
Cyber Incident Victim: Hive

Date:

Mar 2022

Location:

United States of America

Summary

The Hive ransomware group breached Sigmund Software, a subsidiary of VSS Medical Technology, claiming six months of unauthorized access during which it exfiltrated 160 GB of data, including application source code, customer information, customer passwords, and financial records. Before deploying its own encryption, Hive found that another ransomware operation, Spy, had already encrypted the victim's primary files, leaving Sigmund facing two ransom demands totaling $1.25 million. The victim paid Spy $675,000 for decryption keys but refused Hive's $500,000 demand, prompting Hive to leak corporate data from multiple VSS-affiliated companies. Initial analysis of the dumped data primarily revealed tax documents and business records, but a sample Hive provided contained personal information and protected health information, so further exposure of sensitive material remains possible. Hive also claimed persistent network access via an implanted backdoor.

CIA Posture: available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actors: 2 actors
Type: available to members
Location: available to members

Description

On September 12, 2022, Hive ransomware actors contacted Sigmund Software, a subsidiary of VSS Medical Technology, claiming they had infiltrated the company’s systems over a six-month period. During this time, they exfiltrated 160 GB of files, including application source code (Aura, Aura Mobile App), prototypes, customer financial data (taxes, budgets, cash flows), customer passwords, and client private information (addresses, contacts). Hive encrypted a backup server as proof of access but reported that another ransomware group, Spy, had encrypted Sigmund’s primary files before they could execute their own encryption. Hive’s initial email disclosed they had implanted a backdoor to maintain persistent network access and threatened to release stolen data unless paid.


The following day (September 13), Hive learned Sigmund Software was negotiating exclusively with Spy, who demanded $750,000 for decryption. Hive countered by demanding $500,000 for the stolen data, warning that failure to pay would result in renewed attacks on the network every two weeks and the public exposure of customer data via emails and phone calls. Hive emphasized that Sigmund’s total ransom obligation would reach $1.25 million if both groups were paid. By mid-September, Sigmund paid Spy $675,000 for decryption keys, though whether the decryption actually restored the files remained unconfirmed. Hive, still unpaid, leaked the exfiltrated data on September 20. The dump included files from multiple VSS Medical Technology subsidiaries (Sigmund Software, MedicFusion, New England Medical Billing) and primarily contained corporate documents, tax records, and financial data. A sample provided by Hive on September 13 confirmed the presence of personal and protected health information (PHI), though initial reviews of the full leak did not identify EHR databases or widespread PHI. The incident disrupted Sigmund’s operations, exposed sensitive customer and corporate data, and resulted in a confirmed financial loss from the Spy ransom payment. No information was disclosed regarding Sigmund’s containment efforts, system restoration, or communications with affected customers.

Sources
Sources available to members
1 source