FBI Issues Flash Alert on Hive Ransomware Group
The FBI warned organizations about Hive, the ransomware group identified as the culprit behind the recent cyberattack on Memorial Health System.
In a flash alert, the FBI noted that the group’s primary tactics include sending phishing emails to gain access to networks and using Remote Desktop Protocol to move laterally once inside.
According to the intelligence agency, upon successful encryption of an organization’s files, Hive leaves a ransom note instructing victims on how to purchase the necessary decryption software.
The ransomware group threatens to leak exfiltrated victim data on the Tor site “HiveLeaks” if victims fail to deliver the payment within the given deadline, which is usually two to six days, HealthITSecurity reported Tuesday.
The FBI’s alert lists common indicators of compromise, including files disguised as applications supporting enterprise operations. Because such files may be malicious, the agency advised organizations to remove any application not deemed necessary for day-to-day operations.
Hive was first observed in June and became prominent following the mid-August attack on computers of the non-profit Memorial Health System, which consists of Marietta Memorial Hospital, Selby General Hospital and Sistersville General Hospital.
Bleeping Computer reported that attackers were able to steal databases with sensitive and personal information belonging to 200,000 patients. The attack also led to the cancelation of urgent surgical cases and radiology exams.
The FBI discouraged organizations hit by ransomware from agreeing to the terms of the malicious actors, as there is no guarantee that the stolen files will be recovered. Organizations are advised to report ransomware incidents to local FBI offices and to implement measures such as isolating the infected system to limit potential risks.