An alert has been issued by the FBI regarding Hive ransomware after the gang crippled the networks of Memorial Health System. Hive is a relatively new ransomware using phishing emails laden with malicious attachments for obtaining access to target networks.

Alert

Hive group has targeted at least 28 organizations, with most of its victims falling in the healthcare sector. It damages systems and backups and then leads the victims to a link with a live chat with the individuals behind the attack.

Most victims face a ransom deadline of two to six days. This deadline of two to six days can be extended further by negotiating with the attackers. some victims have been called manually by the attackers to pressurize them into paying the ransom.

Mode of Operation

Hive actors use RDP to move laterally inside the network. After successfully penetrating the network, the attackers steal information and encrypt the targeted files. The encrypted files are renamed with the .hive extension.

Hive ransomware searches for backup-related processes, anti-virus/spyware, and file copying, and terminates these processes for file encryption. They leave a ransom note in every infected directory, which provides details on how to obtain the decryption software.

The FBI’s warning about the Hive ransomware group recommends backing up critical data offline and in the cloud. It urges organizations to use 2FA and strong passwords, including for remote access services, wherever possible. Furthermore, a response plan in the event of ransomware attacks should be kept handy.