The FBI has released an alert about the Hive ransomware after the group took down Memorial Health System last week.
The alert explains that Hive is affiliate-operated ransomware first seen in June that deploys "multiple mechanisms to compromise business networks, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol to move laterally once on the network."
"After compromising a victim network, Hive ransomware actors exfiltrate data and encrypt files on the network. The actors leave a ransom note in each affected directory within a victim's system, which provides instructions on how to purchase the decryption software. The ransom note also threatens to leak exfiltrated victim data on the Tor site, 'HiveLeaks,'" the FBI explained.
"Hive ransomware seeks processes related to backups, anti-virus/anti-spyware, and file copying and terminates them to facilitate file encryption. The encrypted files commonly end with a hive extension."
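The two artifacts the alert describes (a ransom note dropped in every affected directory and encrypted files carrying a `.hive` extension) are easy to check for during triage. The script below is an added example, not code from the FBI alert or the article: it walks a directory tree, reports which directories show either indicator, and computes the share of files already encrypted. The ransom note filename is not given in the alert, so `NOTE_NAMES` holds a constructed placeholder, and the sample tree is built inline for demonstration.

```python
import os
import tempfile

# Extension the FBI alert says Hive-encrypted files commonly end with.
ENCRYPTED_EXT = ".hive"
# Ransom-note filenames to look for. The alert says a note is left in each
# affected directory but does not name it; this is a constructed placeholder.
NOTE_NAMES = {"RANSOM_NOTE_PLACEHOLDER.txt"}


def scan_tree(root):
    """Walk root and return per-directory triage counts.

    Each value is {"encrypted": n, "other": m, "note": bool}, keyed by the
    directory path relative to root.
    """
    report = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        encrypted = sum(1 for f in filenames if f.lower().endswith(ENCRYPTED_EXT))
        note = any(f in NOTE_NAMES for f in filenames)
        other = len(filenames) - encrypted - (1 if note else 0)
        report[rel] = {"encrypted": encrypted, "other": other, "note": note}
    return report


def affected_dirs(report):
    """Directories that show either indicator: a ransom note or any .hive file."""
    return sorted(d for d, r in report.items() if r["note"] or r["encrypted"] > 0)


def encrypted_ratio(report):
    """Fraction of all files (notes excluded) that already carry the .hive extension."""
    total = sum(r["encrypted"] + r["other"] for r in report.values())
    encrypted = sum(r["encrypted"] for r in report.values())
    return encrypted / total if total else 0.0


def build_sample_tree(base):
    """Create a constructed sample: two hit directories and one untouched one."""
    layout = {
        "finance": ["q1.xlsx.hive", "q2.xlsx.hive", "RANSOM_NOTE_PLACEHOLDER.txt"],
        os.path.join("finance", "archive"): ["old.docx.hive", "RANSOM_NOTE_PLACEHOLDER.txt"],
        "public": ["readme.txt", "logo.png"],
    }
    for d, files in layout.items():
        os.makedirs(os.path.join(base, d), exist_ok=True)
        for f in files:
            with open(os.path.join(base, d, f), "w") as fh:
                fh.write("sample\n")
    return base


def demo():
    """Build the sample tree, scan it, and return (affected dirs, encrypted ratio)."""
    base = build_sample_tree(tempfile.mkdtemp())
    report = scan_tree(base)
    return affected_dirs(report), encrypted_ratio(report)


if __name__ == "__main__":
    hits, ratio = demo()
    print("affected directories:", hits)
    print("encrypted share: %.0f%%" % (ratio * 100))
```

Run against a mounted disk image or a file server share rather than a live, still-encrypting host; the list of affected directories tells responders where notes and encrypted files are concentrated, and the ratio gives a rough sense of how far encryption progressed before the process was stopped.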
The alert explains how the ransomware corrupts systems and backups before directing victims to a link to the group's "sales department", reachable through the Tor browser. The link brings victims to a live chat with the people behind the attack, but the FBI noted that some victims have even been phoned by the attackers demanding ransoms.
Most victims face a payment deadline ranging between two and six days, but others were able to extend their deadlines through negotiation.
The group operates a leak site that it uses to pressure victims into paying. The FBI included indicators of compromise, a link to the leak site and a sample of a ransom note given to a victim.
John Riggi, American Hospital Association senior advisor for cybersecurity, said the new Hive ransomware is particularly concerning for healthcare organizations. Hive has so far attacked at least 28 organizations, including Memorial Health System, which was hit with a ransomware attack on August 15. The non-profit runs a number of hospitals, clinics and healthcare sites across Ohio and West Virginia.
CEO Scott Cantley said in a statement that staff at three hospitals -- Marietta Memorial, Selby, and Sistersville General Hospital -- were forced to use paper charts while their IT teams worked to restore their systems.
All urgent surgical cases and radiology exams for Monday, August 16, were cancelled because of the attack. Memorial Health System Emergency Departments were forced to go on diversion due to the attack. Marietta Memorial Hospital agreed only to keep taking patients suffering from strokes and trauma incidents.
All other patients had to be transported to other hospitals. The FBI, CISA and cybersecurity experts helped the hospital respond to the attack.
In a statement three days later, Cantley said the hospital system "reached a negotiated solution and are beginning the process that will restore operations as quickly and as safely as possible."
He later admitted to The Marietta Times that the hospital paid a ransom to receive the decryption keys.
"We have completed an agreement and received the keys to unlock our servers and begin to process recovery. The FBI has their suspicions of an Eastern European entity that is relatively new and sophisticated," Cantley explained.
"It's good news for our staff to get our tools back. We have 800 servers and more than 3000 personal devices that our physicians use to serve patients. We will keep services to essential, and next week we should be back to typical services. We continue to serve our patients with great care in the face of adversity."
The hospital's systems were brought back online by the weekend, and Cantley said there was no "indication that any patient or employee data has been publicly released or disclosed."
"Unfortunately, many health care organizations are confronting the impacts of an evolving cyber threat landscape," Cantley said.