The U.S. government has warned of ongoing malicious activity by the notorious Hive ransomware gang, which has extorted more than $100 million from its growing list of victims.
A joint advisory released by the FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) on Thursday revealed that the Hive ransomware gang has received upwards of $100 million in ransom payments from over 1,300 victims since the gang was first observed in June 2021.
This list of victims includes organizations from a number of industries and critical infrastructure sectors, such as government facilities, communications, and information technology, with a particular focus on healthcare and public health entities.
Hive, which operates a ransomware-as-a-service (RaaS) model, claimed the Illinois-based Memorial Health System as its first healthcare victim in August 2021. The cyberattack forced the health system to divert care for emergency patients and cancel urgent care surgeries and radiology exams. The ransomware gang also leaked sensitive health data of about 216,000 patients.
Then, in June 2022, the gang compromised Costa Rica's public health service before targeting the New York-based emergency response and ambulance service provider Empress EMS the following month. Over 320,000 individuals had data stolen, including names, dates of service, insurance information, and Social Security numbers.
Just last month, Hive also added Lake Charles Memorial Health System, a hospital system in Southwest Louisiana, to its dark web leak site, where it posted hundreds of gigabytes of data, including patient and employee information.
Hive also targeted Tata Power, a major power generation company in India, in October.
The joint FBI-CISA-HHS advisory warns that Hive typically gains access to victim networks by using stolen single-factor credentials to access organizations' remote desktop systems, virtual private networks, and other internet-facing systems. But CISA also warns that the ransomware group skirts some multi-factor authentication systems by exploiting unpatched vulnerabilities.
"In some cases, Hive actors have bypassed multi-factor authentication and gained access to FortiOS servers by exploiting CVE-2020-12812," the advisory says. "This vulnerability enables a malicious cyber actor to log in without a prompt for the user's second authentication factor (FortiToken) when the actor changes the case of the username."
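As an added example, not part of the advisory or of the original article, the Python below runs a simple hunt over constructed login records for the two patterns the advisory describes: the same account authenticating under different letter case within a short window, and successful logins that recorded no second factor. The record format, field names, usernames and addresses are all hypothetical and are not FortiOS log syntax.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical format (not FortiOS log syntax):
# "<ISO timestamp> user=<name> src=<ip> mfa=<yes|no> result=<success|failure>"
SAMPLE_LOG = """\
2022-11-17T08:00:01 user=jdoe src=203.0.113.5 mfa=yes result=success
2022-11-17T08:02:10 user=JDoe src=198.51.100.7 mfa=no result=success
2022-11-17T08:02:12 user=jDOE src=198.51.100.7 mfa=no result=success
2022-11-17T09:15:00 user=asmith src=203.0.113.9 mfa=yes result=success
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) mfa=(yes|no) result=(\S+)$")


def parse_log(text):
    """Parse the constructed format into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, src, mfa, result = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "src": src,
                       "mfa": mfa == "yes", "ok": result == "success"})
    return events


def find_case_variant_logins(events, window=timedelta(minutes=10)):
    """Flag accounts whose *successful* logins used the same name in different
    letter case within `window`. Returns (canonical_user, spellings, sources)."""
    by_user = defaultdict(list)
    for e in events:
        if e["ok"]:
            by_user[e["user"].lower()].append(e)  # case-fold to group variants
    findings = []
    for canon, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            later = [e for e in evs[i + 1:] if e["ts"] - first["ts"] <= window]
            spellings = {first["user"]} | {e["user"] for e in later}
            if len(spellings) > 1:
                sources = sorted({e["src"] for e in [first] + later})
                findings.append((canon, sorted(spellings), sources))
                break  # one finding per account is enough for triage
    return findings


def find_mfa_less_logins(events):
    """Successful logins that recorded no second factor, as (user, src) pairs."""
    return sorted({(e["user"], e["src"]) for e in events if e["ok"] and not e["mfa"]})
```

Case-folding before grouping is the point: a detection keyed on the raw username string would treat `jdoe` and `JDoe` as unrelated accounts and miss the pattern entirely.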
The advisory also warns that Hive actors have been observed reinfecting victims that restored their environments without paying a ransom, either with Hive or another ransomware variant.
Microsoft Threat Intelligence Center (MSTIC) researchers warned earlier this year that Hive had upgraded its malware by migrating its code from Go to the Rust programming language, enabling it to use a more complex encryption method for its ransomware-as-a-service payload.
The U.S. government shared Hive indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) identified by the FBI to help defenders detect malicious activity associated with Hive affiliates and reduce or eliminate the impact of such incidents.