Hive

Malware Profile Updated 9 days ago
Hive, a form of malware, has been causing significant disruptions in the cybersecurity world. The malicious software infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. Notably, Volt Typhoon has exfiltrated NTDS.dit and the SYSTEM registry hive to crack passwords offline. Hive's operations have also included "hostage trading" of data between groups: victims who paid for data deletion later saw their names appear on the leak site of Hunters International, a reboot or rebrand of Hive.

In 2023, international law enforcement agencies seized the infrastructure of several ransomware groups, including Hive, BlackCat, and Ragnar. This was followed by Operation Cronos in early 2024, which disrupted LockBit and obtained its decryption keys. By May 2024, the group's leader had been unmasked and sanctioned. These efforts have made maintaining a ransomware operation more expensive and cut into the groups' income by decrypting victims' data for free. However, these groups are expected to change how they share and store decryption keys to prevent future seizures.

A Southern California man named Chakhmakhchyan, also known as "Corruption," was arrested on federal charges alleging that he schemed to advertise and sell the 'Hive' computer intrusion malware. According to the indictment, Chakhmakhchyan had worked with the creator of the Hive RAT (remote access trojan), previously known as "Firebird," for about four years. He advertised online the RAT's many features, which allowed its owner to remotely access victim computers and intercept communications and data without the victim's knowledge. When informed that a target had significant cryptocurrency and project files, Chakhmakhchyan agreed to sell the Hive RAT. Although he pleaded not guilty to two charges, his arrest marks a significant step in combating the spread of this destructive malware.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Alphv | 12 | Alphv, also known as BlackCat, is a notorious threat actor that emerged in December 2021. The group has been responsible for numerous high-profile cyberattacks, including those against Clarion, a global manufacturer of audio and video equipment for cars; Morrison Community Hospital, from which they
Hive Ransomware | 10 | Hive ransomware, a notorious threat actor, emerged as one of the most prolific groups in 2022, executing a series of cyberattacks with malicious intent. This group was responsible for numerous ransomware attacks, causing significant disruptions and damage across various sectors. However, in January
Hunters International | 5 | Hunters International, a threat actor group in the cybersecurity realm, has recently gained notoriety for its malicious activities. The group is believed to have taken over Hive Ransomware, a notorious malware used for cyberattacks, after Hive's takedown in 2023. Despite disputes from Hunters Intern
AvosLocker | 4 | AvosLocker is a type of malware, specifically ransomware, that poses significant threats to computer systems and networks. Ransomware is a malicious software designed to block access to a computer system until a sum of money is paid. AvosLocker infiltrates systems through suspicious downloads, email
Akira | 3 | Akira is a notorious malware, specifically a ransomware, that has been causing significant damage and disruptions across various industries. It operates by infiltrating systems often without the user's knowledge, stealing sensitive information, and holding data hostage for ransom. Over time, Akira h
Zeon | 2 | Zeon, a known threat actor in the cybersecurity landscape, has been linked to several high-profile ransomware attacks. It was instrumental in crypting SVCReady and CargoBay loaders, observed in Quantum and Royal ransomware attacks respectively. Zeon has also employed third-party ransomware such as B
Volt Typhoon | 2 | Volt Typhoon, a threat actor associated with the Chinese government, has emerged as a significant cybersecurity concern. Known for their strong operational security and use of obfuscation techniques to hide their malware, this group has successfully compromised organizations across various sectors s
Royal Ransomware | 2 | Royal Ransomware, a harmful malware created by former members of the Conti group, was involved in multiple high-profile attacks against critical infrastructure. Its operations were characterized by multi-threaded encryption and it often left a ransom note after infecting systems. Notably, the Royal
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
Windows
Ransom
RaaS
Linux
Extortion
Cybercrime
FBI
Vulnerability
Encryption
Infiltration
ESXi
Loader
Payload
Phishing
Locker
Bitcoin
Rust
APT
VPN
T1566.001
Exploit
T1133
Encrypt
T1112
T1190
T1537
Botnet
Malware Loader
Antivirus
FortiOS
Exploitation
Government
RAT
Azure
Spyware
Associated Malware
ID | Type | Votes | Profile Description
Lockbit | Unspecified | 12 | LockBit is a malicious software (malware) that has been implicated in several high-profile cyber attacks. It infiltrates systems through suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operations, or hold data hostage for ransom. Recently, the L
Conti | Unspecified | 7 | Conti is a malware program known for its disruptive capabilities, including stealing personal information and holding data hostage for ransom. It gained notoriety as part of the arsenal of ITG23, a cybercrime group that used it in conjunction with other malicious software like Trickbot, BazarLoader,
REvil | Unspecified | 5 | REvil, a Russia-based group, was a prominent player in the Ransomware as a Service (RaaS) model that gained traction through 2020. The group was notorious for its high-profile attacks on critical infrastructure entities in the US between 2019 and 2021. REvil's modus operandi involved hacking into vi
Babuk | Unspecified | 5 | Babuk is a type of malware, specifically ransomware, that has been used to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Recently, there has been an in
Hive Ransomware Gang | Unspecified | 4 | The Hive ransomware gang, a malicious group known for exploiting and damaging computer systems through harmful software, was significantly disrupted by the Federal Bureau of Investigation (FBI) in a series of operations. Six months ago, according to the US Department of Justice (DOJ), the FBI infilt
LockerGoga | Unspecified | 4 | LockerGoga is a type of malware, specifically ransomware, known for its disruptive capabilities. It was notably deployed at Norsk Hydro in March 2019, causing significant operational disruption. LockerGoga differentiates itself from other types of ransomware such as EKANS due to its destructive natu
MegaCortex | Unspecified | 4 | MegaCortex is a type of malware known for its harmful effects on computer systems and devices. It was identified by Dragos, a cybersecurity firm, as having a relationship with another ransomware called EKANS. Both MegaCortex and EKANS have specific characteristics that pose unique risks to industria
Black Basta | is related to | 4 | Black Basta is a prolific malware, specifically a Ransomware-as-a-Service (RaaS) operator, originating from Russia. It is believed to be an offshoot of the notorious Conti ransomware group, which ceased operations just prior to Black Basta's emergence. The malware uses popular initial access techniq
Clop | Unspecified | 3 | Clop is a type of malware, specifically a ransomware, known for its destructive capabilities in exploiting and damaging computer systems. It can infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it has the potential to steal personal inform
Ragnar Locker | Unspecified | 3 | Ragnar Locker is a type of malware, specifically ransomware, that infiltrates computer systems to steal sensitive information and disrupt operations. The malicious software can be introduced into systems via suspicious downloads, emails, or websites. Once inside, it can cause significant damage by s
HELLOKITTY | Unspecified | 3 | HelloKitty is a malicious software (malware) that has been designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold dat
TrickBot | Unspecified | 3 | TrickBot is a notorious malware that has been linked to numerous cybercrimes. This malicious software, designed to exploit and damage computers or devices, can infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal informat
QakBot | Unspecified | 3 | Qakbot is a type of malware, or malicious software, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. Qakbot is among several malware families buil
Blackbasta | Unspecified | 3 | BlackBasta is a notorious malware group known for its ransomware attacks, which began in April 2022. The group primarily used SharpDepositorCrypter as the main loader for their ransomware throughout most of 2022. In addition to BlackBasta Ransomware, they have also utilized other malicious software
Karakurt | Unspecified | 3 | Karakurt is a notorious malware and data extortion group, previously affiliated with ITG23, known for its sophisticated tactics, techniques, and procedures (TTPs). The group's operations involve stealing sensitive data from compromised systems and demanding ransoms ranging from $25,000 to a staggeri
Ryuk | Unspecified | 2 | Ryuk is a type of malware, specifically ransomware, that has been used extensively by the group ITG23. The group has been encrypting their malware for several years, using crypters with malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware investigations were linked to
Bumblebee | Unspecified | 2 | Bumblebee is a malicious software (malware) that was first identified in March 2022 and has been utilized by various cybercriminal groups as an initial access loader to deliver different payloads, including infostealers, banking Trojans, and post-compromise tools. The malware infects systems through
Avaddon | Unspecified | 2 | Avaddon is a type of malware, specifically ransomware, designed to exploit and damage computer systems. It was notable for its compatibility with older systems such as Windows XP and Windows 2003, distinguishing it from other ransomware like Darkside and Babuk which targeted more modern systems like
Emotet | Unspecified | 2 | Emotet is a notorious malware, designed to infiltrate systems and cause significant harm. It operates by exploiting vulnerabilities in your computer or device, often through suspicious downloads, emails, or websites, and can steal personal information, disrupt operations, or hold data hostage for ra
Nokoyawa | is related to | 2 | Nokoyawa is a notorious malware, particularly known for its ransomware capabilities. It has been associated with various other malicious software including Quantum, Royal, BlackBasta, Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo, DiceLoader, AresLoader, LummaC2, Vidar, Gozi, Cany
Associated Threat Actors
ID | Type | Votes | Profile Description
Blackmatter | Unspecified | 4 | BlackMatter, a threat actor known for its malicious activities in the cybersecurity landscape, emerged as a variant of the notorious "DarkSide" ransomware. In May 2021, after launching an attack on Colonial Pipeline, the group rebranded itself from DarkSide to BlackMatter. However, due to increased
DarkSide | Unspecified | 3 | DarkSide is a notorious threat actor that has been associated with significant cyber attacks, most notably the ransomware attack on the US Colonial Pipeline in 2021. This group was known for its adoption of the ransomware-as-a-service (RaaS) model and had reportedly netted over $90 million in Bitcoi
Vice Society | Unspecified | 3 | Vice Society, a threat actor known for its malicious cyber activities, has been identified as a significant player in the deployment of ransomware attacks. Notably active from 2022 through May 2023, Vice Society executed multi-extortion strategies, targeting various sectors including education and h
Uhodiransomwar | Unspecified | 2 | Uhodiransomwar, also known as Mikhail Pavlovich Matveev, Wazawaka, m1x, and Boriselcin, is a threat actor who has been active since at least 2020. Matveev, a 30-year-old Russian national, is alleged to have participated in conspiracies to deploy three ransomware variants: LockBit, Babuk, and Hive. T
Bl00dy | Unspecified | 2 | Bl00dy is a malicious threat actor known for its involvement in various cyber-attacks, often operating alongside other threat groups like Black Basta. This group has been linked to the exploitation of recent vulnerabilities in ConnectWise ScreenConnect, a widely used remote management and monitoring
Qilin | Unspecified | 2 | Qilin, also known as Agenda and Water Galura, is a notable threat actor that has been active since 2022. The group operates through ransomware-as-a-service (RaaS), providing malicious software to affiliates who then carry out attacks on various targets. Qilin has been linked to a number of high-prof
Mikhail Pavlovich Matveev | Unspecified | 2 | Mikhail Pavlovich Matveev, a Russian national also known by the online monikers Wazawaka, m1x, Boriselcin, and Uhodiransomwar, is identified as a significant threat actor in the cybersecurity landscape. He is one of five Russians charged over their involvement with Lockbit, a group regarded as the w
Wazawaka | Unspecified | 2 | Wazawaka, identified by the FBI as Mikhail Matveev, is a prominent threat actor in the cybercrime underworld with previous affiliations to LockBit ransomware groups. Throughout 2020 and 2021, he functioned as an affiliate for multiple ransomware organizations, including LockBit. In January 2022, Kre
Boriselcin | Unspecified | 2 | Mikhail Pavlovich Matveev, also known as Boriselcin, is a threat actor that has been implicated in significant cybercrime activities. Beginning at least as early as 2020, Matveev has been allegedly involved in deploying three ransomware variants: LockBit, Babuk, and Hive. These attacks targeted vari
Snake | Unspecified | 2 | Snake, also known as Turla or EKANS, is a significant threat actor that has been active since at least 2004 and possibly as far back as the late 1990s. This cybercrime group possesses an extensive arsenal of tools and malware, including AgentTesla, FormBook, Remcos, LokiBot, GuLoader, Snake Keylogge
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2021-34473 | Unspecified | 2 | CVE-2021-34473 is a vulnerability in the Microsoft Exchange Server, which forms part of a chain of related vulnerabilities known as ProxyShell. The other vulnerabilities in this chain are CVE-2021-34523 and CVE-2021-31207. These vulnerabilities can be exploited together by remote attackers to infilt
CVE-2021-34523 | Unspecified | 2 | None
CVE-2020-12812 | Unspecified | 2 | None
CVE-2021-31207 | Unspecified | 2 | None
CVE-2021-42321 | Unspecified | 2 | None
Source Document References
Information about the Hive malware was read from the documents in the corpus below. This display is limited to 20 results.
Source (Created At): Title
CERT-EU (a year ago): Hive Ransomware? Let’s Learn All About It - Cybersecurity Insiders
CERT-EU (a year ago): #StopRansomware: Hive Ransomware | CISA | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware - National Cyber Security
CISA (a year ago): #StopRansomware: Hive Ransomware | CISA
CSO Online (a year ago): FBI takes down Hive ransomware group in an undercover operation
BankInfoSecurity (a year ago): Co-Working for the Ransomware Age: How Hive Thrived
Flashpoint (a year ago): COURT DOC: U.S. Department of Justice Disrupts Hive Ransomware Variant
BankInfoSecurity (a year ago): Will Hive Stay Kaput After FBI Busts Infrastructure?
CERT-EU (a year ago): How weak is YOUR password? Graphic shows exactly how long it would take hackers to break it | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker – National Cyber Security Consulting
CERT-EU (a year ago): FBI’s ransomware takedown: one Hive down, a colony to go | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware - National Cyber Security
CERT-EU (a year ago): Hive takedown puts ‘small dent’ in ransomware problem
CERT-EU (8 months ago): Hacking the Hackers - The Journal. | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU (a year ago): Ransomware: New US strategy prioritizes victims but could make it harder to catch cybercriminals | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware - National Cyber Security
CERT-EU (a year ago): FBI Dismantles Hive Ransomware Network From the Inside, Thwarting Over $130m in Ransom Demands | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware - National Cyber Security
CERT-EU (a year ago): Breaking-free from the Hive
Malwarebytes (a year ago): Ransomware review: February 2023
Naked Security (a year ago): Hive ransomware servers shut down at last, says FBI
DARKReading (a year ago): Hive Ransomware Gang Loses Its Honeycomb, Thanks to DoJ
CERT-EU (a year ago): Ransomware watchers are finding creative ways to track attacks | #ransomware | #cybercrime – National Cyber Security Consulting
CERT-EU (a year ago): Ransomware watchers are finding creative ways to track attacks
CERT-EU (a year ago): How the FBI hacked Hive and saved potential victims $130 million | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker – National Cyber Security Consulting