Ransomware threats in healthcare are not new, but one especially aggressive cybercrime group, Hive, is doubling down and targeting healthcare relentlessly. On Monday April 18, HHS’s Health Sector Cybersecurity Coordination Center (HC3) issued an analyst note about Hive, with advice about how to prevent attacks. This follows two earlier alerts about Hive ransomware in healthcare, one from the FBI in August, 2021 and one from HC3 in October, 2021.
“Hive is an exceptionally aggressive, financially-motivated ransomware group known to maintain sophisticated capabilities who have historically targeted healthcare organizations frequently,” the note warned.
“HC3 recommends the Healthcare and Public Health (HPH) Sector be aware of their operations and apply appropriate cybersecurity principles and practices found in this document in defending their infrastructure and data against compromise.”
Hive has been known to be operating since June, 2021, and since then has been responsible for hundreds of attacks. One report notes they are the 4th most active ransomware operator in the cybercriminal ecosystem.
Some of the major healthcare attacks from Hive include:
- Memorial Health System in August, 2021 – The cyberattack impacted over 215,000 individuals and resulted in significant cancellations and ambulance diversions.
- Missouri Delta Medical Center in September, 2021 – The Medical Center reported that an unauthorized party stole information from its servers. Hive then began posting patient information online, including medical information, names, and Social Security numbers.
- Partnership HealthPlan of California in March, 2022 – Hive claimed responsibility for stealing 850,000 personally identifiable information (PII) records from the health plan.
The following information is excerpted from HC3. Hive operations include the following features (read the HC3 analyst note for more features):
- They conduct double extortion (data theft prior to encryption) and support this with their data leak site which is accessible on the dark web
- They operate via the ransomware as a service (RaaS) model, in which Hive focuses on development and operations of the ransomware while other partners/affiliates obtain initial access to the victim infrastructure
- They leverage common (but effective) infection vectors such as RDP and VPN compromise as well as phishing
- Their encrypted files end with a .hive, .key.hive or .key extension
- Some victims have received phone calls from Hive to pressure them to pay and conduct negotiations
- Like some other ransomware variants, Hive searches victim systems for applications and processes which backup data and terminates or disrupts them. This includes deleting shadow copies, backup files, and system snapshots
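As an added illustration (not from the HC3 note or this article), the check below scores a file listing against the extensions HC3 attributes to Hive; the sample listing, time window and alert threshold are constructed assumptions, and the bare .key extension is treated as low confidence because legitimate files (such as private keys) use it too.

```python
import os
from collections import Counter
from typing import Iterable, Optional, Tuple

# Extensions HC3 lists for Hive-encrypted files. ".key" alone also appears on
# legitimate files, so it is scored as low confidence rather than ignored.
HIVE_HIGH_CONFIDENCE = (".key.hive", ".hive")
HIVE_LOW_CONFIDENCE = (".key",)


def classify(path: str) -> Optional[str]:
    """Return 'high', 'low' or None for a single file path."""
    name = path.lower()
    if name.endswith(HIVE_HIGH_CONFIDENCE):
        return "high"
    if name.endswith(HIVE_LOW_CONFIDENCE):
        return "low"
    return None


def assess(entries: Iterable[Tuple[str, float]], now: float,
           window_s: int = 3600, threshold: int = 20) -> dict:
    """entries are (path, mtime) pairs. Counts Hive-style extensions overall
    and within the recent window; alerts when recent high-confidence hits
    reach the threshold (mass encryption produces many such files quickly)."""
    total, recent = Counter(), Counter()
    for path, mtime in entries:
        level = classify(path)
        if level is None:
            continue
        total[level] += 1
        if now - mtime <= window_s:
            recent[level] += 1
    return {"high": total["high"], "low": total["low"],
            "recent_high": recent["high"], "recent_low": recent["low"],
            "alert": recent["high"] >= threshold}


def walk_tree(root: str) -> Iterable[Tuple[str, float]]:
    """Real-filesystem feeder for assess(); skips files that vanish mid-walk."""
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            try:
                yield p, os.path.getmtime(p)
            except OSError:
                continue


# Constructed sample: 25 freshly encrypted documents, 3 old legitimate keys,
# 2 untouched files. SAMPLE_NOW is an arbitrary reference timestamp.
SAMPLE_NOW = 1_650_000_000.0
SAMPLE_LISTING = (
    [(f"/share/finance/report_{i}.docx.hive", SAMPLE_NOW - 60) for i in range(25)]
    + [(f"/etc/ssl/private/svc{i}.key", SAMPLE_NOW - 86400 * 30) for i in range(3)]
    + [("/share/readme.txt", SAMPLE_NOW - 5), ("/share/photo.jpg", SAMPLE_NOW)]
)
```

Run assess(walk_tree("/path"), now=time.time()) against a real share; tune window_s and threshold to the host's normal churn before relying on the alert flag.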
When defending against Hive or any other ransomware variant, there are standard practices that should be followed. Prevention is always the optimal approach. This includes but is not limited to the following:
- Use two-factor authentication with strong passwords – this is especially applicable for remote access services such as RDP (Remote Desktop Protocol) and VPNs (virtual private networks).
- Sufficiently backing up data, especially the most critical, sensitive and operationally necessary data, is very important. We (HC3) recommend the 3-2-1 Rule for the most important data: back this data up in three different locations, on at least two different forms of media, with one of them stored offline.
- Continuous monitoring is critical, and should be supported by a constant input of threat data (open source and possibly proprietary as well).
Risk Management Can Prevent Ransomware
Prevention can work. HIPAA Risk Management is a blueprint for defending against cybercrime. All of the tips provided by HC3 and the FBI are included in a full HIPAA Risk Analysis and Risk Management program. Follow the HIPAA Security Rule, use the Security Rule Checklist, and review your contingency plan. We can answer your questions if you need help.