CISA: Hive ransomware has netted more than $100 million from over 1,300 victims
Jonathan Greig November 18, 2022

The Hive ransomware group has brought in more than $100 million from attacks on more than 1,300 companies worldwide from June 2021 to November 2022, according to a new joint report from several U.S. agencies.

The FBI, Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services released an advisory Thursday on the ransomware-as-a-service (RaaS) group, which has made a point of going after healthcare organizations. 

The group forced a California healthcare facility to shut down in March and attacked Romania’s largest oil refinery proprietor in February.

It has targeted a wide range of businesses and critical infrastructure sectors including government facilities, manufacturing, IT and more. Typically, Hive members have gained initial access to victims through phishing emails with malicious attachments.

“Once the victim organization contacts Hive actors on the live chat panel, Hive actors communicate the ransom amount and the payment deadline. Hive actors negotiate ransom demands in U.S. dollars, with initial amounts ranging from several thousand to millions of dollars,” the agencies said, adding that the group uses Bitcoin to receive payments. The group’s actors have been known to reinfect networks after a victim organization restores service without paying the ransom.

The group has used a variety of tactics during its attacks and has shown an ability to bypass multi-factor authentication. The advisory provides a list of vulnerabilities the group has exploited in the past, which include Fortinet bugs (CVE-2020-12812) and a range of Microsoft Exchange issues like CVE-2021-31207, CVE-2021-34473 and CVE-2021-34523. 

The Fortinet vulnerability “enables a malicious cyber actor to log in without a prompt for the user’s second authentication factor (FortiToken) when the actor changes the case of the username,” according to the advisory. 
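The following is an added illustration of the bug class the advisory describes, not Fortinet's code and not taken from the advisory: the password check matches the account regardless of username case, but the second-factor lookup is case-sensitive and fails open, so a differently-cased spelling of the username finds no enrolled token and the second factor is never asked for. The directory contents and the `Directory`, `login_vulnerable` and `login_fixed` names are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Directory:
    # Constructed sample data: one user, stored mixed-case as many directories do.
    passwords: dict = field(default_factory=lambda: {"Alice": "s3cret"})
    tokens: dict = field(default_factory=lambda: {"Alice": "123456"})

    def find_user(self, username):
        # Directory-style lookup: case-insensitive, returns the canonical name.
        for name in self.passwords:
            if name.lower() == username.lower():
                return name
        return None


def login_vulnerable(d, username, password, otp):
    """Models the flaw: first factor is case-insensitive, second factor is not."""
    canonical = d.find_user(username)
    if canonical is None or d.passwords[canonical] != password:
        return False
    # BUG: the token lookup uses the username exactly as typed ("alice" != "Alice"),
    # and a missing token is treated as "no second factor required".
    token = d.tokens.get(username)
    if token is None:
        return True  # fail-open: second factor silently skipped
    return otp == token


def login_fixed(d, username, password, otp):
    """Hardened variant: one canonical identity for both factors, fail closed."""
    canonical = d.find_user(username)
    if canonical is None or d.passwords[canonical] != password:
        return False
    # FIX: look up the token under the same canonical name the password check used,
    # and refuse the login when no token is enrolled rather than skipping the step.
    token = d.tokens.get(canonical)
    if token is None:
        return False
    return otp == token
```

A detection-side takeaway from the same model: logins that succeed without a second-factor event, or whose typed username differs in case from the directory record, are worth alerting on.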

According to Recorded Future’s ransomware tracker, Hive is among the top ten most active ransomware groups operating currently. 

The FBI spotlighted the group in August 2021 after their members ransomed dozens of healthcare organizations last year. 

In 2021, Hive attacked at least 28 healthcare organizations, including Memorial Health System in Ohio and West Virginia, which was hit with a ransomware attack on August 15.

“Healthcare is one of the most targeted critical sectors today as shown by the recent wave of attacks on healthcare organizations,” said Aaron Sandeen, CEO of Cyber Security Works (CSW).

“CSW researchers have identified 624 vulnerabilities, 9 of which are associated with ransomware, in vendor products commonly used by healthcare providers. Healthcare vendors, and those who rely on their products, must regularly update, patch, and apply standard mitigation measures to these vulnerabilities to help prevent a ransomware attack.”

Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.