Hive Ransomware, first observed in June 2021, likely operates as an affiliate-based ransomware, the FBI reports. The group uses several mechanisms to gain initial access, including phishing emails with malicious attachments, and then uses Remote Desktop Protocol (RDP) to move laterally once on the network. “After compromising a victim network, Hive ransomware actors exfiltrate data and encrypt files on the network,” the FBI said. “The actors leave a ransom note in each affected directory within a victim’s system, which provides instructions on how to purchase the decryption software,” it added. “The ransom note also threatens to leak exfiltrated victim data on the Tor site, ‘HiveLeaks.’”
Hive Ransomware Attack on Memorial Health System
An alleged Hive Ransomware attack last week, on August 15, encrypted computers of the non-profit Memorial Health System, resulting in canceled surgical operations and stolen patient data. The organization’s president and CEO has since admitted to paying the ransom in order to regain access to its servers. “In the last 24 hours, we have made progress,” said Memorial Health System President and CEO Scott Cantley in a press conference held on August 19. “We have completed an agreement and received the keys to unlock our servers and begin to process recovery,” he added. Cantley said negotiations were conducted with the help of the FBI and the organization’s insurance carrier. Memorial Health System is a network of hospitals whose members are Marietta Memorial Hospital, Selby General Hospital, and Sistersville General Hospital, based in Ohio and West Virginia. The organization’s press release on August 18 claimed that “no known patient or employee personal or financial information has been compromised.” However, Bleeping Computer reports having seen evidence that the attackers stole databases containing information belonging to 200,000 patients. This information includes social security numbers, names, and dates of birth.
Ransomware Attacks a Concern for Healthcare Organizations
The American Hospital Association (AHA) raised concerns about ransomware attacks, urging healthcare organizations not to pay ransom to attackers. “This new strain of ransomware may be of particular concern for health care and utilizes the ‘double extortion’ method — demand for ransom payment for decryption key to access on-site encrypted data along with ransom payment demand to prevent public release of stolen patient information,” said John Riggi, AHA senior advisor for cybersecurity and risk. “The FBI and AHA strongly discourage payment of ransom if at all possible,” he added. “Regardless of whether you or your organization decide to pay the ransom, the FBI urges you to report ransomware incidents to your local field office. Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable under U.S. law, and prevent future attacks.”