FBI, CISA, and HHS released joint Cybersecurity Advisory #StopRansomware: Hive Ransomware yesterday afternoon, detailing IOCs and TTPs of the Hive ransomware group.
Joint agency warning on Hive ransomware.
Yesterday afternoon, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) released a joint Cybersecurity Advisory (CSA) on the Hive ransomware group. The advisory provides indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) identified through FBI investigations.
Hive is a ransomware-as-a-service operation.
According to the advisory, as of November 2022, over 1,300 companies have fallen victim to Hive ransomware actors, and the group has received $100 million in ransom payments. The advisory says, “Hive ransomware follows the ransomware-as-a-service (RaaS) model in which developers create, maintain, and update the malware, and affiliates conduct the ransomware attacks. From June 2021 through at least November 2022, threat actors have used Hive ransomware to target a wide range of businesses and critical infrastructure sectors, including Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health (HPH).” The group exploited Microsoft Exchange Server vulnerabilities CVE-2021-31207, CVE-2021-34473, and CVE-2021-34523. The advisory also lists IOCs and TTPs specific to the group.
Mitigations for Hive ransomware.
FBI, CISA, and HHS provide mitigations for the Hive ransomware, including verifying Hive actors no longer have access to the network, installing updates for operating systems, software, and firmware as soon as possible, and requiring phishing-resistant multifactor authentication (MFA).
An audio version of this Joint Advisory is available on the CyberWire.
Added, 12:30 PM, November 18th, 2022.
Lior Yaari, CEO and co-founder of Grip Security, sees Hive's operations as, in effect, an argument that relying on passwords alone for secure access is inadequate. “Hive ransomware gains initial access using compromised credentials and this demonstrates how fragile logins and passwords are in the modern age. Companies can take steps to greatly reduce this risk by rotating passwords, but this simple task is not very straightforward due to the hundreds of accounts and passwords people have these days. Until there is a solution that addresses this huge problem in security, we will continue to see identity-based attack methods proliferate and realize even bigger illicit profits.”
Added, 3:15 PM, November 18th, 2022.
Roger Grimes, data-driven defense evangelist at KnowBe4, thoroughly approves of the advisory, but thinks it might have taken note of the way training and education can help arm employees against social engineering: “Regarding the recent joint announcement on Hive ransomware, it really is a great document and I applaud all the involved agencies. They are really doing a great job. My only grievance is that even though the document acknowledges that one of the primary initial access methods for Hive is phishing emails with malware attachments, in the rest of the document, they don't recommend educating end users on how to recognize phishing threats and not to open suspicious files, which is the single best recommendation you could make to stop that type of attack. It's part of the reason why people don't do better with stopping phishing attacks, because we literally aren't telling defenders to do it.”