A joint report from the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency released Thursday revealed that the Hive ransomware gang extorted more than 1,300 businesses for over $100 million in payments since June 2021.
In addition to ransoming businesses for money using ransomware, a type of malware that takes control of victims’ computer networks, the gang also downloads additional malware onto their systems if they refuse to pay up.
“Hive ransomware follows the ransomware-as-a-service (RaaS) model in which developers create, maintain, and update the malware, and affiliates conduct the ransomware attacks,” the FBI reported. “From June 2021 through at least November 2022, threat actors have used Hive ransomware to target a wide range of businesses and critical infrastructure sectors.”
Hive targeted a wide range of victims, including government facilities, communications, critical manufacturing and information technology, with a particular focus on healthcare and public health.
Hospitals are a common target for ransomware because gangs believe they are more likely to give in to demands, since the critical needs of patients put them at greater immediate risk. Examples of other ransomware attacks against hospitals include the Memorial Health System — a known Hive target — Scripps Health and United Health Services. In all of these cases, systems were knocked offline, forcing staff to use paper charts.
In most cases, the ransomware gang gains initial access to networks through a variety of intrusion methods, including exploiting exposed or weakly secured remote desktop protocol services, virtual private networking, or flaws in other remote networking protocols. In other cases, the attackers breached networks by sending phishing emails to staff carrying malicious attachments that, once opened on victims’ computers, give the attackers access to internal networks.
Once inside the network, the ransomware locks it down and encrypts storage at the site, making it impossible to use or access computers. This is where the “ransom” portion of the attack happens: the victim cannot quickly regain access to their systems without the decryption key, which the attackers hold.
“Ransomware and data extortion continue to impose massive costs on businesses, and threat actors’ tactics continue to evolve to evade defenses and inflict as much damage as possible,” Daniel Mayer, a threat researcher at Stairwell, told SiliconANGLE. “To ensure payment, we have recently observed actors dabbling in data destruction in lieu of encryption.”
Data destruction is one potential outcome if victims refuse to pay: instead of leaving the encrypted storage behind, the ransomware completely corrupts the files. According to research from Stairwell, this is a new innovation for threat actors.
Aside from seeding more malware onto victim networks, Hive also threatens to leak sensitive data — for example, customer information, patient healthcare records and the like — if victims do not pay the ransom. Hive has been known to use a dark web site “HiveLeaks” containing extortion data and anonymous file-sharing sites to disclose the information.
Mayer said that as a result, organizations must stay ahead of the curve by focusing on preventing ransomware attacks, detecting and stopping threats before they reach the point of extortion.
“This advisory further serves as a crucial reminder of the severe economic losses at risk when ransomware gangs have targeted organizations,” noted Terry Olaes, senior technical director at enterprise cybersecurity firm Skybox Security Inc. “Ensuring proper solutions are in place that are capable of quantifying the business impact of cyber risks into economic impact is essential to protecting organizations.”
On the subject of paying ransoms, the FBI and CISA stated that they do not encourage paying. “Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities,” the report stated. “Paying the ransom also does not guarantee that a victim’s files will be recovered.”