Free Trial
|
Login
Free Trial
Login
Platform

Platform

I want to

report
WHITEPAPER Picus Red Report 2024
white paper
DATASHEET Security Validation Platform
Use Cases

Use Cases

Frameworks

Group
WHITEPAPER Building a Robust Defense-in-Depth Strategy with Breach and Attack Simulation (BAS)
Paper Icons
E-BOOK An Introduction to Exposure Validation
Research

RESEARCH

LEARNING

whitepaper
Whitepaper Modernize Your SOC with Breach and Attack Simulation
report (1)
REPORT Blue Report: Effective Threat Exposure Management
Resources

RESOURCES

LEARNING

Group
WHITEPAPER Double Your Threat Blocking in 90 Days
Paper Icons
E-BOOK An Introduction to Exposure Validation
Company

COMPANY

PARTNERS

webinar
REGISTER NOW: Assessing Your Zero Trust Program with "Assume Breach" Mindset
Data sheet
DATASHEET The Pioneer of Breach & Attack Simulation
GET A DEMO

Hive Ransomware Group

By Suleyman Ozarslan, PhD & Picus Labs   August 22, 2022   Ransomware

Hive ransomware group started their ransomware attacks in June 2021 and quickly drew the attention of law enforcement due to a wide range of target industries, most notably healthcare. Hive ransomware uses the Ransomware-as-a-Service model and double extortion method. If a victim fails to pay the ransom, Hive operators release the exfiltrated data on Hive’s Data Leak Sites (DLS). Hive has multiple ransomware variants affecting Windows, Linux, FreeBSD, and VMware ESXi. In recent variants, Hive ransomware switched from Go to Rust programming language.
Metadata

Associated Groups

Affiliates - DEV-0237

Associated Country

Russia

First Seen

June 2021

Target Sectors

Automotive, Construction, Education, Energy, Entertainment, Financial Services, Food and Beverage,Government, Hardware, Healthcare, Information Technology, Manufacturing, Real Estate, Retail, Transportation

Target Countries

United States, Argentina, Australia, Brazil, Canada, China, Colombia, El Salvador, France, Germany, India,Italy, Netherlands, Norway, Peru, Portugal, Saudi Arabia, Spain, Switzerland, Taiwan, Thailand, United Kingdom
Modus Operandi

Business Models

Ransomware-as-a-Service (RaaS)

Double Extortion

Resource Hijacking (Cryptocurrency Mining)

Extortion Tactics

File Encryption

Data Leakage

Initial Access Methods

Exploit Public-Facing Application

Phishing

External Remote Services

Impact Methods

Data Encryption

Data Exfiltration
Exploited Applications and Vulnerabilities by Hive

Application

Vulnerability

CVE

CVSS

Microsoft Exchange

ProxyShell RC

CVE-2021-34473

9.8 Critical

Microsoft Exchange

ProxyShell Privilege Escalation

CVE-2021-34523

9.8 Critical

Microsoft Exchange

ProxyShell Security Feature Bypass

CVE-2021-31207

7.2 High
Utilized Tools and Malware by Hive

MITRE ATT&CK Tactic

Tools

Execution

 

Cobalt Strike

PowerShell

PSExec

Windows Task Scheduler

WMI

Persistence

Windows Task Scheduler

Privilege Execution

Mimikatz

Defense Evasion

GMER

KillAV

PC Hunter

Credential Access

Redline Stealer

Discovery

TrojanSpy.DATASPY

Lateral Movement

BITSAdmin

Cobalt Strike

PSExec

RDP

WMI

Command and Control

BITSAdmin

Exflitration

7-zip

Anonfiles

Mega

Sendspace

Ufile.io

Impact

Hive ransomware

NBMiner cryptocurrency miner

  • [1]       K. Arhart, “Cobalt Strike,” Cobalt Strike Research and Development, Aug. 19, 2021. https://www.cobaltstrike.com/ (accessed Jul. 06, 2022).

  • [2]     S. Özarslan, “MITRE ATT&CK T1086 PowerShell.” https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1086-powershell (accessed Jul. 06, 2022).

  • [3]     “PsExec - Windows Sysinternals.” https://docs.microsoft.com/en-us/sysinternals/downloads/psexec (accessed Jul. 06, 2022).

  • [4]     S. Özarslan, “MITRE ATT&CK T1053 Scheduled Task.” https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-1053-scheduled-task (accessed Jul. 06, 2022).

  • [5]     “Windows Management Instrumentation.” [Online]. Available: https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page. [Accessed: Aug. 03, 2022]

  • [6]     “GitHub - gentilkiwi/mimikatz: A little tool to play with Windows security,” GitHub. https://github.com/gentilkiwi/mimikatz (accessed Jul. 06, 2022).

  • [7]       “GMER - Rootkit Detector and Remover.” http://www.gmer.net (accessed Jul. 06, 2022).

  • [8]       F. Fkie, “KillAV (Malware Family).” https://malpedia.caad.fkie.fraunhofer.de/details/win.killav (accessed Jul. 06, 2022).

  • [9]     “PC Hunter,” Dec. 02, 2018. https://www.majorgeeks.com/files/details/pc_hunter.html (accessed Jul. 06, 2022).

  • [10]     F. Fkie, “RedLine Stealer (Malware Family).” https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer (accessed Jul. 06, 2022).

  • [11]       “TrojanSpy.PS1.DATASPY.A.” [Online]. Available: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojanspy.ps1.dataspy.a/. [Accessed: Aug. 03, 2022]

  • [12]     “bitsadmin | LOLBAS.” https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/ (accessed Jul. 06, 2022).

  • [13]     Deland-Han, “Understanding Remote Desktop Protocol (RDP) - Windows Server.” [Online]. Available: https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/understanding-remote-desktop-protocol. [Accessed: Aug. 03, 2022]

  • [14]     “7-Zip.” https://www.7-zip.org (accessed Jul. 06, 2022).

  • [15]     “Anonymous File Upload.” https://anonfiles.com (accessed Jul. 06, 2022).

  • [16]     “MEGA.” https://mega.io/ (accessed Jul. 06, 2022).

  • [17]     “Free large file hosting. Send big files the easy way!” https://www.sendspace.com (accessed Jul. 06, 2022).

  • [18]     “Upload files for free.” https://ufile.io (accessed Jul. 06, 2022).

  • [19]     F. Fkie, “Hive (Malware Family).” https://malpedia.caad.fkie.fraunhofer.de/details/win.hive (accessed Jul. 06, 2022).

  • [20]     “GitHub - NebuTech/NBMiner: GPU Miner for ETH, RVN, BEAM, CFX, ZIL, AE, ERGO,” GitHub. https://github.com/NebuTech/NBMiner (accessed Jul. 06, 2022).

Related Content

August 22, 2022   •   Ransomware

Conti Ransomware Group

READ MORE

August 22, 2022   •   Ransomware

BlackCat Ransomware Gang

READ MORE

August 22, 2022   •   Ransomware

AvosLocker Ransomware Group

READ MORE

August 22, 2022   •   Ransomware

Black Basta Ransomware Gang

READ MORE
Palo Alto CVE-2024-0012 and CVE-2024-9474 Vulnerabilities Explained
Emerging Threat

Palo Alto CVE-2024-0012 and CVE-2024-9474 Vulnerabilities Explained

Learn More
Emerging Threat

Understanding and Mitigating Midnight Blizzard's RDP-Based Spear Phishing Campaign

Learn More
fortimanager
Emerging Threat

CVE-2024-47575: FortiManager Missing Authentication Zero-Day Vulnerability Explained

Learn More
cisa-alert-aa24-290a
Emerging Threat

Iranian Cyber Actors’ Brute Force and Credential Access Attacks: CISA Alert AA24-290A

Learn More
Emerging Threat

CISA Alert AA24-249A: Russian GRU Unit 29155 Targeting U.S. and Global Critical Infrastructure

Learn More
emerging-threat
Emerging Threat

CVE-2024-38063: Remote Kernel Exploitation via IPv6 in Windows

Learn More
RansomHub-Ransomware
Emerging Threat

RansomHub Ransomware Analysis, Simulation, and Mitigation - CISA Alert AA24-242A

Learn More
pioneer-kitten-ransomware
Emerging Threat

Pioneer Kitten: Iranian Threat Actors Facilitate Ransomware Attacks Against U.S. Organizations

Learn More
north-korean-APT-group
Emerging Threat

Andariel: North Korean APT Group Targets Military and Nuclear Programs

Learn More