FBI Flash Alert Warns Organizations of Hive Ransomware Group

The FBI's latest flash alert warns organizations about Hive ransomware, the group responsible for a cyberattack on Memorial Health System that resulted in EHR downtime.

The FBI released a flash alert warning organizations about Hive ransomware, a hacking group responsible for the recent cyberattack on Memorial Health System in mid-August that resulted in EHR downtime, emergency room diversions, and appointment cancellations.

Hive ransomware was first detected in June 2021 and uses a variety of tactics to infiltrate networks. Most commonly, the group uses phishing emails to gain access to networks and Remote Desktop Protocol (RDP) to navigate the network once inside.

“After compromising a victim network, Hive ransomware actors exfiltrate data and encrypt files on the network,” the FBI alert explained.

“The actors leave a ransom note in each affected directory within a victim’s system, which provides instructions on how to purchase the decryption software. The ransom note also threatens to leak exfiltrated victim data on the Tor site, ‘HiveLeaks.’”

Memorial Health System, which has locations in Ohio and West Virginia, was one of Hive’s most recent victims. On August 15, the health system announced that a third party had gained unauthorized access to its network that morning. The ransomware attack resulted in appointment cancellations, clinical disruptions, and significant EHR downtime.

Bleeping Computer later reported that Hive ransomware appeared to be behind the attack. Hive’s website, hosted on the dark web, contained published links to stolen data from nearly two dozen victims that refused to pay the ransom.

“Hive ransomware seeks processes related to backups, anti-virus/anti-spyware, and file copying and terminates them to facilitate file encryption. The encrypted files commonly end with a .hive extension,” the FBI warned.
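As an added defensive example (not part of the FBI alert or this article), the following Python script shows how a responder might triage the two behaviors the alert describes: it counts files carrying the .hive extension under a file share and scans process-termination log lines for kills of backup, anti-virus, anti-spyware, or file-copy processes. The log line format, the keyword list, the process names, and the sample directory tree and log lines are all constructed assumptions for illustration, not indicators published by the FBI.

```python
"""Triage helpers for two Hive behaviors the FBI alert describes:
mass renaming of encrypted files to a .hive extension, and termination
of backup / anti-virus / anti-spyware / file-copy processes.

Added example, not code from the FBI alert or the article. The log
format, keyword list, and sample data are assumptions for illustration.
"""
import os
import re
import tempfile
from collections import Counter

# Extension the alert says encrypted files commonly carry.
ENCRYPTED_EXT = ".hive"

# Assumed keyword list for processes an intruder would stop before encrypting.
# "msmpeng" is the Windows Defender engine process; tune this list to the
# backup and endpoint products actually deployed in your environment.
PROTECTED_PROCESS_KEYWORDS = (
    "backup", "antivirus", "anti-virus", "antispyware", "anti-spyware",
    "msmpeng", "defender", "copy",
)

# Assumed log line shape (constructed for this example):
# "<ts> host=<h> event=<e> target=<process> by=<account>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"target=(?P<target>\S+) by=(?P<actor>\S+)$"
)

# Constructed sample log lines; the two terminations are what we want to flag.
SAMPLE_LOG = [
    "2021-08-15T03:12:07Z host=FS01 event=process_terminated target=BackupExecAgent.exe by=svc_maint",
    "2021-08-15T03:12:08Z host=FS01 event=process_terminated target=MsMpEng.exe by=svc_maint",
    "2021-08-15T03:12:09Z host=FS01 event=process_started target=notepad.exe by=jdoe",
    "2021-08-15T03:12:10Z host=FS01 event=process_terminated target=chrome.exe by=jdoe",
]


def count_encrypted_files(root):
    """Return (total, per-directory Counter) of files ending in .hive under root."""
    per_dir = Counter()
    for dirpath, _, filenames in os.walk(root):
        n = sum(1 for f in filenames if f.lower().endswith(ENCRYPTED_EXT))
        if n:
            per_dir[dirpath] = n
    return sum(per_dir.values()), per_dir


def flag_terminations(lines):
    """Return parsed records for terminations of protected processes."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["event"] != "process_terminated":
            continue
        target = m["target"].lower()
        if any(k in target for k in PROTECTED_PROCESS_KEYWORDS):
            hits.append(m.groupdict())
    return hits


def triage(root, lines, file_threshold=10):
    """Combine both checks into a single verdict for a responder to review."""
    total, per_dir = count_encrypted_files(root)
    kills = flag_terminations(lines)
    suspicious = total >= file_threshold or bool(kills)
    return {
        "encrypted_files": total,
        "affected_dirs": len(per_dir),
        "terminations": kills,
        "verdict": "ransomware indicators present" if suspicious else "no Hive indicators found",
    }


def build_sample_tree():
    """Construct a temporary directory mimicking a partly encrypted share (constructed data)."""
    root = tempfile.mkdtemp(prefix="hive_demo_")
    for sub, n_enc, n_plain in (("finance", 12, 1), ("hr", 3, 4)):
        d = os.path.join(root, sub)
        os.makedirs(d)
        for i in range(n_enc):
            open(os.path.join(d, f"report{i}.xlsx{ENCRYPTED_EXT}"), "w").close()
        for i in range(n_plain):
            open(os.path.join(d, f"memo{i}.docx"), "w").close()
    return root


if __name__ == "__main__":
    print(triage(build_sample_tree(), SAMPLE_LOG))
```

The file count and the process-kill check are deliberately separate signals: a single stopped backup agent can be routine maintenance, but combined with a burst of renamed files in many directories it matches the sequence the alert describes and should be escalated.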

Once the group has encrypted its victims’ files, the ransom note is dropped in the directory. If the encrypted files are renamed, deleted, or modified, they cannot be recovered. Some victims reported receiving a phone call demanding payment, and others reported communicating with the hackers through a live chat.

Typically, Hive requests that the payment be delivered within two to six days, but the deadline is often extended once the victim contacts the hackers. The ransom note usually tells victims that the group will release data online if they fail to pay the ransom.

The FBI’s alert contained a list of common indicators that may show whether a network has been compromised. Many of these indicators correspond to tools that have legitimate business purposes but that bad actors can also use to exploit an organization’s network.

The agency strongly discouraged paying a ransom and noted that paying the ransom does not guarantee that files will be recovered. It is crucial to back up critical data offline, use two-factor authentication, and keep all computers and applications patched.

In response to the alert, the American Hospital Association (AHA) relayed the information to its members and urged cooperation with the FBI.

“This new strain of ransomware may be of particular concern for health care and utilizes the ‘double extortion’ method — demand for ransom payment for decryption key to access on-site encrypted data along with ransom payment demand to prevent public release of stolen patient information,” John Riggi, AHA senior advisor for cybersecurity and risk, said in a press release.

“The FBI and AHA strongly discourage payment of ransom if at all possible. Regardless of whether you or your organization decide to pay the ransom, the FBI urges you to report ransomware incidents to your local field office. Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable under U.S. law, and prevent future attacks.”
