HHS cybersecurity center notes “very aggressive” threat by Hive hacking group

Ransomware groups targeting health organizations, physicians’ offices.

The U.S. Department of Health and Human Services (HHS) is warning health care providers about an aggressive cybersecurity threat.

The HHS Health Sector Cybersecurity Coordination Center (HC3) published an analyst note about Hive, which has been in operation since June 2021 and is described as “very aggressive in targeting the U.S. health sector.”

“Hive is an exceptionally aggressive, financially motivated ransomware group known to maintain sophisticated capabilities who have historically targeted healthcare organizations frequently,” the HC3 warning said. The center cited reports of Hive’s activities, including one that ranked Hive fourth most active among ransomware operators in the third quarter of 2021.

The HC3 note said Hive conducts double extortion, stealing data before encrypting it, and supports the extortion with a data leak site accessible on the dark web.

“They operate via the ransomware as a service (RaaS) model, which involves them focusing on development and operations of the ransomware and other partners/affiliates to obtain initial access to the victim infrastructure,” the HC3 note said.

Hive-encrypted files end with a .hive, .key.hive or .key extension.

“Some victims have received phone calls from Hive to pressure them to pay and conduct negotiations,” the HC3 warning said. “Like some other ransomware variants, Hive searches victim systems for applications and processes which backup data and terminates or disrupts them. This includes deleting shadow copies, backup files, and system snapshots.”
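The two concrete indicators the note gives, the encrypted-file extensions and the destruction of shadow copies and backups, can be turned into simple detection logic. The following is an added example written for this page; it is not HC3's or Hive's code. The extensions come from the note, but the specific backup-tampering command lines (vssadmin, wmic, bcdedit, wbadmin), the log line format and the sample log lines are this example's own assumptions and constructed data, not indicators the note publishes.

```python
"""Detection helpers for two Hive indicators described in the HC3 note:
encrypted-file extensions and tampering with backups/shadow copies.

Added example, not HC3's or Hive's code. The command-line patterns below are
assumed indicators of backup tampering, not taken from the HC3 note, and the
sample log lines and file listing are constructed.
"""
import re
from dataclasses import dataclass

# Extensions the note reports on Hive-encrypted files. ".key.hive" ends with
# ".hive", so the strong check covers it. ".key" alone is only a weak indicator
# because legitimate files (TLS private keys, for example) use it too.
HIVE_STRONG_EXT = (".hive",)
HIVE_WEAK_EXT = (".key",)

# Assumed command-line patterns for backup/snapshot destruction (not from the note).
BACKUP_TAMPER_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

# Assumed process-creation log format: "<timestamp> <host> <pid> <command line>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<pid>\d+)\s+(?P<cmd>.+)$")


@dataclass
class Finding:
    host: str
    reason: str
    detail: str


def classify_path(path: str) -> str:
    """Return 'strong', 'weak' or 'none' for a path's Hive-style extension."""
    lower = path.lower()
    if lower.endswith(HIVE_STRONG_EXT):
        return "strong"
    if lower.endswith(HIVE_WEAK_EXT):
        return "weak"
    return "none"


def scan_process_log(lines):
    """Flag command lines that match the assumed backup-tampering patterns."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        cmd = m.group("cmd")
        if any(pat.search(cmd) for pat in BACKUP_TAMPER_PATTERNS):
            findings.append(Finding(m.group("host"), "backup-tampering", cmd))
    return findings


def scan_file_listing(paths, host="unknown", weak_threshold=20):
    """Flag a host on any '.hive' file, or on a burst of '.key' files.

    A single '.key' file is normal; many appearing together is not."""
    strong = [p for p in paths if classify_path(p) == "strong"]
    weak = [p for p in paths if classify_path(p) == "weak"]
    findings = []
    if strong:
        findings.append(Finding(host, "hive-extension",
                                f"{len(strong)} file(s), e.g. {strong[0]}"))
    if len(weak) >= weak_threshold:
        findings.append(Finding(host, "key-extension-burst", f"{len(weak)} .key files"))
    return findings


# Constructed sample data (not real telemetry).
SAMPLE_PROCESS_LOG = [
    "2022-04-18T09:12:01Z FS01 4412 C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "2022-04-18T09:12:03Z FS01 4420 wmic.exe shadowcopy delete",
    "2022-04-18T09:13:10Z WS07 2210 C:\\Program Files\\Backup\\agent.exe --schedule nightly",
    "2022-04-18T09:14:00Z FS01 4431 bcdedit.exe /set {default} recoveryenabled No",
    "malformed line",
]
SAMPLE_FILE_LISTING = (
    ["C:\\share\\report.docx.hive", "C:\\share\\q1.xlsx.key.hive"]
    + [f"C:\\share\\doc{i}.pdf.key" for i in range(20)]
    + ["C:\\share\\readme.txt"]
)

if __name__ == "__main__":
    for f in scan_process_log(SAMPLE_PROCESS_LOG) + scan_file_listing(SAMPLE_FILE_LISTING, host="FS01"):
        print(f"{f.host}: {f.reason}: {f.detail}")
```

On the constructed samples this reports three backup-tampering command lines on FS01 (the scheduled backup agent on WS07 is not flagged) plus the encrypted-file findings. The `.key` threshold exists because that extension alone would otherwise page on every certificate directory; tune it to the environment.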

HC3 also recommended prevention as the optimal defense against ransomware variants. Health care computer networks should use measures such as strong passwords, two-factor authentication, sufficient data backups and continuous monitoring.

HC3 published the Hive note on April 18.

The agency this month published a warning to health care systems about the hacking group known as Lapsus$. That group uses diverse techniques and has targeted large firms, including Microsoft.

In March, HC3 issued an alert about the ransomware group Conti, which “has aggressively targeted healthcare organizations since it was first observed in 2019.”

There were no specific or credible threats at the time, but HC3 said U.S. cybersecurity agencies fully expect Conti’s aggressive hacking to continue.