Hive ransomware actors have extorted over $100M from victims, says FBI

The U.S. government has warned of ongoing malicious activity by the notorious Hive ransomware gang, which has extorted more than $100 million from its growing list of victims.

A joint advisory released by the FBI, the U.S. Cybersecurity and Infrastructure Security Agency, and the Department of Health and Human Services on Thursday revealed that the Hive ransomware gang has received upwards of $100 million in ransom payments from over 1,300 victims since the gang was first observed in June 2021.

This list of victims includes organizations from a wide range of industries and critical infrastructure sectors such as government facilities, communications, and information technology, with a focus on specifically healthcare and public health entities.

Hive, which operates a ransomware-as-a-service (RaaS) model, claimed the Illinois-based Memorial Health System as its first healthcare victim in August 2021. This cyberattack forced the health system to divert care for emergency patients and cancel urgent care surgeries and radiology exams. The ransomware gang also released sensitive health information of about 216,000 patients.

Then, in June 2022, the gang compromised Costa Rica’s public health service before targeting New York-based emergency response and ambulance service provider Empress EMS the following month. Over 320,000 individuals had information stolen, including names, dates of services, insurance information, and Social Security numbers.

Just last month, Hive also added Lake Charles Memorial Health System, a hospital system in Southwest Louisiana, to its dark web leak site, where it posted hundreds of gigabytes of data, including patient and employee information.

Hive also targeted Tata Power, a top power generation company in India, in October.

The joint FBI-CISA-HHS advisory warns that Hive typically gains access to victim networks by using stolen single-factor credentials to access organization remote desktop systems, virtual private networks, and other internet-facing systems. But CISA also warns that the ransomware group also skirts some multi-factor authentication systems by exploiting unpatched vulnerabilities.

“In some cases, Hive actors have bypassed multi-factor authentication and gained access to FortiOS servers by exploiting CVE-2020-12812,” the advisory says. “This vulnerability enables a malicious cyber-actor to log in without a prompt for the user’s second authentication factor (FortiToken) when the actor changes the case of the username.”

The advisory also warns that Hive actors have been observed reinfecting victims that restored their environments without paying a ransom, either with Hive or another ransomware variant.

Microsoft’s Threat Intelligence Center (MSTIC) researchers warned earlier this year that Hive had upgraded its malware by migrating its code from Go to the Rust programming language, enabling it to use a more complex encryption method for its ransomware as a service payload.

The U.S. government shared Hive indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) discovered by the FBI to help defenders detect malicious activity associated with Hive affiliates and reduce or eliminate the impact of such incidents.