FBI disrupts Hive ransomware: Hospitals among those spared

The bureau, with an array of allied agencies composing the International Ransomware Taskforce, shielded more than 300 victims and prevented attacks valued at $130 million.

Beginning this past July, the Federal Bureau of Investigation – with the assistance of overseas law enforcement agencies from Canada to Lithuania and victimized asset operators across various sectors – seized the servers and websites of the Hive ransomware network, FBI Director Christopher Wray annonced on Thursday. 

The disruption makes hospitals safer against high-impact ransomware attacks, says the American Hospital Association.

Hive networks seized

The U.S. Attorney General Merrick Garland said yesterday that on the evening of January 25, a months-long investigation led to the seizure of Hive's websites and servers. 

The FBI first gained access to Hive’s computer networks, then captured its decryption keys and offered them to victims worldwide, according to the U.S. Department of Justice announcement.

Working with international partners, Hive's websites and communication networks have also been seized. 

Director Wray said the cooperative investigation "cut off the gas that was fueling Hive’s fire" and "crippled Hive's ability to sting again," in a statement posted to the FBI's website.

Though none have been made yet, the DOJ said it is pursuing arrests for crimes by the Russia-linked organization.

A win for patient safety

The Cybersecurity and Infrastructure Security Agency said in a November National Cyber Awareness System alert that threat actors using Hive ransomware victimized more than 1,300 companies worldwide since June 2021, yielding about $100 million in ransom payments. 

By April 2022, the Health Sector Cybersecurity Coordination Center warned those deploying Hive ransomware had an  aggressive appetite for targeting healthcare organizations. 

While recommending adherence to standard cyber defense practices, HC3 acknowledged that their tactics, techniques and procedures were difficult to defend against.

Dismantling HIVE ransomware "will help make hospitals safer against high impact ransomware attacks, which have disrupted healthcare delivery and jeopardized patient safety," according to John Riggi, AHA’s national advisor for cybersecurity and risk.

Empowering healthcare cyberattack victims

Exchange and coordination is what healthcare and healthcare IT leaders in both the public and private sector cannot stress enough.  

"As U.S. Attorney General Garland stated, this coordinated international law enforcement action was assisted with victim cooperation – including hospitals – and through the robust exchange of cyber threat information exchange with the private sector," Riggi told Healthcare IT News by email.

Empowering healthcare organizations to look to and actively work with federal investigators, competitors and others is a hurdle addressed in public and private discussions. The AHA encourages hospitals and other healthcare ransomware targets to step up and share information, and the FBI asks them to reach out when they are attacked. 

Members of the FBI have also assured the agency is not going to re-victimize an organization that calls when hit with a cyberattack. 

"We are definitely not showing up in FBI raincoats because that would victimize the victim," William McDermott, FBI special agent, told attendees of the 2022 HIMSS Cybersecurity Conference in December. 

He also said while they are providing support, FBI cybersecurity investigators will not fish around provider networks to search for compliance violations. He noted that the FBI has prevented healthcare cyberattacks, like those on Bulter County Health Care Center  in David City, Nebraska and Boston Children`s Hospital.

A successful government offense

 

He also said a warrant affidavit indicated Hive's "back-end server was stored at a Los Angeles provider," and included an image of a partially redacted document.

"The Justice Department will spare no resource to identify and bring to justice anyone, anywhere, who targets the United States with a ransomware attack," Garland said. 

Since it hacked Hive, the FBI has provided more than 300 decryption keys to victims under attack and more than 1,000 to previous victims.

"We will continue to work both to prevent these attacks and to provide support to victims who have been targeted. And together with our international partners, we will continue to disrupt the criminal networks that deploy these attacks,” Garland assured.

AHA is a staunch advocate for prioritizing ransomware attacks against hospitals as threat to life crimes and utilizing federal capabilities to dismantle ransomware organizations. 

"For the past several years we have publicly and privately advocated for implementation of this strategy. To not just raise awareness of the seriousness of these attacks on our hospitals and health care providers but also to prevent them from happening," said Riggi.

"The AHA is proud to partner with all federal law enforcement, healthcare and national security agencies to facilitate and amplify the rapid and effective exchange of cyber threat information with the field – to help defend and protect healthcare providers and patients against these cyber threats," he added.

Commenting by email Tom Kellermann, senior vice president of cyber strategy application security and development operations provider Contrast Security called the cooperation that turned the tables on Hive historic. 

"The International Ransomware taskforce is having an impact," he said.