The FBI on Wednesday released an advisory on Hive ransomware about a week after the threat group took down systems at Memorial Health System in Ohio and West Virginia.
In its statement, the FBI said Hive ransomware was first observed in June 2021 and operates as affiliate-based ransomware. As a precaution, the FBI recommends removing any application not deemed necessary for day-to-day operations.
Palo Alto’s Unit 42 reports that Hive has impacted 28 organizations that are now listed on the group’s extortion site, including a European airline company and three organizations based in the United States.
The FBI said Hive ransomware uses a wide variety of tactics, techniques, and procedures (TTPs), which creates significant challenges for defenders. The ransomware compromises business networks in multiple ways, including phishing emails with malicious attachments to gain access and remote desktop protocol (RDP) to move laterally once it gains access to the network.
After compromising a network, the FBI said, Hive exfiltrates data and encrypts files on the network. The threat actors leave a ransom note in each affected directory within a victim’s system, which gives instructions on how to purchase the decryption software. The ransom note also threatens to leak exfiltrated victim data on the group’s Tor leak site, HiveLeaks.
What organizations should pay attention to in these advisories are not only static indicators of attack, but also how adversaries like Hive are getting into the network, said Sean Nikkel, senior cyber threat intel analyst at Digital Shadows. Nikkel said that since the threat actors rely on executables, security teams should sandbox or inspect them on inbound email.
“Users should be trained not to open attachments from emails, especially executables, and not have privileges to do so anyway,” Nikkel said. “Security teams should also look at how to hunt for behavioral indicators, including checks on common services that are modified or deleted and looking for commands that can be seen through endpoint monitoring or system logs. IOCs like domains or IPs can change over time. Still, the tactics and behaviors can often stay the same and lead to higher fidelity information about that system's chances of compromise.”
Joseph Carson, chief security scientist and Advisory CISO at ThycoticCentrify, said businesses need to take ransomware seriously as it will continue on as the largest cyber threat we face. Carson said it only takes one employee with local admin privileges clicking on a malicious email attachment to take down an entire organization.
“By ensuring that a comprehensive system for monitoring and controlling privileged access credentials is in place, organizations can greatly lower the success rate and risks of a ransomware attack,” Carson said. “If attackers do gain initial access to a network, they’ll begin to look for ways to escalate their privileges to fully compromise a network and spread the attack. Privileged access management tools can slow that spread and keep ransomware contained at its inception point.”
Dave Cundiff, vice president, member success at Cyvatar, said each one of the indicators of compromise in the FBI notice can be prevented with very simple steps: 7Zip not being allowed to run because it is not approved software, and preventing Microsoft Defender from being disabled with policy configurations for the endpoint.
“While a foundational holistic approach would provide a very formidable level of protection against these types of attacks, as the mutations of attacks continue, they will continue to be different combinations of existing TTPs,” said Cundiff.
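To make the behavioral hunting Nikkel describes, and the two controls Cundiff singles out (Microsoft Defender being disabled, 7-Zip running where it is not approved software), concrete, the following Python script is an added example; it is not code from the FBI advisory or from any of the vendors quoted above. It runs three generic rules over a constructed, simplified process-creation log: Defender tampering on the command line, services being stopped, deleted or reconfigured, and an archiver binary executing from outside a sanctioned install directory. The log layout, the regular expressions, the hostnames and the approved 7-Zip path are all assumptions made for the example, not Hive-specific indicators from the advisory.

```python
"""Behavioral hunt over endpoint process-creation events.

Added example, not from the FBI advisory or the vendors quoted in the
article. Scans a constructed process-creation log for behaviors the
article mentions: Defender disabled, services modified or deleted, and
7-Zip running from an unapproved location.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Assumed record layout, one event per line (loosely modelled on Sysmon Event ID 1):
# timestamp|host|user|parent_image|image|command_line
# Constructed sample data; hostnames, users and paths are invented.
SAMPLE_LOG = r"""
2021-08-25T09:14:31Z|WS-017|CORP\jdoe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"
2021-08-25T09:15:10Z|WS-017|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Windows\System32\sc.exe|sc stop WinDefend
2021-08-25T09:15:12Z|WS-017|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Windows\System32\sc.exe|sc delete BackupSvc
2021-08-25T09:16:44Z|WS-017|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Users\jdoe\AppData\Local\Temp\7z.exe|7z.exe a -pHunter2 staging.7z D:\Finance
2021-08-25T09:20:00Z|SRV-BK01|CORP\svc_backup|C:\Windows\System32\services.exe|C:\Program Files\7-Zip\7z.exe|7z.exe a nightly.7z E:\Backups
2021-08-25T09:21:05Z|WS-004|CORP\helpdesk|C:\Windows\System32\cmd.exe|C:\Windows\System32\sc.exe|sc query WinDefend
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    rule: str
    evidence: str


# Command-line rules (case-insensitive). Generic precursor behaviors, not Hive IOCs (assumption).
COMMAND_RULES = {
    # Defender turned off via the PowerShell cmdlet, or its service stopped/deleted/reconfigured
    "defender_tamper": re.compile(
        r"Set-MpPreference\s+-Disable\w+"
        r"|\b(?:sc|net)(?:\.exe)?\s+(?:stop|delete|config)\s+WinDefend\b",
        re.IGNORECASE,
    ),
    # Any service stopped, deleted or reconfigured from the command line
    "service_modified": re.compile(
        r"\bsc(?:\.exe)?\s+(?:stop|delete|config)\s+\S+"
        r"|\bnet(?:\.exe)?\s+stop\s+\S+",
        re.IGNORECASE,
    ),
}

# Application-control style check: 7-Zip binaries are only tolerated from the
# sanctioned install directory. Both the binary names and the path are assumptions.
ARCHIVER_BINARIES = {"7z.exe", "7za.exe", "7zg.exe"}
APPROVED_ARCHIVER_DIR = "c:\\program files\\7-zip\\"


def parse_event(line: str) -> Dict[str, str]:
    """Split one pipe-delimited record into named fields."""
    fields = line.split("|", 5)
    if len(fields) != 6:
        raise ValueError(f"malformed record: {line!r}")
    keys = ("timestamp", "host", "user", "parent_image", "image", "command_line")
    return dict(zip(keys, fields))


def hunt(log_text: str) -> List[Finding]:
    """Return every rule hit in the log, one Finding per (event, rule) pair."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for rule, pattern in COMMAND_RULES.items():
            if pattern.search(ev["command_line"]):
                findings.append(Finding(ev["timestamp"], ev["host"], ev["user"], rule, ev["command_line"]))
        image = ev["image"].lower()
        basename = image.rsplit("\\", 1)[-1]
        if basename in ARCHIVER_BINARIES and not image.startswith(APPROVED_ARCHIVER_DIR):
            findings.append(Finding(ev["timestamp"], ev["host"], ev["user"], "unapproved_archiver", ev["image"]))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, Dict[str, int]]:
    """Count rule hits per host so a cluster of behaviors on one endpoint stands out."""
    per_host: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for f in findings:
        per_host[f.host][f.rule] += 1
    return {host: dict(rules) for host, rules in per_host.items()}


if __name__ == "__main__":
    hits = hunt(SAMPLE_LOG)
    for f in hits:
        print(f"{f.timestamp} {f.host} {f.user} [{f.rule}] {f.evidence}")
    print(summarize(hits))
```

On the sample data, every hit lands on WS-017: the Defender cmdlet, the service stop and delete, and 7-Zip launched from a user's Temp directory. The sanctioned 7-Zip run on the backup server and the read-only `sc query` on WS-004 produce nothing, which is the point of keying on behavior plus an allowlist rather than on a binary name alone. The per-host summary is what turns individually noisy events (a single `net stop` is routine) into a higher-fidelity signal, in line with Nikkel's remark that tactics and behaviors outlive any particular domain or IP.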