Updated on 2022-11-18
An alert published by CISA, the FBI, and HHS states that the Hive ransomware group extorted over $100 million in ransom payments from 1,300 organizations between June 2021 and November 2022. Read more: Alert (AA22-321A) #StopRansomware: Hive Ransomware
CISA, the FBI, and the HHS have issued a joint report on the Hive ransomware. Read more: Alert (AA22-321A) #StopRansomware: Hive Ransomware
“As of November 2022, Hive ransomware actors have victimized over 1,300 companies worldwide, receiving approximately US$100 million in ransom payments, according to FBI information.”
Updated on 2022-11-17: Hive Ransomware Alert
The US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Department of Health and Human Services have jointly released an alert warning of an uptick in the spread of Hive ransomware. The threat actors have targeted multiple business and critical infrastructure sectors, with a focus on healthcare and public health. As of this month, Hive ransomware threat actors have received nearly $100 million in payments. The alert includes technical details as well as indicators of compromise (IoCs) and recommended mitigations.
- These threat actors are penetrating networks by taking advantage of single-factor authentication on RDP and VPN, by bypassing MFA via flaws like CVE-2020-12812 in FortiOS servers, and by exploiting Exchange vulnerabilities. We’ve talked about this before (yes, I’m telling you this is preventable): don’t expose RDP to the Internet, use strong MFA on anything Internet facing, and keep those updates flowing. Don’t ignore your internal systems either; you need to do this internally, as the old castle-and-moat model is not sufficient with today’s threat landscape. Leverage what you learned hardening your external services; you know what to do from here.
- As ransomware attacks get faster, IoCs become irrelevant; the ransomware will announce the compromise. Unless there are mitigations that are specific to the ransomware, prevention is more efficient than mitigation. Strong authentication, structured network, and least privilege access control will resist ransomware of all stripes and also resist other kinds of attacks.
Read more in
- Alert (AA22-321A) #StopRansomware: Hive Ransomware
- FBI: Hive ransomware extorted $100M from over 1,300 victims
- Feds warn of ongoing Hive ransomware threat, ‘especially healthcare’
Updated on 2022-10-25: Tata Power Data Breach
Hive ransomware claimed responsibility for the cyberattack on Tata Power and started leaking data—PII, National ID numbers, financial records, and others—allegedly stolen from the Indian power company. Read more: Hive claims ransomware attack on Tata Power, begins leaking data
Tata Power, one of the largest electrical power producers in India, disclosed a security breach in a document [PDF] filed with India’s national stock exchange. The company said the incident only impacted its IT systems—which it is currently in the process of restoring—and that all other critical systems are operating as normal. Read more: Tata Power, a top power producer in India, confirms cyberattack
Updated on 2022-10-21: Canada Parliament hack
Canadian Parliament members have been asked to change their email passwords following what officials have described as a “cyber incident.” We understand this is a ransomware attack, although government officials have not yet confirmed the incident as such. Read more: MPs warned to change email passwords after cyber attack on Canadian government
Updated on 2022-10-19
Members of Parliament were urged to change their passwords for internet-based services after the Canadian government suffered a cyberattack. Read more: MPs warned to change email passwords after cyber attack on Canadian government
Updated in September 2022
Police Investigating Ransomware Attack Against Bell Canada Subsidiary
Authorities in Canada are investigating a ransomware attack that hit the network of Bell Technical Solutions, a Bell Canada subsidiary. The attack resulted in data theft. The affected servers contained “operational company and employee information.”
- The Hive ransomware gang is taking credit for the attack. Bell Technical Solutions installs Bell services such as telephones, WiFi and cable for customers in Ontario and Quebec. Data accessed appears to also contain booked appointment information (name, address, phone number). Bell Technical Solutions will be notifying affected customers. If you’re a Bell Technical Solutions customer, be wary of unsolicited communications attempting to get more information from you based on what was in the appointment system.
Read more in
- Bell Technical Solutions cybersecurity alert
- Canadian police investigating ransomware attack on Bell subsidiary after employee data stolen
NYRA breached by Hive operators
Hive ransomware gang claimed responsibility for an attack on the New York Racing Association (NYRA) on June 30. The threat actor stole SSNs, health records, and driver’s license numbers.
Hive ransomware group claimed responsibility for the New York Racing Association (NYRA) cyberattack. On its extortion website, the group listed NYRA as a victim and published a ZIP download containing all of the files stolen from NYRA’s computers. Hive was able to steal members’ personal information, including health records, health insurance information, driver’s license identification numbers, and SSNs.
Read more in
- Hive ransomware claims attack on New York Racing Association
- HIVE Ransomware Claims Responsibility for NYRA Attack
Updated in July 2022
Hive v5 decrypter
A security researcher named reecDeep has released a free tool that can help victims whose files were locked by version 5 of the Hive ransomware recover them. Previously, South Korea’s cyber-security agency KISA released decrypters for the first four versions.
Microsoft has published a technical analysis of the Hive gang’s new Rust-based ransomware strain, which the group has been using in attacks since March this year.
Updated in June 2022: Costa Rica Woes Continue
The Costa Rican Social Security Fund was struck by Hive ransomware this week, and Krebs on Security reports that the incident is affecting the national health service, with medical centres being forced to use manual processes. This comes just weeks after the Costa Rican President declared a national emergency following a mid-April Conti attack that crippled many government services.
Cyber security company AdvIntel believes there is some sort of relationship between Hive and Conti that at the very least involves affiliates operating with both groups. Hive and Conti also have both listed victims in common on their websites, but Hive has denied any affiliation.
Updated in August 2021: Memorial Health System Cyber Incident Leads to EHR Downtime at Multiple Facilities
A healthcare system serving parts of West Virginia and Ohio was the target of a cyber incident on Sunday, August 15. Memorial Health System comprises 64 clinics, including three hospitals; all are operating under electronic health record (EHR) downtime. Urgent surgeries and other procedures have been cancelled, and emergency cases at some Memorial Health System facilities are being diverted to other hospitals.
- Hospitals are organizing into groups in order to enjoy efficiencies of scale, both in medicine and management. IT in general, and IT security in particular, is just one area that may benefit. However, consequences increase with scale. Cost of attack must increase with scale or risk surely will. This is an illustrative case. Note that EHR detail will be lost forever.
Read more in
- Hospitals hamstrung by ransomware are turning away patients
- Surgeries canceled, care diverted as Memorial Health responds to cyberattack
- Hive ransomware attacks Memorial Health System, steals patient data
Overview: FBI Alert Warns of Hive Ransomware
The FBI has released a TLP: White Flash Alert regarding the Hive ransomware, which has been used in at least 28 attacks, including the Memorial Health System in Ohio and West Virginia. The alert describes technical details about the ransomware and lists indicators of compromise.
- Read the IC3 notice to understand the behavior of this ransomware, including how it hides its actions, and the IoCs to incorporate in your SIEM. Note that Hive deletes volume shadow copies, including disk backup copies and snapshots. This is another case where data is exfiltrated and threats of publishing are used to further extort payment. Review your ransomware preparedness plan, making sure you’ve already established a connection/contact with your local FBI field office, rather than trying to figure that out when responding to an incident.
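Because shadow-copy and backup-catalog deletion precedes encryption, a behavioural SIEM rule catches it earlier than file-hash IoCs do. The following is an added example, not code from the FBI notice or from any Hive analysis: it scans constructed process-creation log lines (the `key=value` format, field names and sample events are assumptions) and flags the built-in Windows utilities being used to remove shadow copies and backups, while leaving benign uses such as listing shadows unflagged.

```python
"""Flag shadow-copy / backup-catalog deletion in Windows process-creation
events (Security 4688 or Sysmon event 1 exported as key=value lines).
Log format and all sample events below are constructed for this example."""
import re
from typing import Dict, List, Tuple

# (image basename, command-line pattern, description). These are the
# standard built-in tools whose invocation removes VSS snapshots or backups.
RULES = [
    ("vssadmin.exe", re.compile(r"\bdelete\s+shadows\b", re.I), "VSS shadow copies deleted"),
    ("wmic.exe", re.compile(r"\bshadowcopy\b.*\bdelete\b", re.I), "shadow copies deleted via WMI"),
    ("wbadmin.exe", re.compile(r"\bdelete\s+(catalog|systemstatebackup)\b", re.I),
     "Windows Backup catalog deleted"),
]

# key=value pairs; a quoted value may contain spaces (used for the command line).
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: one benign enumeration, three deletions, one unrelated process.
SAMPLE_EVENTS = [
    'ts=2021-08-15T03:12:44Z host=EHR-DB01 user=CORP\\svc_backup image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin list shadows"',
    'ts=2021-08-15T03:13:02Z host=EHR-DB01 user=CORP\\svc_backup image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin delete shadows /all /quiet"',
    'ts=2021-08-15T03:13:05Z host=EHR-DB01 user=CORP\\svc_backup image=C:\\Windows\\System32\\wbem\\WMIC.exe cmd="wmic shadowcopy delete"',
    'ts=2021-08-15T03:13:09Z host=EHR-DB01 user=CORP\\svc_backup image=C:\\Windows\\System32\\wbadmin.exe cmd="wbadmin delete catalog -quiet"',
    'ts=2021-08-15T03:20:00Z host=FILE01 user=CORP\\jdoe image=C:\\Windows\\System32\\notepad.exe cmd="notepad.exe C:\\Users\\jdoe\\notes.txt"',
]


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value event line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def match_event(ev: Dict[str, str]) -> List[str]:
    """Return the description of every rule this event satisfies."""
    image = ev.get("image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    cmd = ev.get("cmd", "")
    return [desc for img, pat, desc in RULES if image == img and pat.search(cmd)]


def scan(lines: List[str]) -> List[Tuple[str, str, str, str, str]]:
    """Return (ts, host, user, description, cmd) for each flagged event."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        for desc in match_event(ev):
            hits.append((ev.get("ts", ""), ev.get("host", ""), ev.get("user", ""), desc, ev.get("cmd", "")))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(" | ".join(hit))
```

Three deletions on one host within seconds, as in the sample, is the burst pattern worth alerting on at high severity; the benign `vssadmin list shadows` line is deliberately not matched.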