DOJ announces takedown of ransomware group that claimed New Mexico victim


These cybersecurity tools protect small to medium-sized businesses
A ransomware group that claimed that counted an Albuquerque-based healthcare group among its hundreds of victims had its servers seized by the U.S. Justice Department in cooperation with international law enforcement agencies.
metamorworks

A ransomware group that counted an Albuquerque-based health care organization among its roughly 1,500 victims had its servers seized by the U.S. Department of Justice in cooperation with international law enforcement agencies.

In making the announcement on Thursday, Justice Department officials said the FBI infiltrated the Hive ransomware group in July, obtained decryption keys and offered them to victims across the world.

Those efforts prevented the ransomware group from obtaining more than $100 million from victims.

“In a 21st-century cyber stakeout, our investigative team turned the tables on Hive, swiping their decryption keys, passing them to victims, and ultimately averting more than $130 million in ransomware payments," Deputy Attorney General Lisa O. Monaco said in a prepared statement.

Hive claimed to have encrypted and exfiltrated data from Albuquerque-based First Choice Community Healthcare Inc. in late March. The ransomware claim bore an encryption date of March 28 and was posted on the Hive website, which is accessible through Tor hidden services. Tor hidden services are websites that can only be reached over the Tor anonymity network, typically with the Tor Browser rather than an ordinary web browser. Ransomware gangs and other malicious actors post their claims to these sites.


In the cybersecurity world, Hive is a particular flavor of ransomware and is billed as “Ransomware-as-a-Service.” Essentially, it’s developed by a group that offers it to would-be “affiliates” — hackers and malicious actors — who use the ransomware and boast of their exploits in the same way a software provider would highlight its clients. Affiliates then identify targets, deploy the malicious software against victims and earn a percentage of each ransom payment.

On March 27, 2022, a day before Hive posted its claim, First Choice Community Healthcare said it learned that unauthorized access to its systems may have revealed personal and protected health information, according to previous Albuquerque Business First reporting.

"The investigation subsequently revealed that certain personal and protected health information may have been accessed or acquired without authorization," a First Choice Community Healthcare statement posted on Aug. 1 read. "We then initiated a comprehensive review of the potentially impacted data to determine the types of personal and protected health information involved and identify the potentially impacted individuals."

The breach affected an estimated 101,541 people, according to data that First Choice Community Healthcare submitted to the Office for Civil Rights of the U.S. Department of Health and Human Services, as required by federal law.

Weeks after First Choice Community Healthcare became aware of the incident, the U.S. Department of Health and Human Services issued an alert related to Hive, calling it an exceptionally aggressive, financially motivated ransomware group that maintains sophisticated capabilities and has historically targeted health care organizations frequently.

Then, in August, a hospital in Ohio had to resort to using paper charts to treat patients following a ransomware attack attributed to Hive.

In announcing the takedown of Hive some 17 months after issuing a flash alert about the group, Justice Department officials said the FBI had provided more than 300 decryption keys to Hive victims who were under attack, and distributed more than 1,000 additional decryption keys to previous Hive victims since infiltrating the network in July 2022.

Those figures stuck out to Allan Liska, who works for the Massachusetts cybersecurity firm Recorded Future as an intelligence analyst and member of its computer security incident response team.

"That's at least 1,500 victims total in the 20 months they were active," Liska told Business First. "It shows the number of known victims is underreported."

Liska said Hive is not a "super high-end" group but is very skilled at targeting health care, financial services and manufacturing businesses.

"These kinds of takedowns are important. But it doesn't mean ransomware attacks are slowing down," he said. "Ransomware and business email compromise are still the most profitable kinds of cybercriminal activity."

In New Mexico in 2021, the FBI investigated 19 reports of ransomware, according to agency data. Nationally, between 2019 and 2021, the number of ransomware complaints reported to the Internet Crime Complaint Center increased by 82%.

As Liska alluded to, it’s likely the actual number of incidents was much higher.

The FBI's Albuquerque field office offers these tips to help guard against cybersecurity incidents and malicious actors.

  • Develop an incident response plan and review it on a regular basis. The plan should include contacting the FBI in the event of an incident. The number for the Albuquerque field office is (505) 889-1300.
  • Ensure you have offline backups of critical data and — if possible — encrypt your company's most sensitive information.
  • If computers are compromised, contact the FBI immediately.
  • Set requirements for strong, complex employee passwords.
  • Perform computer and system software upgrades in a timely fashion.
  • Implement multi-factor authentication, which requires the user to provide a password and one other method of verification before gaining access to a computer or network.
  • Monitor industry alerts issued by the Internet Crime Complaint Center.
