Hive Ransomware Group

By Suleyman Ozarslan, PhD & Picus Labs | August 22, 2022 | Ransomware

The Hive ransomware group started its ransomware attacks in June 2021 and quickly drew the attention of law enforcement due to its wide range of target industries, most notably healthcare. Hive operates under the Ransomware-as-a-Service (RaaS) model and uses the double extortion method: if a victim fails to pay the ransom, Hive operators release the exfiltrated data on Hive’s Data Leak Sites (DLS). Hive has multiple ransomware variants affecting Windows, Linux, FreeBSD, and VMware ESXi. In recent variants, Hive ransomware switched from the Go programming language to Rust.

Metadata

Associated Groups: Affiliates - DEV-0237

Associated Country: Russia

First Seen: June 2021

Target Sectors: Automotive, Construction, Education, Energy, Entertainment, Financial Services, Food and Beverage, Government, Hardware, Healthcare, Information Technology, Manufacturing, Real Estate, Retail, Transportation

Target Countries: United States, Argentina, Australia, Brazil, Canada, China, Colombia, El Salvador, France, Germany, India, Italy, Netherlands, Norway, Peru, Portugal, Saudi Arabia, Spain, Switzerland, Taiwan, Thailand, United Kingdom

Modus Operandi

Business Models: Ransomware-as-a-Service (RaaS), Double Extortion, Resource Hijacking (Cryptocurrency Mining)

Extortion Tactics: File Encryption, Data Leakage

Initial Access Methods: Exploit Public-Facing Application, Phishing, External Remote Services

Impact Methods: Data Encryption, Data Exfiltration

Exploited Applications and Vulnerabilities by Hive

Application        | Vulnerability                        | CVE            | CVSS
Microsoft Exchange | ProxyShell RCE                       | CVE-2021-34473 | 9.8 Critical
Microsoft Exchange | ProxyShell Privilege Escalation      | CVE-2021-34523 | 9.8 Critical
Microsoft Exchange | ProxyShell Security Feature Bypass   | CVE-2021-31207 | 7.2 High

Utilized Tools and Malware by Hive

MITRE ATT&CK Tactic | Tools
Execution           | Cobalt Strike [1], PowerShell [2], PSExec [3], Windows Task Scheduler [4], WMI [5]
Persistence         | Windows Task Scheduler [4]
Privilege Escalation | Mimikatz [6]
Defense Evasion     | GMER [7], KillAV [8], PC Hunter [9]
Credential Access   | Redline Stealer [10]
Discovery           | TrojanSpy.DATASPY [11]
Lateral Movement    | BITSAdmin [12], Cobalt Strike [1], PSExec [3], RDP [13], WMI [5]
Command and Control | BITSAdmin [12]
Exfiltration        | 7-zip [14], Anonfiles [15], Mega [16], Sendspace [17], Ufile.io [18]
Impact              | Hive ransomware [19], NBMiner cryptocurrency miner [20]

References

[1] K. Arhart, “Cobalt Strike,” Cobalt Strike Research and Development, Aug. 19, 2021. https://www.cobaltstrike.com/ (accessed Jul. 06, 2022).

[2] S. Özarslan, “MITRE ATT&CK T1086 PowerShell.” https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1086-powershell (accessed Jul. 06, 2022).

[3] “PsExec - Windows Sysinternals.” https://docs.microsoft.com/en-us/sysinternals/downloads/psexec (accessed Jul. 06, 2022).

[4] S. Özarslan, “MITRE ATT&CK T1053 Scheduled Task.” https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-1053-scheduled-task (accessed Jul. 06, 2022).

[5] “Windows Management Instrumentation.” https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page (accessed Aug. 03, 2022).

[6] “GitHub - gentilkiwi/mimikatz: A little tool to play with Windows security,” GitHub. https://github.com/gentilkiwi/mimikatz (accessed Jul. 06, 2022).

[7] “GMER - Rootkit Detector and Remover.” http://www.gmer.net (accessed Jul. 06, 2022).

[8] F. Fkie, “KillAV (Malware Family).” https://malpedia.caad.fkie.fraunhofer.de/details/win.killav (accessed Jul. 06, 2022).

[9] “PC Hunter,” Dec. 02, 2018. https://www.majorgeeks.com/files/details/pc_hunter.html (accessed Jul. 06, 2022).

[10] F. Fkie, “RedLine Stealer (Malware Family).” https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer (accessed Jul. 06, 2022).

[11] “TrojanSpy.PS1.DATASPY.A.” https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojanspy.ps1.dataspy.a/ (accessed Aug. 03, 2022).

[12] “bitsadmin | LOLBAS.” https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/ (accessed Jul. 06, 2022).

[13] Deland-Han, “Understanding Remote Desktop Protocol (RDP) - Windows Server.” https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/understanding-remote-desktop-protocol (accessed Aug. 03, 2022).

[14] “7-Zip.” https://www.7-zip.org (accessed Jul. 06, 2022).

[15] “Anonymous File Upload.” https://anonfiles.com (accessed Jul. 06, 2022).

[16] “MEGA.” https://mega.io/ (accessed Jul. 06, 2022).

[17] “Free large file hosting. Send big files the easy way!” https://www.sendspace.com (accessed Jul. 06, 2022).

[18] “Upload files for free.” https://ufile.io (accessed Jul. 06, 2022).

[19] F. Fkie, “Hive (Malware Family).” https://malpedia.caad.fkie.fraunhofer.de/details/win.hive (accessed Jul. 06, 2022).

[20] “GitHub - NebuTech/NBMiner: GPU Miner for ETH, RVN, BEAM, CFX, ZIL, AE, ERGO,” GitHub. https://github.com/NebuTech/NBMiner (accessed Jul. 06, 2022).