat – to perform cleanup after the encryption process. The threat actors then threaten to leak the victim's data on their dark web site, HiveLeaks. “After compromising a victim network, Hive ransomware actors exfiltrate data and encrypt files on the network. The actors leave a ransom note in each affected directory within a victim’s system, which provides instructions on how to purchase the decryption software,” the FBI said in its alert.
Hive Ransom Note
Your network has been breached, and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data or prevent exfiltrated files from being disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software.
The attackers also provided specific guidelines on how to obtain the decryption key.
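The alert gives responders two concrete artefacts to hunt for: the hive.bat and shadow.bat cleanup scripts, and a ransom note dropped into every encrypted directory. The following triage script is an added example, not FBI or Hive code; it walks a volume and reports both artefacts, matching notes on phrases from the quoted note text rather than on a filename (the note filename HOW_TO_DECRYPT.txt and the .encrypted suffix in the constructed sample tree are placeholders, not values from the alert).

```python
import os
import tempfile
from pathlib import Path

# Artefacts named in the FBI description of Hive: two cleanup batch scripts
# and a ransom note left in each directory that was encrypted.
CLEANUP_SCRIPTS = {"hive.bat", "shadow.bat"}
NOTE_PHRASES = (  # taken from the ransom note text quoted in the alert
    "your network has been breached",
    "purchase our decryption software",
    "hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion",
)

def looks_like_hive_note(path: Path) -> bool:
    """True when a small text file contains at least two of the note phrases."""
    try:
        if path.stat().st_size > 64 * 1024:   # ransom notes are small text files
            return False
        text = path.read_text(errors="ignore").lower()
    except OSError:
        return False
    return sum(p in text for p in NOTE_PHRASES) >= 2

def scan_tree(root) -> dict:
    """Walk a host volume or share and return the Hive artefacts found."""
    found = {"scripts": [], "notes": [], "note_dirs": set()}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath, name)
            if name.lower() in CLEANUP_SCRIPTS:
                found["scripts"].append(str(p))
            elif looks_like_hive_note(p):
                found["notes"].append(str(p))
                found["note_dirs"].add(dirpath)
    found["note_dirs"] = sorted(found["note_dirs"])   # one entry per affected directory
    return found

def build_sample_tree() -> str:
    """Constructed test data: a throwaway tree mimicking a post-encryption host."""
    root = tempfile.mkdtemp(prefix="hive_demo_")
    note = ("Your network has been breached, and all data were encrypted.\n"
            "To decrypt all the data you will need to purchase our decryption software.\n")
    for sub in ("finance", "finance/2021", "hr"):
        d = Path(root, sub)
        d.mkdir(parents=True, exist_ok=True)
        (d / "HOW_TO_DECRYPT.txt").write_text(note)      # placeholder note filename
    Path(root, "hr", "report.docx.encrypted").write_bytes(b"\x00" * 32)  # placeholder
    Path(root, "Windows", "Temp").mkdir(parents=True)
    Path(root, "Windows", "Temp", "shadow.bat").write_text("rem cleanup placeholder\n")
    Path(root, "readme.txt").write_text("Quarterly planning notes, nothing unusual.\n")
    return root

if __name__ == "__main__":
    r = scan_tree(build_sample_tree())
    print(f"{len(r['scripts'])} cleanup script(s); notes in {len(r['note_dirs'])} directories")
```

Point scan_tree at a mounted forensic image or a file share to enumerate how many directories the encryption touched before deciding on restore scope.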
Say No to Ransom: FBI
Paying a ransom may encourage threat actors to continue their extortion activities, and it does not guarantee the recovery of encrypted files. While the FBI does not encourage paying ransoms to cybercriminals, it urges victims to report ransomware attacks as they happen.
“FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers. Whether you or your organization decide to pay the ransom, the FBI urges you to report ransomware incidents to your local field office. Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable under U.S. law, and prevent future attacks,” the FBI added.
The FBI also recommended specific security measures to reduce exposure to ransomware. These include:
- Back up critical data offline.
- Ensure copies of critical data are in the cloud or on an external hard drive or storage device.
- Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the data resides.
- Use two-factor authentication with strong passwords, including for remote access services.
- Monitor cyber threat reporting regarding the publication of compromised VPN login credentials and change passwords/settings if applicable.
- Keep computers, devices, and applications patched and up-to-date.
- Install and regularly update anti-virus or anti-malware software on all hosts.
The FBI asked organizations to report any suspicious activity on their network systems to their local FBI field office at www.fbi.gov/contact-us/field-offices.