Hive is dangerous new ransomware threat, FBI says

Hive ransomware is a new emerging threat to organizations, the FBI said in a warning to cyber security professionals.

First seen in June of this year, Hive presents "significant challenges" due to its use of a variety of tactics, techniques and procedures, or so-called TTPs, the FBI said in the advisory.

After gaining access to a victim network, Hive leaves a ransom note in an affected system’s directories with instructions on how to purchase software to unlock the files, the FBI said. The note also threatens to leak the victim's stolen data. On occasion, victims have reported getting phone calls requesting payment.

Phishing email with malicious attachments is a common Hive tactic to gain access to a network, according to the advisory. 


FILE - The FBI headquarters is seen on Feb. 2, 2018 in Washington, DC.

RELATED: Tech, finance leaders meeting with Biden to talk cybersecurity defense

Hive is classified as double-extortion ransomware, according to a report from Palo Alto Networks’ Unit 42. 

Conventional ransomware encrypts data so it is no longer accessible by a victim organization, then demands a ransom in return for a decryption key.  Double extortion goes further by making threats to leak the data. This is meant to increase the pressure on victims to pay the ransom. 

"Hive uses all tools available in the extortion toolset to create pressure on the victim, including the date of initial compromise, countdown, the date the leak was actually disclosed on their site, and even the option to share the disclosed leak on social media," according to the Unit 42 report.

Since June, Hive has affected 28 organizations, which are listed on the group’s extortion site, Unit 42 said. Those organizations include a European airline and three U.S.-based organizations.

RELATED: FBI warns of ransomware uptick ahead of Labor Day holiday

Hospitals are some of the most vulnerable targets. 

"This new strain of ransomware may be of particular concern for health care," John Riggi, AHA senior advisor for cybersecurity and risk, said in a statement referring to Hive. "The FBI and AHA strongly discourage payment of ransom if at all possible," Riggi said.

Last month, Memorial Health System (MHS), an Ohio-based hospital chain, was forced to shut down IT systems and cancel surgeries in the wake of a ransomware attack.

MHS suspended access to critical IT systems and was reduced to working with paper charts. The attack resulted in disruptions to clinical and financial operations.

Organizations should be on high alert on Labor Day weekend, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI said in a separate advisory.

CISA and the FBI urged businesses to be "especially diligent" about their network security practices. While officials said they were not currently aware of a specific threat, they said there is a trend of serious ransomware attacks on holidays when offices are typically closed.