Who is the Hive Ransomware Group?
Hive Ransomware is a RaaS (Ransomware as a Service) organization that steals sensitive data before encrypting it for ransom. They use an affiliate system and give affiliates access to an admin dashboard to manage attacks.
How does the Hive Group work?
The FBI reported that the Hive Group carries out its intrusions using a variety of tactics, techniques, and procedures (TTPs). The analysis shows that the Hive Ransomware Group operates in the following pattern:
- First, they employ phishing in their attacks to gain initial access.
- After Hive obtains a user's network credentials, it uses the Remote Desktop Protocol (RDP) to move laterally across the network.
- Next, Hive terminates backup and restore, antivirus, and antispyware software so that its activity is not blocked by anti-malware defenses.
- Then, after encrypting files and saving them with a .hive extension, Hive creates batch files named hive.bat and shadow.bat that instruct the computer to delete the Hive executable, disk backup copies or snapshots, and the batch files themselves. This cleanup erases what could otherwise be forensic evidence.
- Finally, Hive drops a ransom note, HOW TO DECRYPT.txt, into each affected directory. The note states that the encrypted files cannot be decrypted without the master key, which is in the cybercriminals' possession, and that victims must pay a ransom through the link in the note to obtain it.
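The artifacts listed above (hive.bat, shadow.bat, the .hive extension, and the HOW TO DECRYPT.txt note) are the kind of evidence a defender would look for in file-system telemetry. The following detector is an added example, not code from the article or from any vendor: it parses constructed "host,action,path" event records, groups evidence per host, and rates each host by how many independent indicators appear. The event format, the sample records and the thresholds are assumptions made for illustration.

```python
"""
Added example (not from the article): scan constructed file-system events for
the Hive artifacts the article names and rate each host by the evidence found.
"""
from collections import defaultdict

# Artifact names taken from the article; compared case-insensitively.
BATCH_ARTIFACTS = {"hive.bat", "shadow.bat"}
RANSOM_NOTE = "how to decrypt.txt"
ENCRYPTED_EXT = ".hive"

# Assumption: one renamed file is weak evidence, so require several .hive
# files on a host before counting mass encryption as a finding.
ENCRYPTED_FILE_THRESHOLD = 3

# Constructed sample telemetry: "host,action,path" (action is CREATE or DELETE).
SAMPLE_EVENTS = [
    "ws01,CREATE,C:\\Users\\alice\\Documents\\report.docx.hive",
    "ws01,CREATE,C:\\Users\\alice\\Documents\\budget.xlsx.hive",
    "ws01,CREATE,C:\\Users\\alice\\Documents\\HOW TO DECRYPT.txt",
    "ws01,CREATE,C:\\Users\\alice\\Pictures\\photo.jpg.hive",
    "ws01,CREATE,C:\\Windows\\Temp\\hive.bat",
    "ws01,CREATE,C:\\Windows\\Temp\\shadow.bat",
    "ws01,DELETE,C:\\Windows\\Temp\\hive.bat",
    "ws02,CREATE,C:\\Users\\bob\\Downloads\\archive.zip",
    "ws02,CREATE,C:\\Users\\bob\\Downloads\\hive_notes.txt",
    "srv01,CREATE,C:\\Shares\\finance\\HOW TO DECRYPT.txt",
]


def parse_event(line):
    """Split one record into (host, ACTION, path); the path may contain commas."""
    parts = line.strip().split(",", 2)
    if len(parts) != 3:
        return None
    host, action, path = parts
    return host, action.upper(), path


def split_path(path):
    """Return (directory, basename) for a Windows or POSIX path."""
    normalized = path.replace("\\", "/")
    directory, _, name = normalized.rpartition("/")
    return directory, name


def collect_findings(lines):
    """Group per-host evidence of the artifacts described in the TTP list."""
    findings = defaultdict(lambda: {
        "batch_created": set(),
        "batch_deleted": set(),
        "note_dirs": set(),
        "encrypted": set(),
    })
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue  # malformed record; skip it
        host, action, path = parsed
        directory, name = split_path(path)
        lname = name.lower()
        host_f = findings[host]
        if lname in BATCH_ARTIFACTS:
            # Creation shows the helper scripts; deletion is the self-cleanup step.
            key = "batch_created" if action == "CREATE" else "batch_deleted"
            host_f[key].add(lname)
        elif lname == RANSOM_NOTE and action == "CREATE":
            host_f["note_dirs"].add(directory)
        elif lname.endswith(ENCRYPTED_EXT) and action == "CREATE":
            host_f["encrypted"].add(path)
    return findings


def detect(lines):
    """Return {host: {"reasons": [...], "severity": ...}} for hosts with evidence."""
    alerts = {}
    for host, f in collect_findings(lines).items():
        reasons = []
        if f["note_dirs"]:
            reasons.append(f"ransom note dropped in {len(f['note_dirs'])} directory(ies)")
        if f["batch_created"]:
            reasons.append("helper batch files created: " + ", ".join(sorted(f["batch_created"])))
        if f["batch_deleted"]:
            reasons.append("helper batch files deleted (anti-forensic cleanup)")
        if len(f["encrypted"]) >= ENCRYPTED_FILE_THRESHOLD:
            reasons.append(f"{len(f['encrypted'])} files renamed with {ENCRYPTED_EXT}")
        if reasons:
            # Assumption: two or more independent indicators on one host is high confidence.
            severity = "high" if len(reasons) >= 2 else "medium"
            alerts[host] = {"reasons": reasons, "severity": severity}
    return alerts


if __name__ == "__main__":
    for host, alert in detect(SAMPLE_EVENTS).items():
        print(host, alert["severity"], "; ".join(alert["reasons"]))
```

Run on the sample records, ws01 is rated high (ransom note, both batch files, a deleted batch file, and three .hive files), srv01 is rated medium on the ransom note alone, and ws02 produces no alert because a file merely containing "hive" in its name matches none of the artifacts. In practice the same logic would be fed from endpoint or file-server audit logs, and the batch-file deletion is worth alerting on by itself since it is the step that removes evidence.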
What are some of the Hive Group’s previous attacks?
A joint statement released by the FBI, the U.S. Cybersecurity and Infrastructure Security Agency, and the Department of Health and Human Services revealed that since June 2021, Hive has targeted over 1,500 victims worldwide, amounting to over $100 million in ransom payments. Some of the previous attacks by the Hive ransomware group include the following:
- Hive attacked Illinois-based Memorial Health System, its first healthcare victim, in August 2021. During the attack, the Hive group released sensitive data of 216,000 patients, causing the health system to divert care and cancel appointments.
- In September 2021, they stole and posted patients’ personal health information, such as Social Security numbers, names, and medication information via an attack on Missouri Delta Medical Center.
- In June 2022, the group attacked Costa Rica's public health services, and the following month it attacked Empress EMS. The latter attack led to the loss of over 320,000 people's data, including names, service dates, insurance information, and Social Security numbers.
- In October 2022, Hive attacked Lake Charles Memorial Health System in Southwest Louisiana and leaked data on its dark web leak site that included patient and employee information.
- In October 2022, Hive attacked Tata Power, India's top power generation company.
How does the Hive group respond to victims who do not comply with ransom payment?
Hive publishes data stolen from victims who do not comply with its ransom demand on its TOR leak site. Research from 2021 showed that Hive had attacked 355 organizations, but only 55 were published on its TOR leak site.
Which countries and industries are Hive’s targets?
The Hive Group's attack record showed that nearly 30 countries were affected. The USA tops the list with 93 attacks. The analysis also showed that the Hive Group focused primarily on four industries. Of over 30 targeted industries, Healthcare, Information Technology, Education, and Manufacturing were targeted most.
What is the Department of Justice's commitment to cybercrime prevention?
The Department of Justice (DOJ) is committed to identifying and bringing to justice any ransomware attackers that target the United States. The department is committed to preventing these attacks and providing support for victims.
How has the DOJ helped victims of ransomware group attacks?
The DOJ stated that since July 2022, the FBI has been able to penetrate Hive's network, obtain decryption keys, and give them to victims. It has distributed over 1,000 decryption keys, saving victims $130 million in ransom demands. Also, the DOJ, in conjunction with law enforcement from Germany and the Netherlands, seized control of the servers and websites Hive uses to communicate with its members.