FBI’s warning to businesses - HIVE ransomware


The FBI has released a warning to businesses and system administrators following a series of attacks which saw an emerging ransomware known as ‘Hive’ debilitate the Memorial Health System this week. 

The Warning 

Published as part of FBI Flash, a publication by the FBI’s Cyber Division, the warning states that whilst “Hive ransomware […] was first observed in June 2021”, it “employs a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation.” 

The warning goes on to outline how the ransomware utilises “multiple mechanisms to compromise business networks, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol”.  

“After compromising a victim network, Hive ransomware actors exfiltrate data and encrypt files on the network. The actors leave a ransom note in each affected directory within a victim’s system, which provides instructions on how to purchase the decryption software. The ransom note also threatens to leak exfiltrated victim data on the Tor site, ‘HiveLeaks’.”

Previous Attacks 

Just under two weeks ago, the Hive ransomware gang claimed another victim, adding to the list built up since the group emerged on the dark web as a cyberthreat in June 2021. The Memorial Health System, a network of American healthcare organizations comprising hospitals and clinics in Ohio and West Virginia, was targeted in the cyber-attack.

The attack completely disabled the network, with CEO Scott Cantely mentioning that it forced staff to revert to using paper charts. Memorial Health System is a non-profit organization in which many workers are volunteers from local communities, and the outage ground many procedures to a halt, leaving those in need with their surgical procedures and examinations cancelled.

In addition, the hackers are said to have extracted sensitive data belonging to around 200,00 patients, and to be preparing to distribute it on their dark web site “HiveLeaks” unless the ransoms are paid.

FBI Recommendations 

As part of their warning, the FBI also outlined some “recommended mitigations” and advice for organizations being targeted by ransomware attacks.  

The first piece of advice is simple: “the FBI does not encourage paying a ransom to criminal actors”. The FBI argues this will only “embolden adversaries to target additional organizations” and “encourage other criminal actors to engage in the distribution of ransomware”.

In addition, “paying the ransom also does not guarantee that a victim’s files will be recovered”, the article goes on to state. This advice is imperative when dealing with a situation such as the one faced by the victims of the Hive ransomware attacks. Given that the gang has already resorted to duplicitous and illicit activity to infect a business with malware and hold it to ransom, it would be unusual for them to honor the terms of the ransom as part of a one-time transaction.

Preventative Measures via FBI advice post 

  • Back-up critical data offline.  
  • Ensure copies of critical data are in the cloud or on an external hard drive or storage device.  
  • Secure your back-ups and ensure data is not accessible for modification or deletion from the system where the data resides. 
  • Use two-factor authentication with strong passwords, including for remote access services.  
  • Monitor cyber threat reporting regarding the publication of compromised VPN login credentials and change passwords/settings if applicable.  
  • Keep computers, devices, and applications patched and up-to-date. 
  • Install and regularly update anti-virus or anti-malware software on all hosts.

Finally, the FBI encourages all those impacted by a similar incident to always report the attack to the authorities, and to seek help once all infected systems are isolated and turned off, and back-ups are secured.
