Executive Summary
During 2021, HIVE ransomware was involved in several attacks against the healthcare sector. HIVE is offered as ransomware-as-a-service (RaaS), meaning that the ransomware is used by affiliates in attacks. Avertium published a Threat Intelligence Report naming the top five cyber threats in the healthcare sector and HIVE was in the top ten of global ransomware for the third quarter of that year.
HIVE has also been used in attacks against several critical infrastructure organizations within the government, IT, communications, and manufacturing industries. Despite law enforcement’s recent crackdown on cyber criminals, the operators behind HIVE ransomware have not slowed down.
In November 2022, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) released an advisory stating that HIVE ransomware attacks have continued, and operators have attacked over 1300 businesses and have extorted about $100 million since June 2021. Let’s revisit HIVE, the attackers’ tactics and techniques, and what organizations can do to remain safe from the threat actors that use it.
HIVE was initially observed in June 2021 and operates as an affiliate-based ransomware gang. During 2021, HIVE was used to attack Europe’s largest consumer electronics retailer, MediaMarkt. As a result of the attack, the company’s servers were encrypted, and their IT systems had to be shutdown.
Although MediaMarkt was able to function online, their brick-and-mortar stores were not able to accept credit cards or print receipts. The ransom demand was $240 million for decryption but was eventually reduced to $50 million in bitcoin. It is common for ransomware gangs to demand an absurd amount of money initially, only to decrease that demand to a lower yet still profitable amount.
During the same year, researchers found that HIVE was used to attack critical infrastructure, specifically healthcare. Ransomware operators attacked Memorial Health System, forcing the staff to work from paper charts. HIVE operators were also responsible for an attack on the third largest medical facility in Saxony-Anhalt. At the time, an insider confirmed that HIVE affiliates estimated the organization’s revenue to be $272 million. The attackers knew that a healthcare facility would likely pay their demanded ransom because any information stolen is highly sensitive and confidential. Information within the healthcare sector is the most valuable information for cyber criminals and a single piece of data can go for hundreds of dollars on the black market.
In September 2022, HIVE ransomware operators claimed the attack on the New York Racing Association (NYRA). The attack impacted IT operations and compromised member data. NYRA operates three of the largest thoroughbred horse racing tracks in New York – the Saratoga Racecourse, the Aqueduct Racetrack, and the Belmont Park race track.
The security breach included the exfiltration of sensitive member information, such as: Social security numbers, healthcare records, health insurance information, and driver’s license identification numbers. After the attack, the threat actors placed NYRA on HIVE’s extortion site and published a link to download a ZIP archive of the files they stole from NYRA’s systems. Due to the organization’s data being leaked, one can only assume that ransom negotiations didn’t go as planned.
Also, during September 2022, HIVE threat actors claimed responsibility for the attack on Bell Canada, a subsidiary of Bell Technical Solutions (BTS). BTS has more than 4,500 employees and specializes in Bell services for residential and small businesses across Ontario and Quebec. After the attack, a new entry for BTS was added to the HIVE extortion site where the attackers claimed to have encrypted BTS’ systems back in August 2022. During that time, the BTS website was inaccessible, and the company published a cyber security alert stating that some employee and operational company information was accessed (addresses, phone numbers, and names of residential and small business customers).
In October 2022, HIVE operators took responsibility for a cyber attack on Tata Power - a subsidiary of the multinational conglomerate Tata Group. The company is India’s largest integrated power company and is based in Mumbai. After ransom negotiations failed, the attackers posted stolen Tata Power data on their extortion site.
The stolen data contained personal identifiable information, Nation ID card numbers, tax account numbers, and salary information. The threat actors even went as far as stealing and leaking engineering drawings, financial and banking records, and sensitive client information.
In 2021, the FBI warned healthcare organizations that HIVE threat actors appeared to be targeting healthcare organizations. Unfortunately, that interest has not changed as they recently attacked the Lake Charles Memorial Health System (LCMH) in November 2022.
The ransomware attack included HIVE operators leaking patients’ protected health information and employee personnel files. The threat actors had access to LCMH’s network for 12 days and stole 270 GB of files. The attackers informed the healthcare organization that although they exfiltrated data, they did not encrypt any of the data on the LCMH network. The threat actors demanded $900,000 in ransom and reached out to LCMH to negotiate the payment, but their efforts were unsuccessful.
After no response, the operators reached out for the second time and told the organization that if they paid the ransom, their data would be deleted, and the threat actors would help the organization better understand the system vulnerabilities that led to the breach. A representative from LCMH responded and stated that the organization would review the offer, but the HIVE threat actors never heard back from them. Due to the lack of response, the attackers posted some of LCMH’s exfiltrated data on their extortion site (patient and employee data).
Initially observed in June 2021, HIVE encrypts files and deletes backup and file copying processes to carry out attacks. Over the years, researchers have noticed that most ransomware gangs focus on one platform, such as Windows, to launch their attacks. The operators behind HIVE do the opposite and use several platforms (Windows, Linux, and ESXi hypervisors) depending on the affiliate disseminating the ransomware. According to Adam Meyers, Vice President of CrowdStrike, HIVE’s operators created the ability to run their ransomware against ESXi.
As initial access points, HIVE’s operators have been known to use remote desktop protocol (RDP), virtual private networks (VPNs,) and other remote connection protocols not secured with MFA. HIVE attacks have also included bypassing MFA and exploiting CVE-202-12812 to access FortiOS servers. Affiliates have been seen targeting well-known Microsoft Exchange Server vulnerabilities such as CVE-2021-34523, CVE-2021-31207, and CVE-2021-34473. Operators have also been seen sending phishing emails with malicious attachments.
In 2021, ESET Research Labs identified Linux and FreeBSD variants of HIVE ransomware. The Linux and FreeBSD variants were written in Golang, however at the time, the malware still had some bugs in it and had yet to be exploited. They appeared to be shifting platforms by targeting public facing systems such as Linux – a system that is commonly used for web-servers. HIVE has evolved and as previously stated, the ransomware includes operating systems such as MacOS and VMware ESXi. As more organizations are securing their data centers to the cloud, attackers are taking full advantage.
“Cloud applications that are now running on non-Windows operating systems such as Linux, are also under attack from these cyber criminals. For many years, Linux was thought to be a safe haven from common malware and ransomware attacks due to a smaller percentage of organizations utilizing it. However, that has finally changed with cyber criminals expanding their attacks into new operating systems spaces." – Chuck Everette – Director of Cyber Security Advocacy at Deep Instinct
CISA states that after gaining access, the ransomware makes attempts to evade detection by executing processes to:
HIVE’s ransomware notes are interesting, allowing victims to contact the operators through a “sales department” link that directs them to a live chat – almost like customer service. HIVE also uses Golang, a modern programming language that threat actors have been utilizing lately. Once in a system, HIVE operators use their tools to move laterally within that system and escalate privileges to steal and encrypt files.
Image 1: HIVE Ransomware Note
Source: AdvIntel
To help keep you organization safe from ransomware like HIVE, there are ransomware best practices you can implement. A ransomware incident can severely impact an organization’s day to day business, as well as leave them without the data they need to deliver critical services. Due to HIVE’s operators deleting backups, it can be difficult for organizations to restore stolen data. It can also be infeasible, causing economic and reputational devastation for most.
Fortunately, CISA and the FBI have some best practices that you can put into place before you become a victim of HIVE ransomware:
Keep in mind that relying on outdated tools and point solutions will compromise your network or system. Better technology exists to detect complex attacks.
Because the cyber landscape is always changing, it is imperative to be aware of new cyber attack strategies and techniques. Avertium is here to keep you informed and to keep your organization safe. We recommend the following services for the best protection against ransomware attacks:
Recommendations from Avertium, the FBI, and CISA if your organization is impacted by HIVE ransomware:
In addition, the FBI, CISA, and HHS urge all organizations to apply the following recommendations to prepare for, mitigate/prevent, and respond to ransomware incidents:
IP Addresses
Logged Processes
Files
Hive ransomware claims attack on New York Racing Association (bleepingcomputer.com)
#StopRansomware: Hive Ransomware | CISA - AlienVault - Open Threat Exchange
Hive claims ransomware attack on Tata Power, begins leaking data (bleepingcomputer.com)
FBI: Hive ransomware extorted $100M from over 1,300 victims (bleepingcomputer.com)
HIVE Ransomware: Everything You Need To Know (Attacks & Analysis) (avertium.com)
Hive Ransomware Gang Hits 1,300 Businesses, Makes $100 Million | SecurityWeek.Com
#StopRansomware: Hive Ransomware | CISA
Lake Charles Memorial Health system victim of cyberattack and data leak by Hive (databreaches.net)
NY: Empress EMS hit by Hive ransomware (databreaches.net)
Hive Ransomware Hackers Begin Leaking Data Stolen from Tata Power Energy Company (thehackernews.com)
Hive ransomware claims cyberattack on Bell Canada subsidiary (bleepingcomputer.com)
HiveV5_file_decryptor/README.md at main · reecdeep/HiveV5_file_decryptor · GitHub
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.
COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.