The cybersecurity division of the FBI is warning organizations about Hive ransomware, citing indicators of compromise and recent incidents. The ransomware is actively targeting healthcare systems.
The warning follows an attack by the same group on Memorial Health System in mid-August. While the healthcare system said employee and patient personal and financial information was not compromised, the attack shut its computer systems down on Aug. 15.
Hive ransomware was first observed in June 2021. It encrypts files and terminates backup and file-copying processes to carry out its attacks, the FBI said.
The ransomware uses tactics such as phishing emails with malicious attachments to compromise businesses. Its ransom notes urge victims to purchase decryption software through ransom payments and threaten to leak exfiltrated victim data on the Tor site “HiveLeaks,” the FBI warns. Once inside, the malware uses the Remote Desktop Protocol (RDP) to move laterally across the targeted network.
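The two behaviours the alert describes, backup and file-copying processes being terminated and RDP being used to move between hosts, are both observable in ordinary Windows event logs. The script below is an added defender-side example, not code from the FBI alert or from this article: it correlates service-stop events against a small watchlist of backup-related services with RDP (logon type 10) logons on the same host inside a two-hour window. The log lines, hostnames, IP addresses, and the service watchlist are constructed for the example, and the JSON field names are a simplified rendering of Windows Security/System events rather than raw EVTX output.

```python
"""Flag hosts where a backup-related service was stopped shortly after an RDP logon.

Added example for the Hive ransomware alert described above. The log format,
hostnames, IPs and the service watchlist are constructed/assumed, not taken from
the alert; the Windows event IDs (4624 logon, 7036 service state change) are real.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed watchlist of backup-related Windows services. Stopping these ahead of
# encryption matches the "terminates backup processes" behaviour in the alert.
BACKUP_SERVICES = {"vss", "wbengine", "sqlwriter"}

# Only alert when both behaviours occur on one host within this window,
# so a lone admin RDP session or a scheduled maintenance stop is not flagged.
WINDOW = timedelta(hours=2)

# Constructed sample events (one JSON object per line, simplified field names).
SAMPLE_LOG = """
{"ts": "2021-08-15T01:02:10", "host": "FILESRV01", "event_id": 4624, "logon_type": 10, "user": "svc_admin", "src_ip": "10.20.5.17"}
{"ts": "2021-08-15T01:05:44", "host": "FILESRV01", "event_id": 7036, "service": "VSS", "state": "stopped"}
{"ts": "2021-08-15T01:06:02", "host": "FILESRV01", "event_id": 7036, "service": "wbengine", "state": "stopped"}
{"ts": "2021-08-15T09:30:00", "host": "WKS-0042", "event_id": 4624, "logon_type": 10, "user": "jdoe", "src_ip": "10.20.9.3"}
{"ts": "2021-08-14T22:00:00", "host": "DBSRV02", "event_id": 7036, "service": "SQLWriter", "state": "stopped"}
{"ts": "2021-08-15T01:07:15", "host": "FILESRV01", "event_id": 4624, "logon_type": 10, "user": "svc_admin", "src_ip": "10.20.5.17"}
"""


def parse_events(text):
    """Parse JSON lines into event dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def find_suspicious_hosts(events):
    """Return {host: summary} for hosts with an RDP logon followed, within WINDOW,
    by a stop of a watchlisted backup service."""
    rdp = defaultdict(list)    # host -> RDP (logon type 10) logon events
    stops = defaultdict(list)  # host -> watchlisted service stop events
    for ev in events:
        if ev["event_id"] == 4624 and ev.get("logon_type") == 10:
            rdp[ev["host"]].append(ev)
        elif (ev["event_id"] == 7036 and ev.get("state") == "stopped"
              and ev.get("service", "").lower() in BACKUP_SERVICES):
            stops[ev["host"]].append(ev)

    findings = {}
    for host in stops.keys() & rdp.keys():
        # Keep only stops that happened after some RDP logon and inside the window.
        correlated = [
            s for s in stops[host]
            if any(timedelta(0) <= s["ts"] - r["ts"] <= WINDOW for r in rdp[host])
        ]
        if correlated:
            findings[host] = {
                "stopped_services": sorted({s["service"] for s in correlated}),
                "rdp_sources": sorted({r["src_ip"] for r in rdp[host]}),
                "rdp_logons": len(rdp[host]),
            }
    return findings


if __name__ == "__main__":
    for host, summary in find_suspicious_hosts(parse_events(SAMPLE_LOG)).items():
        print(f"{host}: backup services stopped {summary['stopped_services']} "
              f"after RDP logon(s) from {summary['rdp_sources']}")
```

On the constructed sample only FILESRV01 is flagged: WKS-0042 has an RDP logon with no backup tampering, and DBSRV02 has a service stop with no RDP session near it. In production the watchlist would be extended to the backup products actually deployed, and the RDP source addresses in the finding give the responder the next host to examine.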
In addition to the ransom notes, the FBI said some victims have also received phone calls requesting payment for their files.
“Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware and/or fund illicit activities,” the FBI release said. “Paying the ransom also does not guarantee that a victim’s files will be recovered.”
The FBI identified various indicators of compromise, including applications, a domain, and various files. The agency recommends that targeted organizations take precautions, including data backups and multi-factor authentication, and urges them to report ransomware incidents.
The alert comes as the healthcare industry has seen an uptick in cyberattacks amid the COVID-19 pandemic. Scripps Health and DuPage Medical Group were also hit by hackers this year. In May, the agency issued a similar warning about Conti ransomware targeting healthcare networks.