Today, there is a ransomware attack against a healthcare facility, or healthcare conglomerate out in California, known as Partnership HealthPlan of California. They were attacked by the Hive ransomware group. This blog will explain who Hive is, how they did this, and what you can do to prevent Hive attacking your organization from a cyberattack. So, let's get into what you can do now to prevent this!
Hive ransomware group has been around for a little while, probably close to a year now. The FBI highlighted these guys back in July or so of 2021. The group now has hit another big organization; Partnership HealthPlan of California. It's a nonprofit that helps hundreds of thousands of people access healthcare in California. Although, the problem here is that the organization is one of the largest Medi-Cal managed care plan providers in Northern California, and it serves about 610,000 Medi-Cal beneficiaries in 14 California counties. So this is a pretty big organization that got attacked, and you can probably imagine the amount of data that they have.
If you are in the healthcare world and you're wondering does this violate HIPAA? It absolutely does. When criminal actors get access to your network, whether they deploy ransomware or not, is a reportable breach under HIPAA. Anytime anybody who's not supposed to have access to private health information and they get access to it is a reportable HIPAA action, and you need to report it to the proper authorities.
Many article experts say it’s unclear when the attack began, and Partnership HealthPlan of California is currently unable to respond to request for comment. But the local newspaper, The Press Democrat, was first to report it on March 24th, that the organization was facing technical issues.
In this situation, cyber experts are starting to see a lot more with ransomware attacks happen this way, especially when insurance companies are involved. Probably about a year ago, companies were coming out and basically telling you everything that was going on. They realized that this was a bad idea. Once, lawyers get involved and breach attorneys get more experience around this kind of stuff, companies just say that they're having technical difficulties and they don't really admit to a ransomware attack right away.
To get into the other side of things, this group, Hive, is out there leaking information on the dark web, or at least they were. There are reports that they removed it from their dark web leak site, probably because once the lawyers got involved and started negotiating, that was one of the stipulations so to speak is remove this and we'll negotiate. They claim they’ve stolen 400 gigabytes of data from this organization. The ransomware gang said it encrypted the organization systems on March 19th, but only added them to the leak site on March 29th.
So, wondering, how do they get into your network, and what can you look for with this group?
Well, you're typically going to see this group, they are ransomware as a service group. Basically, that means they find affiliates and work with affiliates who gain access to the networks. Hive has also been observed because once they have network access, they then try to what cyber experts call move laterally inside of the network. They're known to use a wide variety of techniques to do so.
Some techniques to compromise business networks is starting with phishing emails or malicious attachments through email to gain access, and then they like to use remote desktop protocol to move laterally once in the network. Now what does this mean?
It means you have to get protection on your email; filtering so you're not receiving this type of email. Also, if you do, you need to have a good security awareness training in place for your employees. This helps them to know how to react and respond and what to do with that email once they receive it, because they shouldn't be clicking on it and they shouldn't be opening things. They should be reporting it to their security officer if you're doing things properly.
Once email comes in, you don't have filtering on, it's very easy to get this stuff by and into your inbox if you don't have filtering. If you're not doing security and awareness training, somebody, even if you have filtering might click on an email that gets through, might click on an attachment. Once someone does that puts a dropper or a payload on the system, and that allows cyber criminals to install more tools.
Now at this point, you can have things that detect this kind of activity. It’s a little bit more sophisticated, takes a little bit more of an investment, and it takes somebody with some cybersecurity skills to know how to deploy and set that up in your network to see if something like that is going on. Cybercriminals are very good at hiding that activity. It takes really specialized tools that are set up the right way in order for somebody to successfully detect that type of activity but it's absolutely possible.
The other thing is that you need to make sure that you have your remote desktop protocol turned off completely because once the cyber criminals have this payload or dropper and then they start to install their tools, they like to get across the network in various different ways. One of the common things that cybersecurity experts see is businesses leave remote desktop protocol open or enabled on their computer systems.
Many businesses say, "No, we already took care of this." Well, there's two different things to consider. You have one where you have the firewall in place, where you're blocking traffic and you're not letting any remote desktop traffic come through. So cyber experts want to make sure that all remote desktops are disabled across the board no matter what. Cyber experts do this even if you have it blocked at the firewall and you're not allowing that type of remote access into your network because if you don't go and explicitly turn it off on your Windows machines, a lot of times by default, it can be just running and that allows a hacker to have enough access to the systems where they can enable it.
Altogether, you want to make sure that you have it disabled and preventative ways to make sure it doesn't get enabled very easily by somebody who doesn't have the proper access. Also, if it does get enabled, you won't have detection in place to be able to detect if a computer or a particular machine in your environment has remote desktop open. Thus, causing a criminal hacker to use the tool to move laterally and spread ransomware across your network. These are the ear markings of this high ransomware group. This is what they do.
The next thing that cyber experts see with Hive is once they get into the network, the first thing they go for, number one, is they go for your backups. They also go for your antivirus and your anti-spyware. These cyber criminals look for the processes that are known to run on the systems, and their software, their ransomware terminates them to facilitate the encryption.
So, think about this. If you're using an antivirus program and a criminal hacker gets access to your system and he just terminates that process, now there's some really good antivirus endpoint protection software that doesn’t allow those types of things to happen, but there's others that do. You can disable these things various different ways if you have the right level of access.
The other thing is that they look for your backups, they look for where those things are at and they look to destroy them. Then, once they deploy the ransomware, they encrypt the files. What cyber experts usually see is that it ends in a hive file. That's one of their earmarkers. They give you a how to decrypt. Meanwhile, they also will use their tour site, which is their dark website to start releasing information and making use of that as leverage so you pay the ransom. This isn't uncommon with ransomware groups, but this is one of their indicators of compromise. Most likely, you are probably already going to be on their dark web leak site before you even know you have a problem.
There's a ton of files that run in the FBI bulletin that went out that you can find out what they are, and you can set up monitoring inside your network for these types of files and make sure that you don't have anything like this ever running. Even if it does, it can get shut down. There's a lot of things that this group does. Hive ransomware group does have a ransomware note, which they will give you to go to a chat site where you have a login and password to get the negotiations going and start talking to these guys.
At the end of the day cybersecurity experts want to make sure that you’re doing things that are laid out in this blog, because no company wants to pay the ransom. So, if you’re doing all the things that Hive likes to take advantage of, and protecting those things from antivirus being easily disabled, having RDP ports shut down, making sure that your backups are segregated from the network so that if they are on a computer in your network, then they can't easily get to your backups. If you know what they're looking for, and you know how to segregate or separate or harden, it's a smarter play than not doing anything at all, because these guys will go for it once they get in. Then, Hive or any cybercriminal will make your recovery process a lot more painful and costly once they know that they have all this leverage over your head.
All in all, Partnership HealthPlan of California is under a ransomware attack by the Hive ransomware group. Pretty big deal. Xact IT Solutions hopes healthcare organizations out there start doing more around cybersecurity, along with all other businesses.