The HHS Office of Information Security’s Health Sector Cybersecurity Coordination Center (HC3) has issued a TLP:WHITE alert about the Hive ransomware group, an especially aggressive cybercriminal operation that has heavily targeted the healthcare sector in the United States.
HC3 has published an analysis of the tactics, techniques, and procedures (TTPs) known to be used by the ransomware gang in its attacks and has outlined cybersecurity best practices and mitigations that can be implemented to improve resilience against Hive ransomware attacks.
The Hive ransomware gang has been conducting attacks since around June 2021. The group is known for its double extortion tactics: sensitive data is exfiltrated before files are encrypted, and the group threatens to publish the stolen data if the ransom is not paid. The group is also known to telephone victims to pressure them into paying.
Hive is a ransomware-as-a-service (RaaS) operation. Affiliates are recruited to conduct attacks on the gang’s behalf in exchange for a share of the proceeds, which allows the core members of the group to focus on development and operations.
Because the affiliates have varied skill sets, a range of TTPs is used to gain initial access; however, the group most commonly relies on Remote Desktop Protocol (RDP), phishing emails, and VPN compromise. Once access to a network has been gained, compromised systems are searched for the applications and processes involved in backing up data, and those processes and applications are terminated or disrupted. Shadow copies, backup files, and system snapshots are also deleted to make it harder for victims to recover without paying the ransom.
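The backup and shadow-copy tampering described above is one of the most reliable pre-encryption signals a defender can alert on, because it happens on the victim’s own hosts before any file is encrypted. The following added example (written for this page, not code from HC3 or the article) classifies process-creation records against a small set of command-line patterns and flags hosts where several distinct tampering techniques appear. The log lines and their pipe-delimited format are constructed for the example; the tool names (vssadmin, wmic, wbadmin, bcdedit) are the usual built-ins used for this purpose, while the service and process keyword list is an assumption that should be tuned to the backup products actually deployed.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Command-line patterns associated with disabling recovery before encryption.
# The keyword list in the last two rules (backup, veeam, vss, sql) is an
# assumption for this example; adjust it to the backup software in use.
RULES: Dict[str, "re.Pattern[str]"] = {
    "vss_delete":       re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "vss_resize":       re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I),
    "wmic_shadow":      re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "wbadmin_catalog":  re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b", re.I),
    "bcdedit_recovery": re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "backup_svc_stop":  re.compile(r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop)\b.*(backup|veeam|vss|sql)", re.I),
    "backup_proc_kill": re.compile(r"\btaskkill(\.exe)?\b.*(/f|/im).*(backup|veeam|sql)", re.I),
}

# Constructed sample of process-creation events: timestamp|host|parent|commandline.
# Only the SRV-FILE01 lines show tampering; the others are benign lookalikes.
SAMPLE_LOG = r"""2022-04-18T03:12:07Z|WS-1|explorer.exe|"C:\Program Files\Backup\agent.exe" /schedule
2022-04-18T03:14:22Z|SRV-FILE01|cmd.exe|vssadmin.exe delete shadows /all /quiet
2022-04-18T03:14:23Z|SRV-FILE01|cmd.exe|wmic.exe shadowcopy delete
2022-04-18T03:14:25Z|SRV-FILE01|cmd.exe|bcdedit /set {default} recoveryenabled no
2022-04-18T03:14:26Z|SRV-FILE01|cmd.exe|net stop VeeamBackupSvc /y
2022-04-18T03:15:01Z|WS-2|svchost.exe|vssadmin list shadows
"""


def classify_command(cmdline: str) -> List[str]:
    """Return the names of every rule the command line matches (possibly none)."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def scan_process_log(lines: Iterable[str]) -> List[Tuple[int, str, List[str]]]:
    """Yield (line number, host, matched rules) for every matching record.

    Records that do not have exactly four pipe-delimited fields are skipped
    rather than raising, so a malformed line cannot stop the scan.
    """
    hits: List[Tuple[int, str, List[str]]] = []
    for n, line in enumerate(lines, 1):
        fields = line.rstrip("\n").split("|", 3)
        if len(fields) != 4:
            continue
        _ts, host, _parent, cmd = fields
        names = classify_command(cmd)
        if names:
            hits.append((n, host, names))
    return hits


def hosts_at_risk(hits: List[Tuple[int, str, List[str]]], threshold: int = 2) -> Set[str]:
    """Hosts on which at least `threshold` distinct tampering techniques were seen.

    A single vssadmin call can be legitimate administration; several different
    recovery-disabling techniques on one host in quick succession rarely is.
    """
    seen: Dict[str, Set[str]] = {}
    for _n, host, names in hits:
        seen.setdefault(host, set()).update(names)
    return {host for host, names in seen.items() if len(names) >= threshold}


if __name__ == "__main__":
    found = scan_process_log(SAMPLE_LOG.splitlines())
    for n, host, names in found:
        print(f"line {n}: {host}: {', '.join(names)}")
    print("hosts at risk:", sorted(hosts_at_risk(found)))
```

In production the same classifier would run over Sysmon Event ID 1 or Windows Security Event ID 4688 command lines rather than this constructed format; the point is the escalation step, which separates an isolated `vssadmin list shadows` from the cluster of recovery-disabling commands that precedes encryption.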
The ransomware is under active development. Several features and practices are used to hinder analysis of the ransomware and the interception and monitoring of communications with victims, and the group has adopted a new IPv4 address obfuscation technique, known as IPfuscation, to make its attacks stealthier.
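IPfuscation hides a binary payload by storing it as a sequence of ASCII IPv4 address strings (four payload bytes per dotted quad), which the loader converts back to raw bytes at runtime; a scanner that only looks for suspicious byte sequences sees nothing but harmless-looking addresses. The added example below (written for this page, not code from Hive or from HC3) shows the encoding and decoding in both directions and then scans a constructed binary blob for runs of adjacent address literals and reassembles them, which is the heuristic a detection engineer would use to spot the technique. The placeholder payload, the blob layout, and the run-length and gap thresholds are assumptions for the example.

```python
import re
from typing import Iterable, List, Tuple


def ipfuscate(payload: bytes) -> List[str]:
    """Encode bytes as dotted-quad strings, four bytes per 'address'.

    There is no length field, so the last group is zero-padded; the decoder
    returns the padded length and the caller must know the real size.
    """
    padded = payload + b"\x00" * (-len(payload) % 4)
    return [".".join(str(b) for b in padded[i:i + 4]) for i in range(0, len(padded), 4)]


def deipfuscate(addresses: Iterable[str]) -> bytes:
    """Reverse ipfuscate: each dotted quad contributes four bytes, in order."""
    out = bytearray()
    for addr in addresses:
        octets = [int(x) for x in addr.split(".")]
        if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
            raise ValueError(f"not an IPv4 literal: {addr!r}")
        out.extend(octets)
    return bytes(out)


# A dotted quad not embedded in a longer numeric/dotted token.
_DOTTED_QUAD = re.compile(rb"(?<![0-9.])(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?![0-9.])")


def find_ipfuscated_runs(blob: bytes, min_run: int = 8, max_gap: int = 2) -> List[Tuple[int, bytes]]:
    """Find runs of at least `min_run` adjacent IPv4 literals and decode them.

    Consecutive literals separated by at most `max_gap` bytes (e.g. a NUL
    terminator) are treated as one array. Literals with an octet above 255
    are ignored, since a loader could not convert them to an address.
    Returns (offset of the first literal, decoded bytes) per run.
    """
    runs: List[List[Tuple[int, bytes]]] = []
    current: List[Tuple[int, bytes]] = []
    last_end = None
    for m in _DOTTED_QUAD.finditer(blob):
        try:
            chunk = deipfuscate([m.group().decode("ascii")])
        except ValueError:
            continue
        if last_end is not None and m.start() - last_end <= max_gap:
            current.append((m.start(), chunk))
        else:
            if len(current) >= min_run:
                runs.append(current)
            current = [(m.start(), chunk)]
        last_end = m.end()
    if len(current) >= min_run:
        runs.append(current)
    return [(run[0][0], b"".join(chunk for _, chunk in run)) for run in runs]


# Constructed placeholder payload (52 bytes of text, not shellcode) and a
# constructed blob that embeds it as a NUL-separated array of address strings
# between unrelated bytes, including a lone address and a version string that
# must not be reported.
PAYLOAD = b"constructed placeholder payload, not real shellcode!"
BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"version 1.0.2\x00"
    + b"\x00".join(a.encode("ascii") for a in ipfuscate(PAYLOAD)) + b"\x00"
    + b"\x00" * 8 + b"10.0.0.1\x00"
)


if __name__ == "__main__":
    print(ipfuscate(PAYLOAD)[:3], "...")
    for offset, data in find_ipfuscated_runs(BLOB):
        print(f"run at offset {offset}: {len(data)} bytes: {data!r}")
```

The regex alone is not evidence of anything; a normal binary can legitimately contain a handful of address literals. What distinguishes IPfuscation is the density: dozens or hundreds of dotted quads packed back to back with nothing but terminators between them, which is why the scanner reports runs rather than individual matches.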
Protecting against Hive ransomware attacks requires standard cybersecurity best practices to be adopted, including the following:
- Changing default passwords and using strong passwords
- Using two-factor authentication, particularly for remote access services
- Providing employees with regular security awareness training
- Making multiple backup copies, testing those backups, and storing backups offline
- Ensuring continuous monitoring, supported by a continuous feed of threat intelligence
- Implementing a comprehensive vulnerability management program and prioritizing known exploited vulnerabilities
- Ensuring software and operating systems are kept up to date
- Using comprehensive endpoint security solutions that are automatically updated with the latest signatures and updates.