Threat Intelligence Tarot
pentacles · 3
Criminal (Eastern European)
G1008 · ★★★★★
risk 4/5
✦ The Hospital Ward ✦
Hive
Hive ransomware group
Hospitals · Healthcare · Schools · Critical infrastructure · 1,300+ victims
Active ~2021–2023 · Healthcare sector targeting, Ransomware-as-a-service, Victim negotiation and extortion
The Hospital Ward encrypts patient records, medical systems, and healthcare databases during a crisis, then demands payment measured in millions. It targeted hospitals knowing that healthcare organizations pay because patients die when systems go down. The FBI infiltrated it anyway, saved 130 million in ransom, and shut it down.
Tactics & Techniques
RCN · RDV · INI · EXC · PRS · PRV · EVA · CRD · DSC · LAT · COL · C2 · EXF · IMP
Notable Operations
- 130+ million ransom demanded from 1,300+ victims
- Costa Rica healthcare system attack disrupting patient care
- FBI infiltration of Hive - decryption keys provided to 300+ victims (2022)
- DOJ and Europol operation dismantled infrastructure (Jan 2023)
Defenses
- Healthcare sector offline backups and manual procedure fallbacks (HHS 405(d) guidance)
- RDP exposure elimination - no internet-facing RDP (CIS Control 12)
- Patch management prioritization for healthcare systems (CIS Control 7)
- Incident response retainer with healthcare sector specialization (NIST CSF: RS.RP)
Reversed: Their Weakness
Hive's takedown was a landmark: the FBI spent seven months inside Hive's infrastructure, silently providing decryption keys to victims before going public. The operation demonstrated that law enforcement infiltration of RaaS infrastructure is operationally feasible and strategically effective.
Data sourced from MITRE ATT&CK. For educational purposes.