What is Hive ransomware?

Hive ransomware is one of the new ransomware families in 2021 that poses significant challenges to enterprises worldwide.

While some ransomware groups operating as ransomware-as-a-service (RaaS) networks claim to steer clear of specific sectors such as hospitals or other critical industries to avoid causing harm to people, Hive’s attacks against healthcare providers in 2021 showed that the operators behind it have no regard for such humanitarian considerations. A hospital in Missouri suffered a Hive ransomware attack three weeks after the same group hit the integrated systems of a healthcare provider, disrupting three hospitals and many outpatient clinics in two other US states. Hive ransomware has become one of the most active ransomware families since its discovery in June 2021. To defend against this threat, it is therefore crucial for companies to be acquainted with the various mechanisms that the infamous ransomware gang uses.



What do organizations need to know about Hive?

On August 15, 2021, Hive’s ransomware attacks against a non-profit integrated health system severely disrupted the clinical and financial operations of three hospitals in Ohio and West Virginia. The attack resulted in emergency room diversions and the cancellation of urgent surgical cases and radiology examinations. The encryption of files forced the hospital staff to use paper charts. Aside from the three hospitals, the affected non-profit also runs several outpatient service sites and clinics with a combined workforce of 3,000 employees.

Hive operators used double extortion techniques in this attack. Aside from the encryption of data, they also stole patient information that they threatened to publish on HiveLeaks, their dedicated leak site. The gang shares the list of victims that have not paid the ransom on their Tor site.

The incident prompted the FBI to issue an alert in late August that detailed Hive ransomware’s indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs). According to the alert, Hive operators use phishing emails with malicious attachments to gain initial access to the system and Remote Desktop Protocol (RDP) to move laterally once on the network.
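The FBI alert above describes RDP as Hive’s lateral-movement path once inside the network. As an added example (not from the original article or from Trend Micro), the Python below flags RDP fan-out, one source opening remote-interactive sessions to many distinct hosts in a short window, over constructed logon records modelled on Windows Security event 4624 with logon type 10; the record layout, thresholds and sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security event 4624
# (successful logon). LogonType 10 = RemoteInteractive, i.e. RDP.
# Fields: timestamp, source IP, destination host, account, logon type.
SAMPLE_LOGONS = [
    ("2021-08-15T02:10:00", "10.0.5.23", "WS-FINANCE-01", "jdoe", 10),
    ("2021-08-15T02:12:30", "10.0.5.23", "SRV-FILE-02", "jdoe", 10),
    ("2021-08-15T02:14:05", "10.0.5.23", "SRV-EHR-01", "jdoe", 10),
    ("2021-08-15T02:15:40", "10.0.5.23", "SRV-BACKUP-01", "jdoe", 10),
    ("2021-08-15T09:00:00", "10.0.7.8", "WS-HR-03", "asmith", 10),
    ("2021-08-15T13:30:00", "10.0.7.8", "WS-HR-03", "asmith", 2),  # console logon, not RDP
]


def rdp_fanout_alerts(logons, window=timedelta(minutes=30), max_hosts=3):
    """Return one alert per source IP that opened RDP sessions to more than
    `max_hosts` distinct destinations inside any sliding window of `window`.
    Thresholds are assumptions; tune them to the environment's baseline."""
    by_source = defaultdict(list)
    for ts, src, dst, user, ltype in logons:
        if ltype == 10:  # keep only RemoteInteractive (RDP) logons
            by_source[src].append((datetime.fromisoformat(ts), dst, user))

    alerts = []
    for src, events in by_source.items():
        events.sort()  # chronological, so each index starts a candidate window
        for i, (start, _, _) in enumerate(events):
            in_window = [(d, u) for t, d, u in events[i:] if t - start <= window]
            hosts = {d for d, _ in in_window}
            if len(hosts) > max_hosts:
                alerts.append({
                    "source": src,
                    "first_seen": start.isoformat(),
                    "hosts": sorted(hosts),
                    "accounts": sorted({u for _, u in in_window}),
                })
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in rdp_fanout_alerts(SAMPLE_LOGONS):
        print(alert)
```

Pairing this with the phishing stage (a mail-gateway hit for the same account shortly before the fan-out) raises confidence that the RDP activity is post-compromise rather than an administrator's normal work.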

The drive of those in the cyber-underground to expand their foothold inevitably leads them down uncharted paths. In late October 2021, threat researchers discovered that Hive had developed new malware tools specifically for encrypting Linux and FreeBSD systems. The report notes that Hive is among several ransomware operators that have set their sights on Linux servers; other notorious ransomware groups have also been known to create their own Linux encryptors.

As enterprises gradually migrate to virtual machines for better device management and more efficient use of resources, targeting virtual machines also makes good business sense for RaaS operators because it lets them encrypt multiple servers simultaneously with a single command. Researchers pointed out that Hive’s bespoke Linux tool is not yet fully functional, as it still fails to encrypt all files when deployed with an explicit path. However, one can expect Hive to keep refining its Linux encryptors to diversify and fortify its malware tool kit.

In January 2022, one of Europe’s largest car dealers suffered a Hive ransomware attack. The Swiss company’s name appeared among the victims on HiveLeaks in February. Targeting high-value enterprises has become a trend for ransomware operators, as can be gleaned from the profile of this victim, which reportedly generated US$3.29 billion in revenue for 2020.


Overview of Hive’s operations

Hive operations are more prolific than their leak site might suggest. HiveLeaks only publishes the list of victims that have not settled the ransom, so it is tough to determine which — or how many — companies decided to pay. A report indicates that attack attempts by Hive affiliates have hit an average of three companies per day since the group was first discovered in June 2021. The report also mentions that security researchers who obtained information directly from the administrator panel of the Hive Tor site found that the number of enterprises whose systems had been compromised reached 355 between September and December 2021.


Recommendations

Despite being relatively new, Hive ransomware has already made its mark as one of the most prolific and aggressive ransomware families today. Our detections of their malicious activities show that their operations are robust, which in turn gives new affiliates an incentive to join them. Hive operators are also known to constantly refine and diversify their TTPs, so it is important for companies to stay vigilant and well-informed about potential threats. An organization stands a better chance of addressing ransomware threats if it implements strong defenses early on.

To protect systems against similar threats, organizations can establish security frameworks that allocate resources systematically for establishing a strong defense strategy against ransomware.

From trendmicro


Infection chain and techniques

[Figure: Infection chain of Hive ransomware. Image credit: Trend Micro]
