THREAT ACTOR: Hive Ransomware Group

Hive ransomware uses multiple mechanisms to compromise business networks, including phishing emails with malicious attachments to gain initial access and Remote Desktop Protocol (RDP) to move laterally once inside the network, according to the report.
After compromising a victim network, Hive ransomware actors exfiltrate data and encrypt files on the network. The actors leave a ransom note in each affected directory within a victim’s system, which provides instructions on how to purchase the decryption software. The ransom note also threatens to leak exfiltrated victim data on the Tor site, “HiveLeaks.”
Hive ransomware looks for processes related to backups, anti-virus/anti-spyware, and file copying and terminates them to facilitate file encryption, according to the report. The encrypted files commonly end with a .hive extension. The Hive ransomware then drops a hive.bat script into the directory; the script waits one second (an execution timeout) and then performs cleanup once encryption is finished by deleting the Hive executable and the hive.bat script itself.
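The two on-disk artifacts the profile above attributes to Hive, files renamed with a .hive extension and a dropped hive.bat cleanup script, are cheap for a responder to sweep for on a file share. The following triage helper is an added example, not code from the original page or from any vendor report: it walks a directory tree and reports every directory that holds a hive.bat or at least a handful of .hive files. The MIN_ENCRYPTED threshold, the sample directory names and the sample file names are assumptions made up for the example.

```python
"""Defender-side triage: sweep a directory tree for the Hive artifacts named in
the profile (.hive extension on encrypted files, dropped hive.bat cleanup script).
Added example; the threshold and the sample tree are constructed assumptions."""
import os
import tempfile
from dataclasses import dataclass

HIVE_EXT = ".hive"           # extension appended to encrypted files (from the profile)
CLEANUP_SCRIPT = "hive.bat"  # cleanup script dropped into each directory (from the profile)
MIN_ENCRYPTED = 3            # assumed: fewer .hive files than this is treated as noise


@dataclass
class Finding:
    directory: str
    encrypted_count: int
    cleanup_script_present: bool


def scan_tree(root):
    """Return one Finding per directory showing Hive indicators, sorted by path.

    A directory is reported when it contains hive.bat (a single strong indicator)
    or when at least MIN_ENCRYPTED files carry the .hive extension.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        lowered = [f.lower() for f in filenames]
        encrypted = sum(1 for f in lowered if f.endswith(HIVE_EXT))
        cleanup = CLEANUP_SCRIPT in lowered
        if cleanup or encrypted >= MIN_ENCRYPTED:
            findings.append(Finding(dirpath, encrypted, cleanup))
    return sorted(findings, key=lambda f: f.directory)


def build_sample_tree():
    """Create a constructed sample tree in a temp dir: one affected directory
    (three renamed files plus hive.bat) and one untouched directory."""
    root = tempfile.mkdtemp(prefix="hive-triage-")
    affected = os.path.join(root, "shares", "finance")
    untouched = os.path.join(root, "shares", "hr")
    os.makedirs(affected)
    os.makedirs(untouched)
    for name in ("q1.xlsx.hive", "q2.xlsx.hive", "budget.docx.hive", "hive.bat"):
        open(os.path.join(affected, name), "w").close()
    for name in ("policy.pdf", "handbook.docx"):
        open(os.path.join(untouched, name), "w").close()
    return root


if __name__ == "__main__":
    # Stand-alone run: build the constructed tree and print what the sweep flags.
    for finding in scan_tree(build_sample_tree()):
        print(f"{finding.directory}: {finding.encrypted_count} .hive files, "
              f"hive.bat present={finding.cleanup_script_present}")
```

Run it against a mounted share root instead of the sample tree to get a list of directories to preserve for forensics before any cleanup; because hive.bat deletes itself and the executable after encryption, a directory with many .hive files but no hive.bat is still expected and is why the count threshold is kept alongside the script check.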


Incidents Associated with this Threat

  • July 27, 2022: Hive Ransomware Note Demands £500,000 from Wooton Upper School, UK
  • July 7, 2022: One of Australia’s Largest Prisons Caught up in Cyberattack
  • June 26, 2022: Apetito’s Security Systems Breached in Sophisticated Cyberattack
  • November 14, 2021: Supernus Pharma Hit in Ransomware Attack

Malware Used by this Threat Actor

No malware identified for this threat actor.
