![]() ![]() They are delivered via phishing or emails in order to establish initial access. Cobalt Strike implants are most often the tool of choice. We can’t put the toothpaste back in the tube for Memorial Health Systems, but we can at least contribute a breakdown of the Hive operators’ preferred techniques and a deep dive into their ransomware toolkit to help other potential victims. HiveLeaks site showing the timer before releasing victim files As of the time of writing, there are 30 companies currently named on the HiveLeaks site. Hive’s schemes have proven successful so far as multiple leaks are currently posted on their victim blog. This allows them to pressure the victim into paying greater sums than a conventional ransomware attack as they also face the threat of a mass leak of sensitive data. Hive is yet another double extortion group, making their money off of a two-pronged attack: exfiltrating sensitive data before locking up the victims’ systems. Hive or “HiveLeaks” is a relatively new ransomware outfit that made its appearance on the scene in late June, 2021. ![]() Memorial Health Systems open statement on ransomware attack Who is Hive? This is a human-operated ransomware attack designed to take input from the command line, indicating the attackers are both aware of the environment and tailoring their attacks for maximum impact. While some ransomware attacks hitting public health and critical infrastructure targets can be the result of a shotgun approach to targetting – mass phishing campaigns that execute malware blindly on victim devices without awareness of the victim environment – that is not the case with Hive. As a result, the hospital was forced to advise some patients to seek treatment at separate facilities. On August 15, 2021, news broke of a Hive campaign against Memorial Health System, an Ohio healthcare provider. While many active ransomware groups have committed to forgoing attacks on medical targets in deference to the current global situation, Hive is not one of them. Hive remains active with as many as 30 victim companies listed on its Hive Leaks onion site at the time of writing.This report offers an overview of Hive TTPs as well as a reverse engineering deep dive into the ransomware payloads.Hive ransomware is written in Go to take advantage of the language’s concurrency features to encrypt files faster.The group is notable in its undiscerning choice of targets, having no limits when it comes to healthcare providers and hospitals, as evidenced in a recent attack on Memorial Health System hospitals in Ohio.Hive is a double-extortion ransomware group that first appeared in June 2021.By Jim Walter & Juan Andres Guerrero-Saade Executive Summary ![]()
0 Comments
Leave a Reply. |