Hive is a new & potentially devastating type of ransomware. Here’s what you need to know.


This summer, a new type of ransomware emerged serving as a reminder that the world of cybercrime is continually evolving even during a once-in-a-century health crisis.

Called Hive, the ransomware uses several mechanisms to compromise business networks. The Federal Bureau of Investigation issued an alert about the ransomware last month after it was linked to a cyberattack at Marietta, Ohio-based Memorial Health System. The attack shut down computer systems at the health system, resulting in surgeries and radiology exams being canceled.

So, what exactly is Hive ransomware?

“Hive is… a progression of the ransomware concept,” said Ben Denkers, executive vice president of strategy and operations at cybersecurity consulting firm Cynergistek.

Hive is particularly damaging because it employs a multipronged attack approach, rather than a shotgun approach. In most ransomware cases, the first, and at times only, step is to lock up data files, but with Hive, that is the last thing that happens, Denkers explained in a phone interview.

Instead, the cybercrime group behind the Hive ransomware attacks initially stays incognito and spends time understanding the IT environment. This involves examining backup processes and the safeguards in place. They then terminate these defensive processes so the organization cannot recover easily from the attack.

The group then attempts to gain a foothold in the organization’s IT system, Denkers said. Strategies to do this can include sending phishing emails with malicious attachments and targeting remote desktop protocols, that is, technical standards for using a desktop computer remotely.

Once they have gained a pathway into an organization’s IT systems, the group deploying Hive looks for sensitive information to encrypt and leverage for ransom.

Hive functions similarly to other types of ransomware, like Ryuk, once it is installed, but there is at least one key difference that could make it a more sophisticated enemy.

Hive is driven by a human operator, Denkers said. While other types of ransomware are largely automated, there is a human behind the keyboard during a Hive attack, making determinations.

“That’s what makes [the outcome of a Hive attack] potentially devastating,” he said.

Hive ransomware was first observed in June. Since then, the group behind the ransomware has listed 28 organizations on their website as their victims, including two that are U.S. based, said Jeff Buss, CIO of healthcare consultancy Nordic Consulting.

“They are indiscriminate, in other words, they don’t have a filter saying we’re just going to go after banking or we’re just going to go after airlines,” Buss said in a phone interview. “Which is not good for the healthcare system.”

But there is some good news. Protecting against Hive does not involve implementing all new cybersecurity processes — rather it involves doubling down on existing efforts.

These include auditing asset and ID inventory and making sure you know who has access to your data and why; backing up critical data in the cloud or an external hard drive that is encrypted; and using two-factor authentication with strong passwords, Buss said.

“Really it boils down to good cyber hygiene,” he added. “Going back to the basics.”

Both Buss and Cynergistek’s Denkers believe that there will be an uptick in Hive ransomware attacks, but Jeremy Kennelly, senior manager at cybersecurity firm Mandiant Threat Intelligence, is not so sure.

“There are many ransomware families in active distribution and some of those — such as Hive — are offered as part of a profit-sharing affiliate program where the service operators and intruders deploying ransomware share successful ransom payments,” Kennelly said in an email.  “Criminals deploying ransomware can align themselves with different services simultaneously or over time.”

Kennelly believes that Hive ransomware, in particular, is not likely to explode in popularity because the ransomware ecosystem is highly competitive. Cybercriminals may not necessarily stick to Hive alone, but use other types of ransomware or develop new ones that could boost ransom payments even higher.

Still, the competitive nature of the ransomware arena should give health systems pause, as this means the type of attacks they experience are likely going to evolve and become more sophisticated. This makes it all the more important for facilities to be prepared for Hive and the next type of ransomware to appear.

Photo: traffic_analyzer, Getty Images