FBI Alerts About Hive Ransomware Attacks On Healthcare Systems

Hive has so far attacked at least 28 organizations, including Memorial Health System, on August 15.

he alert explains that Hive is affiliate-operated ransomware first seen in June that deploys “multiple mechanisms to compromise business networks, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol to move laterally once on the network.”

“After compromising a victim network, Hive ransomware actors exfiltrate data and encrypt files on the network. The actors leave a ransom note in each affected directory within a victim’s system, which provides instructions on how to purchase the decryption software. The ransom note also threatens to leak exfiltrated victim data on the Tor site, ‘HiveLeaks,'” the FBI explained.

“Hive ransomware seeks processes related to backups, anti-virus/anti-spyware, and file copying and terminates them to facilitate file encryption. The encrypted files commonly end with a hive extension.”

The alert explains how the ransomware corrupts systems and backups before directing victims to a link to the group’s “sales department” that can be accessed through a TOR browser. The link brings victims to a live chat with the people behind the attack, but the FBI noted that some victims have even been called by the attackers demanding ransoms.

Most victims face a payment deadline ranging between two and six days, but others were able to extend their deadlines through negotiation.

The group operates a leak site that they use to threaten victims into paying. The FBI included indicators of compromise, a link to the leak site and a sample of a ransom note given to a victim.

CEO Scott Cantley said in a statement that staff at three hospitals — Marietta Memorial, Selby, and Sistersville General Hospital — were forced to use paper charts. At the same time, their IT teams worked to restore their systems.

All urgent surgical cases and radiology exams for Monday, August 16, were cancelled because of the attack. Memorial Health System Emergency Departments were forced to go on diversion due to the attack. Marietta Memorial Hospital agreed only to keep taking patients suffering from strokes and trauma incidents.

Anyone else in need of help simply had to be transported to other hospitals. The FBI, CISA and cybersecurity experts helped the hospital respond to the attack.

In a statement three days later, Cantley said the hospital system “reached a negotiated solution and are beginning the process that will restore operations as quickly and as safely as possible.”