Hive ransomware group ‘exceptionally aggressive,’ HHS says in warning to health sector

Healthcare entities should ensure they’ve applied adequate cybersecurity principles and mitigation strategies to defend against the “exceptionally aggressive” Hive ransomware group, given its frequent targeting of the sector, warns an alert from the Department of Health and Human Services Cybersecurity Program.

Hive “follows many of the typical practices, including infection vectors, ransom note, data exfiltration and double extortion and maintaining a name-and-shame dark website,” according to the alert. “They also have a set of unique capabilities that make them especially noteworthy.”

The financially motivated group first emerged in June 2021 amid a period of rebranding for a number of ransomware groups aiming to evade law enforcement and takedown efforts. But in its short active period, Hive has wreaked havoc on the sector, claiming at least three healthcare victims in its first active quarter.

The cyberattack on Memorial Health System in August was one of the first healthcare victims claimed by Hive, which drove the Ohio provider into emergency care diversion and EHR downtime procedures. The group later posted healthcare data belonging to 200,000 MHS patients, allegedly stolen ahead of the attack.

The most recent incident tied to Hive was an attack and subsequent two-week network outage at Partnership HealthPlan of California.

In total, data shows Hive claimed attacks on approximately 355 companies within 100 days of operations.

HHS says to bolster preventative measures to combat Hive

The new HHS alert warns the group leverages many common ransomware tactics, including the exploit of remote desktop protocol or VPN, and phishing attacks, in addition to more aggressive methods like directly calling the victims to apply pressure and negotiate ransom payments.

Other effective tactics include searching victim’s systems tied to backups and either terminating or disrupting those connections, in addition to deleting shadow copies, backup files, and even system snapshots. Hive also conducts double extortion, data leaks, while operating as a ransomware-as-service model.

Hive uses the Golang language in their malware design and “ported their Linux VMware ESXi encryptor to Rust, making it more challenging for security researchers to analyze their operations.”

Given its tactics, HHS is urging provider organizations to bolster preventative security measures, such as two-factor authentication, strong passwords, sufficient backups of the most critical data, continuous monitoring, and “a constant input of threat data, open source and possibly proprietary as well.”

The threat analysis contains full details of Hive tactics, recommended strategies, and free ransomware resources. Healthcare entities should adopt an aggressive, proactive strategy to defend against Hive tactics, as well as other ransomware targeting given federal agencies are warning that Russia and other nation-state actors are expected to ramp up their targeting.