Hive is a potentially devastating new type of ransomware. Here’s what you need to know.



This summer, a new type of ransomware emerged, reminding us that the world of cybercrime is constantly changing, even during a health crisis unique in a century.

Called Hive, the ransomware uses several mechanisms to compromise corporate networks. The Federal Bureau of Investigation issued an alert about the ransomware last month after it was linked to a cyberattack on Memorial Health System in Marietta, Ohio. The attack shut down computer systems across the health system, resulting in the cancellation of surgeries and x-ray examinations.

So what exactly is Hive ransomware?

“Hive is… a progression of the ransomware concept,” said Ben Denkers, executive vice president of strategy and operations at the cybersecurity consultancy Cynergistek.

Hive is particularly damaging because it uses a multi-pronged attack approach, rather than a shotgun approach. In most cases of ransomware, the first, and sometimes the only, step is to lock the data files, but with Hive, that’s the last thing that happens, Denkers explained in a phone interview.

Instead, the cybercrime group behind the Hive ransomware attacks initially remains hidden and spends time understanding the IT environment. This involves looking at the backup processes and the backups in place. The group then disables these defensive processes so that the organization cannot easily recover from the attack.

The group then tries to gain a foothold in the organization’s computer systems, Denkers said. Strategies for doing this can include sending phishing emails with malicious attachments and targeting remote desktop protocols, that is, the technical standards for using a desktop computer remotely.

After they gain access to an organization’s computer systems, the group that deploys Hive searches for sensitive information to encrypt and exploit for ransom.

Hive works the same as other types of ransomware, like Ryuk, once it’s installed, but there is at least one key difference that could make it a more sophisticated foe.

Hive is driven by a human operator, Denkers said. While other types of ransomware are largely automated, there is a human behind the keyboard during a Hive attack, who makes decisions.

“This is what makes [the outcome of a Hive attack] potentially devastating,” he said.

The Hive ransomware was first observed in June. Since then, the group behind the ransomware has listed 28 organizations on its website as victims, including two based in the United States, said Jeff Buss, chief information officer of the health consultancy firm Nordic Council.

“They’re blind, in other words, they don’t have a filter saying we’re just going to go after the banks or we’re just going to go after the airlines,” Buss said in a telephone interview. “Which is not good for the health care system.”

But there is good news. Protecting yourself against Hive doesn’t mean implementing all new cybersecurity processes, but rather doubling down on existing efforts.

These include auditing the asset and intellectual property inventory and making sure you know who has access to your data and why; backing up critical data to the cloud or to an encrypted external hard drive; and using two-factor authentication with strong passwords, Buss said.

“In reality, it boils down to good cyber hygiene,” he added. “Getting back to basics.”

Cynergistek’s Buss and Denkers believe there will be a slight increase in Hive ransomware attacks, but Jeremy Kennelly, senior director of threat intelligence at the cybersecurity company Mandiant, is not so sure.

“There are many families of ransomware in active distribution and some of them, like Hive, are offered as part of a profit-sharing affiliate program where service operators and ransomware-deploying intruders share successful ransom payments,” Kennelly said in an email. “Criminals who deploy ransomware can align with different services simultaneously or over time.”

Kennelly believes that Hive ransomware, in particular, is not likely to explode in popularity because the ransomware ecosystem is very competitive. Cybercriminals will not necessarily stick with Hive, but may use other types of ransomware or develop new ones that could increase ransom payments even further.

Still, the competitive nature of the ransomware arena should give healthcare systems pause, as it means the type of attacks they experience is likely to evolve and become more sophisticated. It is therefore all the more important that facilities are prepared for Hive and for the next type of ransomware to appear.

Photo: traffic_analyzer, Getty Images
