Hive ransomware began operations in June 2021 and quickly drew law enforcement attention by striking a wide range of sectors, with healthcare among the most heavily impacted. The group runs a Ransomware as a Service (RaaS) programme: the core operators maintain the encryptor and the leak site, and recruited affiliates conduct the intrusions at scale. Hive uses double extortion, stealing sensitive data before encryption so that a victim with good backups still faces the threat of disclosure. When victims refuse to pay, the operators publish the exfiltrated files on Hive's data leak site to pressure organisations and damage reputations. The operation maintains multiple encryptor builds that target Windows, Linux, FreeBSD, and VMware ESXi, enabling cross-platform impact in mixed enterprise environments, including encryption of virtual machine storage directly on the hypervisor.
Affiliates typically gain initial access through phishing, stolen credentials, internet-exposed remote access services such as RDP and VPN gateways that lack multi-factor authentication, or exploitation of known vulnerabilities in internet-facing systems. Once inside, they perform discovery, move laterally, and escalate privileges using common administration tools and living-off-the-land techniques, so much of the activity blends in with legitimate operations. Before encryption they inhibit recovery, deleting volume shadow copies and removing or disabling backups, and they exfiltrate large data sets to support the leak site pressure. Notably, Hive variants reported in 2022 shifted from Go to Rust. Rust's memory safety makes the encryptor more robust, and the rewrite complicated analysis and undermined detections tuned to the earlier Go builds. Defenders can reduce risk by enforcing multi-factor authentication, hardening and monitoring remote access, rapidly patching internet-facing systems, segmenting critical assets, and continuously validating detection and response controls against real attacker techniques to identify and close gaps before an affiliate can weaponise them.
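The recovery-inhibition step is one of the most detectable moments in a Hive-style intrusion: the commands that delete shadow copies and backup catalogues are rarely run by administrators, and almost never several of them in quick succession on one host. The Python below is an added example, not code from the original page or from any Hive analysis. It is a small process-creation event scanner that applies generic recovery-inhibition command patterns (the kind catalogued under MITRE ATT&CK T1490 and seen across many ransomware families, not Hive-specific indicators) and raises the severity when more than one distinct pattern fires on the same host. The event records, host names, user names and rule names are constructed for illustration, and the event schema is assumed to resemble a parsed Sysmon Event ID 1 or Windows Security 4688 feed.

```python
import re
from collections import defaultdict
from typing import Optional

# Generic recovery-inhibition command patterns (MITRE ATT&CK T1490).
# These are common across ransomware families, not Hive-specific indicators.
# Matching is case-insensitive because attackers vary casing freely.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("wbadmin_delete_backup",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup)\b", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("powershell_shadowcopy_remove",
     re.compile(r"win32_shadowcopy\b.*(?:remove-wmiobject|\.delete\(\))", re.I)),
]


def classify_command(command_line: str) -> Optional[str]:
    """Return the name of the first rule the command line matches, else None."""
    for name, pattern in RULES:
        if pattern.search(command_line):
            return name
    return None


def scan_events(events):
    """Run the rules over process-creation events and correlate per host.

    A single hit is 'medium'. Two or more distinct rules firing on the same
    host is 'high', because that combination is typical of a ransomware
    pre-encryption step and atypical of an administrator's one-off command.
    """
    alerts = []
    rules_per_host = defaultdict(set)
    for ev in events:
        rule = classify_command(ev["command_line"])
        if rule is None:
            continue
        rules_per_host[ev["host"]].add(rule)
        alerts.append({
            "host": ev["host"],
            "user": ev["user"],
            "parent": ev["parent_image"],
            "rule": rule,
            "command_line": ev["command_line"],
            "severity": "medium",
        })
    for alert in alerts:
        if len(rules_per_host[alert["host"]]) >= 2:
            alert["severity"] = "high"
    return alerts


# Constructed sample events (hypothetical hosts and users), in the shape a
# parsed Sysmon Event ID 1 / Windows 4688 feed might produce.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe", "parent_image": "C:\\Windows\\explorer.exe",
     "command_line": "vssadmin list shadows"},                       # benign read-only query
    {"host": "WS01", "user": "CORP\\jdoe", "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "VSSADMIN.EXE Delete Shadows /All /Quiet"},     # mixed case on purpose
    {"host": "WS01", "user": "CORP\\jdoe", "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "wmic.exe shadowcopy delete"},
    {"host": "WS01", "user": "CORP\\jdoe", "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "wbadmin delete catalog -quiet"},
    {"host": "SRV02", "user": "NT AUTHORITY\\SYSTEM", "parent_image": "C:\\Windows\\System32\\services.exe",
     "command_line": "bcdedit /set {default} recoveryenabled no"},
    {"host": "SRV02", "user": "CORP\\backupsvc",
     "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell -Command Get-Service -Name wbengine"},  # benign
]


if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(f"[{a['severity']:6}] {a['host']} {a['user']} {a['rule']}: {a['command_line']}")
```

Run against the constructed events, the read-only `vssadmin list shadows` and the PowerShell service query produce nothing, the three deletions on WS01 are escalated to high because they hit three distinct rules, and the lone `bcdedit` on SRV02 stays medium. In production, feed the scanner from your endpoint telemetry pipeline rather than a static list, add an allow-list for legitimate backup agents that resize shadow storage on a schedule, and treat the parent process (a script host or an unexpected service spawning these commands) as an additional severity signal.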