SEPTEMBER 14, 2021

Healthcare vs. HIVE Ransomware: How to Protect Yourself

The healthcare industry is not immune from ransomware, even though many ransomware gangs have discouraged the use of their variants against these organizations. They discourage it because attacks on healthcare are especially high profile and potentially life-threatening.

It’s estimated that ransomware attacks cost the industry $21B in 2020, with 92 known ransomware attacks impacting more than 600 separate healthcare organizations and compromising upwards of 18 million patient records.

Attacks are happening now, with serious implications for patients, healthcare workers, and the health and well-being of the organization. And as cybercriminals expand the target radius of their attacks looking for susceptible targets, even more networks, hospitals, and clinics could find themselves in the crosshairs.

AvosLocker is one of the new ransomware variants that specifically targets healthcare organizations. Unlike other ransomware variants that infect a network and immediately cripple functionality, AvosLocker slowly encrypts each file in a command prompt window on the user’s screen, inflicting a high level of psychological harm while it takes over the system. Users see what’s happening to their environment in real time but are powerless to do anything to impede the attack.

This ransomware is highly efficient in what it does, although it doesn’t kill off analysis tools. In fact, ProcMon was able to save the entire capture of the encryption process. This is different from other ransomware strains that block the installation or running of tools and programs as a countermeasure.

Another recent threat to the healthcare sector is HIVE, which has been making small waves since it first appeared in June of 2021. Just like LockBit 2.0 and REvil, it is a double extortion-based ransomware which relies heavily on the Cobalt Strike Beacon for C2 capabilities.

One interesting thing about the HIVE ransomware is the unrelenting fashion in which it is used to attack the medical industry, a practice which other APT groups have vehemently stated they are against for the reasons listed above.

HIVE and Memorial Health System

HIVE was responsible for the attacks on Memorial Health System hospitals in the Ohio area in August, and the FBI is now warning healthcare systems to prepare for similar attacks. As a part of the ransom process, HIVE drops a batch file called “Shadow.bat” which kills off all shadow copies and then removes itself from the machine. This is designed to prevent system restoration. If your organization doesn’t have external backups, then you are reliant on the decryption utility to access your data.
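
Detection logic for the behaviour described above (shadow copies deleted, then the script removed), added here as an example and not taken from the article or any vendor tooling. The command-line patterns, event field names and sample events are assumptions; the article does not say which command Shadow.bat runs.

```python
import re
from collections import defaultdict

# Assumption: these are common Windows shadow-copy deletion command lines.
# The page does not say which command Shadow.bat actually runs.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+(.*\s)?delete",
    re.IGNORECASE,
)
# A command interpreter deleting a .bat file (script cleanup).
BAT_DELETE = re.compile(r"\bdel\b.*\.bat\b", re.IGNORECASE)
# A parent process that is a batch script run by cmd.exe.
BAT_PARENT = re.compile(r"cmd(\.exe)?\s.*\.bat\b", re.IGNORECASE)


def triage(events):
    """Return {host: (severity, [reasons])} for process-creation events."""
    reasons = defaultdict(list)
    for ev in events:
        cmd, parent = ev["cmd"], ev.get("parent_cmd", "")
        if SHADOW_DELETE.search(cmd):
            src = "batch script" if BAT_PARENT.search(parent) else "other parent"
            reasons[ev["host"]].append(f"shadow copies deleted ({src})")
        elif BAT_DELETE.search(cmd):
            reasons[ev["host"]].append("batch file deleted")
    verdicts = {}
    for host, why in reasons.items():
        deleted = any(r.startswith("shadow") for r in why)
        cleanup = "batch file deleted" in why
        # Deletion plus script cleanup on one host is the Shadow.bat pattern.
        severity = "critical" if deleted and cleanup else "high" if deleted else "low"
        verdicts[host] = (severity, why)
    return verdicts


# Constructed sample events (not real telemetry); field names are hypothetical.
SAMPLE = [
    {"host": "ws-01", "cmd": "vssadmin.exe delete shadows /all /quiet",
     "parent_cmd": r"cmd.exe /c C:\Users\Public\shadow.bat"},
    {"host": "ws-01", "cmd": r'cmd.exe /c del "C:\Users\Public\shadow.bat"',
     "parent_cmd": r"cmd.exe /c C:\Users\Public\shadow.bat"},
    {"host": "ws-02", "cmd": "vssadmin.exe list shadows", "parent_cmd": "powershell.exe"},
    {"host": "srv-03", "cmd": "wmic shadowcopy delete", "parent_cmd": "explorer.exe"},
    {"host": "ws-04", "cmd": r"cmd.exe /c del C:\temp\build.bat", "parent_cmd": "cmd.exe"},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```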

This ransomware also employs the same psychological tricks that AvosLocker uses by making cyber teams watch the encryption of all their files live via a command window as it happens. However, unlike AvosLocker, it completely kills off running applications like ProcMon and other analysis utilities.

Complete Protection from HIVE Ransomware

While every healthcare organization has taken thorough steps to ensure their security stacks offer protection against malware and other threats, healthcare security professionals need to employ tools that can stop these known threats.

Healthcare organizations must adopt a prevention-first mindset to have complete protection from the threat of ransomware. When lives are on the line, a breach is not an acceptable event.

Pictured below are the blocks of AvosLocker and HIVE as I dropped them on my secured VM.