Hive Ransomware Group
Hive ransomware uses multiple mechanisms to compromise business networks, including phishing emails with malicious attachments to gain initial access and Remote Desktop Protocol (RDP) to move laterally once inside the network, according to the report.
After compromising a victim network, Hive ransomware actors exfiltrate data and encrypt files on the network. The actors leave a ransom note in each affected directory within a victim’s system, which provides instructions on how to purchase the decryption software. The ransom note also threatens to leak exfiltrated victim data on the Tor site, “HiveLeaks.”
Hive ransomware seeks out processes related to backups, anti-virus/anti-spyware, and file copying and terminates them so that file encryption can proceed, according to the report. Encrypted files commonly end with a .hive extension. Hive then drops a hive.bat script into the directory; the script waits one second (an execution timeout delay) and, once encryption is finished, cleans up by deleting the Hive executable and the hive.bat script itself.
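The behaviours above (termination of backup/anti-virus processes, a burst of renames to the .hive extension, and a dropped hive.bat) are observable in endpoint telemetry. The following detection sketch is an added example, not code from the report or any vendor; the log format, host names, process watchlist and thresholds are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real Hive logs): timestamp|event|host|detail
SAMPLE_EVENTS = """\
2022-12-01T10:00:01|PROC_TERM|ws01|wbengine.exe
2022-12-01T10:00:02|PROC_TERM|ws01|MsMpEng.exe
2022-12-01T10:00:03|FILE_RENAME|ws01|C:\\data\\q3.xlsx -> C:\\data\\q3.xlsx.hive
2022-12-01T10:00:03|FILE_RENAME|ws01|C:\\data\\plan.docx -> C:\\data\\plan.docx.hive
2022-12-01T10:00:04|FILE_RENAME|ws01|C:\\data\\budget.pdf -> C:\\data\\budget.pdf.hive
2022-12-01T10:00:04|FILE_RENAME|ws01|C:\\data\\hr.csv -> C:\\data\\hr.csv.hive
2022-12-01T10:00:05|FILE_RENAME|ws01|C:\\data\\notes.txt -> C:\\data\\notes.txt.hive
2022-12-01T10:00:06|FILE_CREATE|ws01|C:\\data\\hive.bat
2022-12-01T10:05:00|FILE_RENAME|ws02|C:\\users\\bob\\old.txt -> C:\\users\\bob\\archive.txt
2022-12-01T10:05:02|FILE_RENAME|ws02|C:\\users\\bob\\x.doc -> C:\\users\\bob\\x.doc.hive
"""

# Illustrative backup / anti-virus process names to watch (assumption, not from the page)
WATCHED_PROCESSES = {"wbengine.exe", "vssadmin.exe", "msmpeng.exe"}
RENAME_THRESHOLD = 5             # .hive renames per host within WINDOW to count as a burst
WINDOW = timedelta(seconds=60)

def parse_events(text):
    """Parse pipe-delimited lines into (timestamp, kind, host, detail), oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, host, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), kind, host, detail))
    return sorted(events)

def detect_hive_indicators(text):
    """Return {host: sorted indicator names} for hosts showing Hive-like behaviour."""
    renames = defaultdict(list)       # host -> timestamps of recent .hive renames
    hits = defaultdict(set)           # host -> indicator names
    for ts, kind, host, detail in parse_events(text):
        if kind == "PROC_TERM" and detail.lower() in WATCHED_PROCESSES:
            hits[host].add("backup_or_av_process_terminated")
        elif kind == "FILE_RENAME" and detail.lower().endswith(".hive"):
            window = renames[host]
            window.append(ts)
            while ts - window[0] > WINDOW:     # slide the window forward
                window.pop(0)
            if len(window) >= RENAME_THRESHOLD:
                hits[host].add("burst_of_hive_extension_renames")
        elif kind == "FILE_CREATE":
            basename = detail.lower().replace("\\", "/").rsplit("/", 1)[-1]
            if basename == "hive.bat":
                hits[host].add("hive_bat_dropped")
    return {host: sorted(names) for host, names in hits.items()}

if __name__ == "__main__":
    for host, names in detect_hive_indicators(SAMPLE_EVENTS).items():
        print(host, names)
```

A single isolated .hive rename (ws02 in the sample) stays below the burst threshold, so only hosts with the combined pattern are reported.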
Incidents Associated with this Threat
- December 8, 2022: Disney Toy Maker Extorted by Two Ransomware Gangs
- October 18, 2022: Ransomware Attack at Landi Renzo, an Automotive Fuel Supply System Manufacturer in Italy
- October 14, 2022: India’s Largest Integrated Power Company, Tata Power, Hit by Cyberattack
- October 1, 2022: Louisiana Hospital Disclosed Hackers Accessed Systems
- September 28, 2022: Italian Waste Management Service IT Systems Down after Ransomware Attack
- August 20, 2022: Hive Ransomware Group Attacks Canadian Bell Technical Solutions (BTS)
- August 15, 2022: Hive Ransomware Group Attacks International French Clothing Stores
- July 27, 2022: Hive Ransomware Note Demands £500,000 from Wootton Upper School, UK
- July 7, 2022: One of Australia’s Largest Prisons Caught up in Cyberattack
- June 30, 2022: Hive Ransomware Group Leaks NY Racing Assoc. Data
- June 26, 2022: Apetito’s Security Systems Breached in Sophisticated Cyberattack
- April 20, 2022: Unidentified Automotive Supplier Breached Three Times within Two Months
- March 7, 2022: Romanian Gas Stations Affected by Suspected Ransomware Attack
- January 11, 2022: 300 GB of Sensitive Data Breached at Large Swiss Car Dealer
- November 14, 2021: Supernus Pharma Hit in Ransomware Attack