FBI releases alert about Hive ransomware after attack on hospital system in Ohio and West Virginia
The FBI has issued an alert about the Hive ransomware after the group took down Memorial Health System last week.
The alert explains that Hive is an affiliate-operated ransomware first seen in June that deploys “multiple mechanisms to compromise business networks, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol to move laterally once on the network.”
“After compromising a victim network, Hive ransomware actors exfiltrate data and encrypt files on the network. The actors leave a ransom note in each affected directory within a victim’s system, which provides instructions on how to purchase the decryption software. The ransom note also threatens to leak exfiltrated victim data on the Tor site, ‘HiveLeaks,’” the FBI explained.
“Hive ransomware seeks processes related to backups, anti-virus/anti-spyware, and file copying and terminates them to facilitate file encryption. The encrypted files commonly end with a .hive extension.”
The alert explains how the ransomware corrupts systems and backups before directing victims to a link to the group’s “sales department” that can be accessed through a TOR browser. The link brings victims to a live chat with the people behind the attack, but the FBI noted that some victims have even been called by the attackers demanding ransoms.
Most victims face a payment deadline ranging between two and six days, but others have been able to extend their deadlines through negotiation.
The group operates a leak site that they use to threaten victims into paying. The FBI included indicators of compromise, a link to the leak site and a sample of a ransom note given to a victim.
John Riggi, American Hospital Association senior advisor for cybersecurity, said the new Hive ransomware is of particular concern for healthcare organizations. Hive has so far attacked at least 28 organizations, including Memorial Health System, which was hit with a ransomware attack on August 15. The non-profit runs a number of hospitals, clinics and healthcare sites across Ohio and West Virginia.
CEO Scott Cantley said in a statement that staff at three hospitals, Marietta Memorial, Selby, and Sistersville General Hospital, were forced to use paper charts while their IT teams worked to restore their systems.
All urgent surgical cases and radiology exams for Monday, August 16 were cancelled because of the attack. Memorial Health System Emergency Departments were forced to go on diversion due to the attack, with Marietta Memorial Hospital agreeing only to keep taking patients suffering from strokes and trauma incidents.
Anyone else in need of help simply had to be transported to other hospitals. The FBI, CISA and cybersecurity experts helped the hospital respond to the attack.
In a statement three days later, Cantley said the hospital system “reached a negotiated solution and are beginning the process that will restore operations as quickly and as safely as possible.”
He later admitted to The Marietta Times that the hospital paid a ransom to receive the decryption keys.
“We have completed an agreement and received the keys to unlock our servers and begin to process restoration. The FBI has their suspicions of an Eastern European entity that is relatively new and sophisticated,” Cantley explained.
“It is good news for our staff to get our tools back. We have 800 servers and more than 3,000 personal devices that our physicians use to serve patients. We will keep services to essential and next week we should be back to typical services. We continue to serve our patients with great care in the face of adversity.”
The hospital’s systems were brought back online by the weekend and Cantley said there was no “indication that any patient or employee data has been publicly released or disclosed.”
“It is unfortunate that many health care organizations are confronting the impacts of an evolving cyber threat landscape,” Cantley said.