Share this article on:
The HHS’ Office of Information Security Health Sector Cybersecurity Coordination Center (HC3) has issued a TLP: White alert about the Hive ransomware group – A particularly aggressive cybercriminal operation that has extensively targeted the healthcare sector in the United States.
HC3 has shared an analysis of the tactics, techniques, and procedures (TTPs) known to be used by the group in their attacks and has shared cybersecurity principles and mitigations that can be adopted to improve resilience against Hive ransomware attacks.
The Hive ransomware group has been conducting attacks since at least June 2021. The group is known for using double extortion tactics, where sensitive data is exfiltrated prior to file encryption and threats are issued to publish the data if the ransom is not paid. The group is also known to contact victims by phone to pressure them into paying the ransom.
Hive is a ransomware-a-service (RaaS) operation where affiliates are recruited to conduct attacks on the gang’s behalf in exchange for a cut of the profits that are generated, which allows the core members of the group to concentrate on development and operations.
Having affiliates with different specialties means a variety of TTPs are employed to gain access to networks; however, the group most commonly uses phishing emails, Remote Desktop Protocol, and VPN compromise in their attacks. Once access to networks is gained, compromised systems are searched to identify applications and processes involved in backing up data, and then those processes and applications are terminated or disrupted. Shadow copies, backup files, and system snapshots are also deleted to make it harder for victims to recover without paying the ransom.
The ransomware is actively developed, and several features and practices have been adopted to prevent analysis of the ransomware, interception and monitoring of negotiations with victims, and the group has adopted a new IPv4 obfuscation technique – IPfuscation – to make their attacks stealthier.
Defending against Hive ransomware attacks requires standard cybersecurity best practices to be followed, including the following:
- Changing default passwords and setting strong passwords
- Implementing 2-factor authentication, especially for remote access services
- Providing regular security awareness training to the workforce
- Creating multiple copies of backups, testing those backups, and storing backups offline
- Ensuring there is continuous monitoring, supported by a constant input of threat data
- Implementing a comprehensive vulnerability management program and prioritizing known exploited vulnerabilities
- Ensuring software and operating systems are kept up to date
- Implementing comprehensive endpoint security solutions that are automatically updated with the latest signatures/updates.