
hive

208 tracked victims · first seen 2021-08-14 · last activity 2023-01-16

Group profile

Hive is a strain of ransomware first observed in June 2021. It was built for a Ransomware-as-a-Service (RaaS) model, allowing relatively inexperienced affiliates to launch ransomware attacks on healthcare providers, energy providers, charities, and retailers worldwide. In 2022 the codebase was rewritten from Go to Rust.

MITRE ATT&CK TTPs

TA0001 Initial Access

  • T1078 Valid Accounts: Remote Desktop Protocol

    Compromised RDP credentials used for direct access to victim environments.

  • T1190 Exploit Public-Facing Application

    Exploitation of Microsoft Exchange vulnerabilities (ProxyShell: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) to gain initial access.

  • T1566.001 Phishing: Spearphishing Attachment

    Hive affiliates use phishing emails with malicious attachments to deliver initial access malware.

TA0002 Execution

  • T1059.001 Command and Scripting Interpreter: PowerShell

    PowerShell used to execute payloads, disable security tools, and delete backups.

  • T1059.003 Command and Scripting Interpreter: Windows Command Shell

    cmd.exe used for executing batch scripts and commands during post-exploitation.

TA0005 Defense Evasion

  • T1070.001 Indicator Removal: Clear Windows Event Logs

    Windows event logs cleared using wevtutil to remove evidence of the attack.

  • T1562.001 Disable or Modify Tools

    Windows Defender and other AV/EDR solutions terminated and disabled prior to ransomware deployment.

TA0006 Credential Access

  • T1003.001 OS Credential Dumping: LSASS Memory

    Mimikatz deployed to harvest credentials from LSASS memory for privilege escalation and lateral movement.

TA0007 Discovery

  • T1046 Network Service Discovery

    Network scanning performed to enumerate active hosts and services for lateral movement targeting.

TA0008 Lateral Movement

  • T1021.001 Remote Services: Remote Desktop Protocol

    RDP used for lateral movement across the victim network using harvested credentials.

  • T1021.002 Remote Services: SMB/Windows Admin Shares

    SMB admin shares used to deploy the Hive ransomware payload to remote systems.

TA0010 Exfiltration

  • T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

    Rclone and other tools used to exfiltrate victim data to cloud storage for double extortion via the Hive leak site.

TA0011 Command and Control

  • T1219 Remote Access Software

    Cobalt Strike beacons and remote management tools used for persistent C2 access.

TA0040 Impact

  • T1486 Data Encrypted for Impact

    Hive originally used Go-based ransomware with RSA+AES encryption; later variants (v4 and up) were rewritten in Rust and use Curve25519 with ChaCha20/Poly1305. Hive's master key was extracted by FBI researchers in 2022, enabling decryption of victim files. The group operated as a RaaS until the FBI takedown in January 2023.

  • T1490 Inhibit System Recovery

    Shadow copies and system backups deleted to prevent recovery; backup processes terminated prior to encryption.

Recent victims

showing 50 of 208

Date | Website / victim | Sector | Country
2023-01-16 | R C Stevens Construction (rcstevens.com) | Construction |
2023-01-11 | G.W. Becker (gwbcrane.com) | Manufacturing |
2023-01-06 | Consulate Health Care (consulatehc.com) | Healthcare |
2022-12-31 | Centro Médico Virgen De La Caridad (cmvcaridad.com) | Healthcare |
2022-12-30 | Camst Group (camstgroup.com) | Hospitality and Tourism |
2022-12-22 | MHMR Authority Of Brazos Valley (mhmrabv.org) | Healthcare |
2022-12-21 | | Technology | US
2022-12-20 | | Manufacturing | US
2022-12-20 | North Idaho College | Education |
2022-12-20 | Innovative Education Management | Education |
2022-12-20 | Dixons Allerton Academy | Education |
2022-12-20 | City Of Huntsville, Texas | Public Sector |
2022-12-20 | JAKKS Pacific Inc | Consumer Services |
2022-12-20 | Stolle Machinery | Manufacturing |
2022-12-14 | Mark-Taylor | Not Found |
2022-12-14 | Expand Group | Not Found |
2022-12-10 | KNOX College | Education |
2022-12-06 | INTERSPORT France | Consumer Services |
2022-11-25 | Guilford College | Education |
2022-11-23 | Norman Public Schools | Education |
2022-11-15 | Hydro-Gear & Agri-Fab | Manufacturing |
2022-11-15 | LCMH | Healthcare |
2022-11-10 | MCCROSSAN | Not Found |
2022-11-08 | APM Terminals | Transportation/Logistics |
2022-11-07 | TCQ | Not Found |
2022-11-07 | ROYAL GATEWAY CO., LTD | Not Found |
2022-11-07 | Cornwell Quality Tools | Manufacturing |
2022-11-03 | Landi Renzo | Manufacturing |
2022-10-24 | Tata Power | Energy |
2022-10-09 | Município De Loures | Public Sector |
2022-09-30 | Mansfield Independent School District (MISD) | Education |
2022-09-27 | Southwell, Inc. | Business Services |
2022-09-27 | Hendry Regional Medical Center | Healthcare |
2022-09-27 | JANMARINI | Not Found |
2022-09-26 | TAKAO-UK | Manufacturing |
2022-09-26 | GFG | Not Found |
2022-09-26 | TSMTU | Not Found |
2022-09-21 | BHARBERT | Business Services | US
2022-09-20 | Sigmund Software | Technology | US
2022-09-19 | New York Racing Association | Consumer Services | US
2022-09-15 | Bell Technical Solutions | Telecommunication | CA
2022-09-15 | FONTAINEBLEAU | Business Services | US
2022-09-06 | California-Oregon Telecommunications Company | Telecommunication | US
2022-09-02 | Eurocell | Manufacturing | GB
2022-08-31 | NCG Medical | Healthcare | US
2022-08-25 | Altice International | Telecommunication | NL
2022-08-24 | Baton Rouge General | Healthcare | US
2022-08-19 | Reiter Affiliated Companies | Agriculture and Food Production | US
2022-08-18 | WOOTTON ACADEMY TRUST | Education |
2022-08-14 | TriState HVAC Equipment | Construction | US