Hive

Malware updated 6 hours ago (2024-11-21T10:31:57.815Z)

Download STIX

Preview STIX

Hive is a form of malware, specifically ransomware, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Hive can steal personal information, disrupt operations, or hold data hostage for ransom. A particularly insidious feature of Hive is its ability to exfiltrate NTDS.dit and SYSTEM registry hive files, which contain the NTLM hash of local machine users and all domain users respectively. This allows attackers to crack passwords offline. The encryption procedure used by Hive is unique to each infected machine, necessitating the preservation of additional information such as registry hive and hostname for smooth decryption. The Hive Ransomware operation has been targeted by various entities. Notably, Hunters International Cyberattackers managed to take over the Hive Ransomware operation. Moreover, a screenshot of a Tor site for Hive ransomware was seized by the FBI. Despite these efforts, new groups like Embargo continue to develop ransomware payloads following in the footsteps of predecessors like BlackCat and Hive. In a significant development, the Hive Ransomware operation was eventually shut down by law enforcement, as reported by Security Week. This followed a series of investigations and actions by cybersecurity agencies, including the U.S. Cybersecurity & Infrastructure Security Agency (CISA), which issued advisories about Hive ransomware. While the shutdown represents a major victory against this particular threat, the ongoing evolution of ransomware tactics underscores the need for continued vigilance and advanced cybersecurity measures.

Description last updated: 2024-11-21T10:28:52.439Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Hive Ransomware is a possible alias for Hive. Hive ransomware, a prominent threat actor active in 2022, was known for its widespread malicious activities in numerous countries, including the US. The group's modus operandi involved the use of SharpRhino, which upon execution, established persistence and provided remote access to the attackers, e	10
Hunters International is a possible alias for Hive. Hunters International, an active threat actor group since October of the previous year, has been identified as a significant cybersecurity concern. The group has taken over and rebranded the Hive ransomware, despite their disputes about this association. This development followed the disbandment of	5
AvosLocker is a possible alias for Hive. AvosLocker is a type of malware, specifically ransomware, known for its malicious intent to exploit and damage computer systems. This software often infiltrates systems undetected through suspicious downloads, emails, or websites, subsequently causing disruption in operations, theft of personal info	4
Akira is a possible alias for Hive. Akira is a potent ransomware that has been active since 2023, known for its aggressive encryption tactics and swift deployment. This malware, which brings a unique '80s aesthetic to the dark web, has quickly risen in prominence within the cybercrime landscape. It has targeted hundreds of victims glo	3
Volt Typhoon is a possible alias for Hive. Volt Typhoon, a cyberespionage cluster sponsored by China, has emerged as a significant threat actor in the cybersecurity landscape. Known for its strong operational security and obfuscation of malware, Volt Typhoon is both a resilient botnet and a warning signal of potential critical infrastructure	2
Royal Ransomware is a possible alias for Hive. Royal Ransomware is a form of malware that was active from September 2022 through June 2023. This malicious software, designed to exploit and damage computers or devices, would infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it could stea	2
Zeon is a possible alias for Hive. Zeon, a known threat actor in the cybersecurity landscape, has been linked to several high-profile ransomware attacks. It was instrumental in crypting SVCReady and CargoBay loaders, observed in Quantum and Royal ransomware attacks respectively. Zeon has also employed third-party ransomware such as B	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Malware

Windows

Ransom

Encryption

RaaS

Linux

Vulnerability

Extortion

Fbi

Cybercrime

Esxi

Loader

Bitcoin

Payload

Infiltration

Exploit

Phishing

Locker

Rust

Apt

Antivirus

Source

t1566.001

Encrypt

T1133

Exploits

T1112

T1190

T1537

Malware Loader

Botnet

exploitation

Government

Rat

Azure

Spyware

Vpn

Fortios

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Conti Malware is associated with Hive. Conti is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. Often spreading through suspicious downloads, emails, or websites, it can steal personal information, disrupt operations, or hold data hostage for ransom. Notably, Conti was linked to several ra	Unspecified	7
The Babuk Malware is associated with Hive. Babuk is a form of malware, specifically ransomware, that infiltrates computer systems and encrypts files, rendering them inaccessible to the user. It typically infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can disrupt operatio	Unspecified	5
The REvil Malware is associated with Hive. REvil, also known as Sodinokibi, is a malicious software (malware) that operates on a Ransomware as a Service (RaaS) model. This model became increasingly popular in 2020, with first-stage malware like Dridex and Gootkit being linked to ransomware attacks such as BitPaymer and REvil respectively. Th	Unspecified	5
The Black Basta Malware is associated with Hive. Black Basta is a notorious malware group known for its sophisticated ransomware attacks, which have targeted numerous high-profile entities. The group has demonstrated a remarkable ability to adapt their tactics, techniques, and procedures (TTPs), allowing them to effectively evade security defenses	is related to	4
The Hive Ransomware Gang Malware is associated with Hive. The Hive ransomware gang, a malicious group known for exploiting and damaging computer systems through harmful software, was significantly disrupted by the Federal Bureau of Investigation (FBI) in a series of operations. Six months ago, according to the US Department of Justice (DOJ), the FBI infilt	Unspecified	4
The LockerGoga Malware is associated with Hive. LockerGoga is a type of malware, specifically ransomware, that infiltrates computer systems and holds data hostage until a ransom is paid. This malicious software was notably deployed in an attack against Norsk Hydro in March 2019. The malware was distributed by the threat group FIN6, which traditio	Unspecified	4
The MegaCortex Malware is associated with Hive. MegaCortex is a type of malware known for its harmful effects on computer systems and devices. It was identified by Dragos, a cybersecurity firm, as having a relationship with another ransomware called EKANS. Both MegaCortex and EKANS have specific characteristics that pose unique risks to industria	Unspecified	4
The Clop Malware is associated with Hive. Clop, a malicious software (malware), is linked to a Russian-speaking cybercriminal group also known as Cl0p. It is designed to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. In May 2023, the Clop group began exploitin	Unspecified	3
The Ragnar Locker Malware is associated with Hive. Ragnar Locker is a type of malware, specifically ransomware, known for its destructive impact on computer systems. It infiltrates systems primarily through suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operations, or hold data hostage for rans	Unspecified	3
The HELLOKITTY Malware is associated with Hive. HelloKitty is a malicious software (malware) that has been designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold dat	Unspecified	3
The TrickBot Malware is associated with Hive. TrickBot is a notorious malware developed by cybercriminals to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software can steal personal information, disrupt operations, or even hold data hostage for ransom. Vladimir Dunaev,	Unspecified	3
The QakBot Malware is associated with Hive. Qakbot is a malicious software (malware) designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations, or hold data for ransom. Built by d	Unspecified	3
The Blackbasta Malware is associated with Hive. BlackBasta is a notorious malware, particularly known for its ransomware attacks. The group behind it has been linked with other harmful software such as IcedID, NetSupport, Gozi, PikaBot, Pushdo, Quantum, Royal, and Nokoyawa. Artifacts and indicators of compromise (IoCs) suggest a possible relation	Unspecified	3
The Karakurt Malware is associated with Hive. Karakurt is a malicious software (malware) that has been linked to significant data extortion activities. The malware is affiliated with the notorious Conti cybercrime syndicate and ITG23, which are known for their disruptive operations, including data theft and ransom demands. In 2023, there was a	Unspecified	3
The Bumblebee Malware is associated with Hive. Bumblebee is a type of malware that has been linked to ITG23, a cyber threat group. Over the past year, it has been used in conjunction with other initial access malwares such as Emotet, IcedID, Qakbot, and Gozi during ITG23 attacks. The same values for self-signed certificates seen in Bumblebee hav	Unspecified	2
The Hunters Malware is associated with Hive. Malware hunters, often referred to as bug hunters, play a critical role in cybersecurity by identifying and addressing vulnerabilities in software systems. In 2023, these professionals proved their worth at the Pwn2Own Toronto event where they identified 58 unique zero-day vulnerabilities, earning a	Unspecified	2
The Ryuk Malware is associated with Hive. Ryuk is a type of malware known as ransomware, which has been utilized by the threat group ITG23 for several years. This group has been notorious for crypting their malware, with crypters seen in use with other malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware inves	Unspecified	2
The Emotet Malware is associated with Hive. Emotet is a notorious malware, short for malicious software, that is designed to exploit and damage computers or devices. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations,	Unspecified	2
The Avaddon Malware is associated with Hive. Avaddon is a type of malware, specifically ransomware, designed to exploit and damage computer systems. It was notable for its compatibility with older systems such as Windows XP and Windows 2003, distinguishing it from other ransomware like Darkside and Babuk which targeted more modern systems like	Unspecified	2
The Nokoyawa Malware is associated with Hive. Nokoyawa is a prominent malware, specifically ransomware, that has been linked to numerous cybercrime activities since it first emerged in 2022. It has been associated with various other malware families including Quantum, Royal, BlackBasta, and a variety of others such as Emotet, IcedID, CobaltStri	is related to	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Blackmatter Threat Actor is associated with Hive. BlackMatter, a threat actor in the cybersecurity realm, is known for its malicious activities and has been linked to several ransomware strains. The group emerged as a successor to the DarkSide ransomware, which was responsible for the high-profile attack on the Colonial Pipeline in May 2021. Howeve	Unspecified	4
The DarkSide Threat Actor is associated with Hive. DarkSide is a threat actor known for its malicious activities, primarily in the realm of ransomware attacks. One of their most notable exploits occurred on May 7, 2021, when they targeted Colonial Pipeline Co., a major player in the U.S. energy sector. The attack disrupted the gasoline supply across	Unspecified	3
The Vice Society Threat Actor is associated with Hive. Vice Society, a threat actor or hacking team with malicious intent, has been active since 2022 and has made significant waves in the cybersecurity world. The group is known for deploying various forms of ransomware, including BlackCat, Quantum Locker, Zeppelin, and their own branded variant of Zeppe	Unspecified	3
The Bl00dy Threat Actor is associated with Hive. Bl00dy is a threat actor known for its malicious activities in the cyber world. The group, along with another threat actor called Black Basta, have recently been identified as exploiting bugs in ConnectWise ScreenConnect, a popular remote management tool. This exploitation has led to a significant i	Unspecified	2
The Mikhail Pavlovich Matveev Threat Actor is associated with Hive. Mikhail Pavlovich Matveev, a Russian national also known by online monikers Wazawaka, m1x, Boriselcin, and Uhodiransomwar, has been identified as a major threat actor in the world of cybersecurity. Matveev is among five Russians charged in connection with Lockbit, a group widely recognized as one of	Unspecified	2
The Qilin Threat Actor is associated with Hive. Qilin, a threat actor known for its malicious activities in the cyberspace, has been on the rise with an increase in victim count by 44% reaching 140 in Q3. This group is part of the Octo Tempest group which recently added RansomHub and Qilin ransomware to its arsenal, enhancing its capabilities to	Unspecified	2
The Wazawaka Threat Actor is associated with Hive. Wazawaka, identified by the FBI as Mikhail Matveev, is a significant threat actor in the cybercrime landscape. Known for his affiliations with multiple ransomware groups, including LockBit, throughout 2020 and 2021, he became a central figure in the Babuk ransomware-as-a-service gang. Matveev's oper	Unspecified	2
The Boriselcin Threat Actor is associated with Hive. Mikhail Pavlovich Matveev, also known as Boriselcin, is a threat actor that has been implicated in significant cybercrime activities. Beginning at least as early as 2020, Matveev has been allegedly involved in deploying three ransomware variants: LockBit, Babuk, and Hive. These attacks targeted vari	Unspecified	2
The Uhodiransomwar Threat Actor is associated with Hive. Uhodiransomwar, also known as Mikhail Pavlovich Matveev, Wazawaka, m1x, and Boriselcin, is a significant threat actor in the cybersecurity landscape. A Russian national aged 30, Matveev has been implicated in a series of malicious cyber activities since at least 2020. He is alleged to have participa	Unspecified	2

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The vulnerability CVE-2021-34523 is associated with Hive.	Unspecified	2
The vulnerability CVE-2020-12812 is associated with Hive.	Unspecified	2
The CVE-2021-31207 Vulnerability is associated with Hive. CVE-2021-31207 is a significant software vulnerability that has been exploited by APT40, a group known for rapidly taking advantage of newly public vulnerabilities in widely used software. This particular vulnerability affects Atlassian Confluence and Microsoft Exchange, among other platforms, and a	Unspecified	2
The vulnerability CVE-2021-42321 is associated with Hive.	Unspecified	2
The CVE-2021-34473 Vulnerability is associated with Hive. CVE-2021-34473 is a significant software vulnerability that was discovered in Microsoft Exchange Server. This flaw, along with two others (CVE-2021-31207 and CVE-2021-34523), forms a chain of vulnerabilities known as ProxyShell. These vulnerabilities can be exploited together by remote attackers to	Unspecified	2

Source Document References

Information about the Hive Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Trend Micro	8 hours ago	Spot the Difference: Earth Kasha's New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella
ESET	23 days ago	Embargo ransomware: Rock’n’Rust
Securelist	a month ago	Kernel shellcode persistence technique in APT attacks and SAS CTF challenge
Securelist	a month ago	Analyzing the familiar tools used by the Crypt Ghouls hacktivists
BankInfoSecurity	2 months ago	US DOJ Unveils New Strategic Approach to Counter Cybercrime
Securelist	3 months ago	Evolution of Mallox: from private ransomware to RaaS
DARKReading	3 months ago	Hunters International Masks SharpRhino RAT as Legit Network Admin Tool
DARKReading	a year ago	Feds Snarl ALPHV/BlackCat Ransomware Operation
DARKReading	9 months ago	US Govt. Offers Millions in Bounties to Find Hive Ransomware Actors
DARKReading	7 months ago	Global Cybercriminal Duo Face Imprisonment After Hive RAT Scheme
CISA	4 months ago	North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs \| CISA
Unit42	4 months ago	From RA Group to RA World: Evolution of a Ransomware Group
Securityaffairs	4 months ago	Russian nationals plead guilty to participating in the LockBit ransomware group
Securityaffairs	4 months ago	Russian nationals plead guilty to participating in the LockBit ransomware group
BankInfoSecurity	5 months ago	Breach Roundup: Phishing Platform ONNX Targets Microsoft 365
InfoSecurity-magazine	5 months ago	LockBit Most Prominent Ransomware Actor in May 2024
DARKReading	5 months ago	DataBee Launches Innovations for Enhanced Threat Monitoring and Zero Trust Implementation
DARKReading	6 months ago	Critical Netflix Genie Bug Opens Big Data Orchestration to RCE
Securelist	6 months ago	Kaspersky Anti-Ransomware Day report 2024
InfoSecurity-magazine	7 months ago	LockBit, Black Basta, Play Dominate Ransomware in Q1 2024