CISA Alert AA22-321A – #StopRansomware: Hive Ransomware.
This is a CISA Cybersecurity Alert. ID number AA22-321A.
Original release date: November 16, 2022.
The FBI, CISA, and the Department of Health and Human Services are releasing this alert to disseminate known Hive Ransomware Group indicators of compromise and TTPs identified through FBI investigations.
As of November 2022, Hive ransomware actors have victimized over 1,300 companies worldwide, receiving approximately 100 million dollars in ransom payments. Hive ransomware follows the ransomware-as-a-service model. Hive developers create, maintain, and update the malware, and affiliates conduct the ransomware attacks. From June 2021 through November 2022, threat actors have used Hive ransomware to target a wide range of businesses and critical infrastructure sectors, including Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health organizations.
The method of initial intrusion depends on which affiliate targets the network. Hive actors have gained initial access to victim networks by using single factor logins via Remote Desktop Protocol, virtual private networks, and other remote network connection protocols. In some cases, Hive actors have bypassed multifactor authentication with a known vulnerability that allows malicious cyber actors to log in without a prompt for the user’s second authentication factor.
Hive actors have also gained initial access to victim networks by distributing phishing emails with malicious attachments and by exploiting known vulnerabilities against Microsoft Exchange servers.
The alert documentation linked in the show notes includes these known exploited vulnerabilities, indicators of compromise, TTPs, and mitigation actions. FBI, CISA, and HHS encourage organizations to implement the recommendations in the Mitigations section of this alert to reduce the likelihood and impact of ransomware incidents. Victims of ransomware operations should report the incident to their local FBI field office or CISA.
To report incidents and anomalous activity or to request incident response resources or technical assistance, contact CISA at firstname.lastname@example.org, or call (888) 282-0870, or report incidents to your local FBI field office.
This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www.cisa.gov to read the full report, which may include additional details, links, and illustrations. A link to this report can be found in the show notes.
This has been a CISA Cybersecurity Alert.