ALPS blog

Ransomware Spotlight: Hive

Hive ransomware is one of the new ransomware families in 2021 that poses significant challenges to enterprises worldwide. We take an in-depth look at the ransomware group’s operations and discuss how organizations can bolster their defenses against it.

While some ransomware groups operating as ransomware-as-a-service (RaaS) networks claim to steer clear of targeting specific sectors such as hospitals or other critical industries to avoid causing harm to people, Hive’s attacks against healthcare providers in 2021 showed that the operators behind it have no regard for such humanitarian considerations. A hospital in Missouri suffered a Hive ransomware attack three weeks after the same group hit the integrated systems of a healthcare provider that affected three hospitals and many outpatient clinics in two other US states. Hive ransomware has become one of the most active ransomware families since its discovery in June 2021. To defend against this threat, it is therefore crucial for companies to be acquainted with the various mechanisms that the infamous ransomware gang uses.

What do organizations need to know about Hive?

On August 15, 2021, Hive’s ransomware attacks against a non-profit integrated health system severely disrupted the clinical and financial operations of three hospitals in Ohio and West Virginia. The attack resulted in emergency room diversions and cancelation of urgent surgical cases and radiology examinations. The encryption of files forced the hospital staff to use paper charts. Aside from the three hospitals, the affected non-profit also runs several outpatient service sites and clinics with a combined workforce of 3,000 employees.

Hive operators used double extortion techniques in this attack. Aside from the encryption of data, they also stole patient information that they threatened to publish on HiveLeaks, their dedicated leak site. The gang shares the list of victims that have not paid the ransom on their Tor site.

The incident prompted the FBI to issue an alert in late August that detailed Hive ransomware’s indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs). According to the alert, Hive operators use phishing emails with malicious attachments to gain initial access to the system and Remote Desktop Protocol (RDP) to move laterally once on the network.

The motivation of those in the cyber-underground to expand their foothold inevitably leads to the incursion of uncharted paths. In late October 2021, threat researchers discovered that Hive has new malware tools specifically developed to encrypt Linux and FreeBSD systems. The report notes that Hive is among other ransomware operators that have set their sights on Linux servers. Other notorious ransomware groups have also been known to create their own Linux encryptors.

As enterprises slowly migrate to virtual machines to achieve better device management and optimize the use of resources, targeting virtual machines also makes good business sense for RaaS operators because it enables them to encrypt multiple servers simultaneously with just one command. Researchers pointed out that Hive’s bespoke tool for Linux is not fully functional yet as it still cannot completely encrypt all files when the malware was deployed in an explicit path. However, one can expect Hive to keep refining their Linux encryptors to diversify and fortify its malware tool kit.

In January 2022, one of Europe’s largest car dealers suffered a Hive ransomware attack. The Swiss company’s name appeared as one of the victims on HiveLeaks in February. Targeting high-value enterprises has become a trend for ransomware operators as can be gleaned from the profile of the victim that reportedly generated US$3.29 billion in revenues for 2020.


Featured News