Hospitals, school districts, financial firms and critical infrastructure are all among the victims, according to the FBI.
Hundreds of cyberattacks have been reported against healthcare systems, but federal authorities say a “21st century cyber stakeout” thwarted a notorious group targeting hospitals and other critical infrastructure.
The U.S. Justice Department announced Thursday that the FBI managed to break into the networks of Hive, a ransomware group that has threatened health systems, financial companies, and schools around the world.
The FBI managed to penetrate Hive’s systems, recover decryption keys and offer those tools to victims. The FBI’s success prevented victims from having to pay $130 million in ransom payments, the Justice Department said.
John Riggi, the American Hospital Association’s national adviser for cybersecurity and risk, hailed the FBI’s success in disrupting the Hive group. Scores of hospitals have been hit by ransomware attacks.
“The disruption and dismantlement of the Hive ransomware by the FBI, the U.S. Department of Justice and international partners is welcome news and will help make hospitals safer against high-impact ransomware attacks, which have disrupted health care delivery and jeopardized patient safety,” Riggi said in a statement.
The federal government reported hundreds of breaches of private health information in 2022, affecting millions of Americans.
In a survey of healthcare IT professionals released earlier this month, nearly half said their organizations experienced a ransomware attack in the past two years. Among those who said they had been hit with a ransomware attack, 45% said the attacks led to patient complications, according to the survey by the Ponemon Institute.
The Justice Department said the FBI distributed over 1,000 additional decryption keys to previous Hive victims. And the department said it coordinated with law enforcement agencies in Germany and the Netherlands to hamper Hive’s ability to communicate with its members by seizing servers and websites Hive has used.
Deputy Attorney General Lisa O. Monaco said in a statement that the success of federal authorities should send a reassuring message to victims and a warning to other cybercriminals.
“In a 21st century cyber stakeout, our investigative team turned the tables on Hive, swiping their decryption keys, passing them to victims, and ultimately averting more than $130 million dollars in ransomware payments,” Monaco said. “We will continue to strike back against cybercrime using any means possible and place victims at the center of our efforts to mitigate the cyber threat.”
The Hive group has been all too successful. Since June 2021, the Hive group has targeted more than 1,500 victims around the world and received more than $100 million in ransom payments.
“Cybercrime is a constantly evolving threat,” Attorney General Merrick Garland said in a statement. “But as I have said before, the Justice Department will spare no resource to identify and bring to justice, anyone, anywhere, who targets the United States with a ransomware attack.”
The Department of Health & Human Services sent an advisory in April 2022 warning hospitals and healthcare providers about the Hive group.
Hive “has been very aggressive in targeting the U.S. health sector,” the HHS Cybersecurity Program advisory said.
Ransomware gangs have demanded payments to restore systems, or have threatened to release private health information from patients unless they are paid, experts say.
Hospitals have been hampered by ransomware payments all too frequently, said Lee Kim, the senior principal, cybersecurity and privacy at the Healthcare Information and Management Systems Society (HIMSS).
“The threat of ransomware hasn't gone away,” Kim told Chief Healthcare Executive in a December interview.
“Certainly the extortion techniques that are used to try to force hospital systems to pay ransom, that’s certainly in vogue at the current time,” she said. “I think as we look at the past incidents in this past year, obviously, ransomware is among them.”
Health systems are making progress in defending against cyberattacks, but too many are vulnerable, Kim said.
“We do see some organizations that essentially are probably applying a wait-and-see approach because they haven't been breached yet,” Kim said.