Hive Ransomware

Threat Actor Profile Updated 3 months ago
Hive was a ransomware-as-a-service (RaaS) operation and one of the most prolific ransomware groups of 2022, responsible for a large number of attacks that caused significant disruption across many sectors, including healthcare. In January 2023 a law enforcement operation led by the FBI, with support from agencies including the U.S. Cybersecurity & Infrastructure Security Agency (CISA) and European partners, disrupted the operation and seized the Tor sites Hive used to negotiate with and extort victims. The FBI had covertly infiltrated Hive's infrastructure in mid-2022 and, in the months before the takedown, passed decryption keys to victims so they could recover without paying.

That infiltration also showed that only about 20% of Hive's victims had reported the intrusion to law enforcement. Such a low reporting rate limits how well investigators can gauge the scale and impact of a ransomware operation, and the FBI has stressed that more victim reporting would improve its ability to counter these threats.

In late 2023 a group calling itself Hunters International appeared and has been widely assessed as a rebrand or successor of Hive, although Hunters International disputes that characterization (see the cluster overlaps below). Either way, the continuity illustrates how quickly ransomware operators regroup after a disruption. The Hive case also shows the value of law enforcement working with the private sector: sharing decryption capabilities and dismantling criminal infrastructure deprived the operators of ransom payments and broke up the enterprise, at least in its original form.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Hive | 10 | Hive is a malicious software, or malware, that infiltrates systems to exploit and damage them. This malware has been associated with Volt Typhoon, who exfiltrated NTDS.dit and SYSTEM registry hive to crack passwords offline. The Hive operation was primarily involved in port scanning, credential thef
Hunters International | 4 | Hunters International, a threat actor group in the cybersecurity realm, has recently gained notoriety for its malicious activities. The group is believed to have taken over Hive Ransomware, a notorious malware used for cyberattacks, after Hive's takedown in 2023. Despite disputes from Hunters Intern
Wazawaka | 2 | Wazawaka, identified by the FBI as Mikhail Matveev, is a significant threat actor in the cybercrime landscape. Known for his affiliations with multiple ransomware groups, including LockBit, throughout 2020 and 2021, he became a central figure in the Babuk ransomware-as-a-service gang. Matveev's oper
M1x | 1 | M1x, also known as Wazawaka, Boriselcin, and Uhodiransomwar, is a threat actor identified as Mikhail Pavlovich Matveev. This individual has been allegedly involved in malicious cyber activities since at least 2020. Matveev's primary mode of operation involves the deployment of ransomware, specifical
Boriselcin | 1 | Mikhail Pavlovich Matveev, also known as Boriselcin, is a threat actor that has been implicated in significant cybercrime activities. Beginning at least as early as 2020, Matveev has been allegedly involved in deploying three ransomware variants: LockBit, Babuk, and Hive. These attacks targeted vari
Uhodiransomwar | 1 | Uhodiransomwar, also known as Mikhail Pavlovich Matveev, Wazawaka, m1x, and Boriselcin, is a threat actor who has been identified as a significant cybersecurity concern. A Russian national aged 30, Matveev has allegedly been involved in numerous malicious activities since at least 2020, primarily fo
Waza | 1 | None
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Ransom
Malware
RaaS
Encryption
ESXi
Cybercrime
FBI
Windows
Antivirus
Scam
T1112
Linux
Exploit
Russia
Phishing
Botnet
Extortion
BreachForums
Bitdefender
Hydra Market
Vulnerability
Health
Federal
Healthcare
Data Leak
Malware Loader
Infiltration
Remcos
RMM
Locker
Scams
CISA
Associated Malware
ID | Type | Votes | Profile Description
Lockbit | Unspecified | 5 | LockBit is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. It can enter your system through various channels such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt
QakBot | Unspecified | 2 | Qakbot is a potent malware, a malicious software designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it has the potential to steal personal information, disrupt operations, or e
TrickBot | Unspecified | 2 | TrickBot is a notorious form of malware that infiltrates systems to exploit and damage them, often through suspicious downloads, emails, or websites. Once it has breached a system, TrickBot can steal personal information, disrupt operations, and even hold data hostage for ransom. It has been linked
Nokoyawa | Unspecified | 2 | Nokoyawa is a notorious malware, particularly known for its ransomware capabilities. It has been associated with various other malicious software including Quantum, Royal, BlackBasta, Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo, DiceLoader, AresLoader, LummaC2, Vidar, Gozi, Cany
Babuk | Unspecified | 2 | Babuk is a type of malware, specifically ransomware, which is designed to infiltrate systems and hold data hostage for ransom. It can be delivered through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, Babuk can disrupt operations and steal perso
Hunters | Unspecified | 2 | The malware group known as Hunters International has been involved in a series of high-profile cyberattacks, targeting organizations such as AT&T and the Crystal Lake Health Center. In April, an individual named Binns hacked AT&T, leading to a ransom payment by the company to another hacking group,
REvil | Unspecified | 1 | REvil is a notorious form of malware, specifically ransomware, that infiltrates systems to disrupt operations and steal data. The ransomware operates on a Ransomware as a Service (RaaS) model, which gained traction in 2020. In this model, REvil, like other first-stage malware such as Dridex and Goot
Conti | Unspecified | 1 | Conti is a type of malware, specifically ransomware, known for its ability to disrupt operations, steal personal information, and hold data hostage for ransom. The malicious software infiltrates systems via suspicious downloads, emails, or websites, often unbeknownst to the user. It has been used in
Ragnar Locker | Unspecified | 1 | Ragnar Locker is a type of malware, specifically a ransomware, that has been designed to infiltrate computer systems, often without the user's knowledge. It can enter systems through suspicious downloads, emails, or websites and once inside, it has the capability to steal personal information, disru
Black Suit | Unspecified | 1 | Black Suit is a notable piece of malware that emerged as a rebranding of the Royal ransomware. The connection between the two was established through matching binaries. This malicious software, designed to exploit and damage computer systems, has been linked to several cyberattacks. Notably, Black S
Avaddon | Unspecified | 1 | Avaddon is a type of malware, specifically ransomware, designed to exploit and damage computer systems. It was notable for its compatibility with older systems such as Windows XP and Windows 2003, distinguishing it from other ransomware like Darkside and Babuk which targeted more modern systems like
Abyss Locker | Unspecified | 1 | Abyss Locker is a formidable strain of malware, specifically ransomware, that has been observed targeting both Microsoft Windows and Linux platforms. This malicious software operates by infiltrating systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside
NoEscape | Unspecified | 1 | NoEscape is a malicious software that emerged as a rebrand of 'Avaddon,' known for its successful multi-extortion tactics. In October 2023, the French basketball team ASVEL fell victim to a data breach orchestrated by the NoEscape ransomware gang. This incident was part of a broader trend in the las
Qbot | Unspecified | 1 | Qbot, also known as Qakbot or Pinkslipbot, is a modular information-stealing malware that emerged in 2007 as a banking trojan. Over the years, it has evolved into an advanced malware strain used by multiple cybercriminal groups to compromise networks and prepare them for ransomware attacks. The firs
Quantum Ransomware | Unspecified | 1 | Quantum ransomware is a type of malicious software (malware) that was notably active in 2022. This pernicious program infiltrates computers and devices, often unbeknownst to the user, via suspicious downloads, emails, or websites. Once inside the system, it can disrupt operations, steal personal inf
Associated Threat Actors
ID | Type | Votes | Profile Description
Mikhail Pavlovich Matveev | Unspecified | 3 | Mikhail Pavlovich Matveev, a Russian national also known by the online monikers Wazawaka, m1x, Boriselcin, and Uhodiransomwar, is identified as a significant threat actor in the global cybersecurity landscape. He is one of five Russians charged over Lockbit, considered to be the world's most dangero
Alphv | Unspecified | 3 | AlphV, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. This group has been involved in numerous high-profile attacks, including stealing 5TB of data from Morrison Community Hospital and compromising Clarion, a global manufacturer of audio and video equipment for car
Blackbyte | Unspecified | 1 | BlackByte, a threat actor known for its malicious activities, has been on the radar of cybersecurity agencies since its emergence in July 2021. Notorious for targeting critical infrastructure, BlackByte attracted the attention of the Federal Bureau of Investigation (FBI) and the US Secret Service (U
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Hive Ransomware Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 4 months ago | Navigating Ransomware Trends and Evolving Threats in the Cyber Landscape | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU | 4 months ago | EquiLend Employee Data Breached After January Ransomware Attack | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU | 5 months ago | Ransomware attacks are hitting critical infrastructure more often, FBI says
BankInfoSecurity | 5 months ago | Banning Ransom Payments: Calls Grow to 'Figure Out' Approach
CERT-EU | 5 months ago | These states generate the most cybercrime complaints | #cybercrime | #infosec | National Cyber Security Consulting
CERT-EU | 5 months ago | FBI: Cybercrime cost Americans over $12.5B in 2023 | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU | 5 months ago | Cyber Security Today, Week in Review for week ending Friday, March 1, 2024 | IT World Canada News
CERT-EU | 5 months ago | LockBit Ransomware Gang Returns, Taunts FBI and Vows Data Leaks
CERT-EU | 5 months ago | How the FBI and CISA look to mature the government’s top ransomware task force | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU | 5 months ago | Public Extortion via Ransomware Spikes | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU | 5 months ago | Police arrest LockBit ransomware members, release decryptor in global crackdown
BankInfoSecurity | 5 months ago | LockBit Infrastructure Seized By US, UK Police
BankInfoSecurity | 5 months ago | LockBit Infrasttructure Seized By US, UK Police
Malwarebytes | 5 months ago | Ransomware in 2023 recap: 5 key takeaways | Malwarebytes
InfoSecurity-magazine | 6 months ago | Malware-as-a-Service Now the Top Threat to Organizations
Unit42 | 6 months ago | Ransomware Retrospective 2024: Unit 42 Leak Site Analysis
BankInfoSecurity | 6 months ago | France's OFAC to Tackle Cyberthreats Ahead of Olympics
CERT-EU | 6 months ago | Ransomware Activity Surged in 2023, Likely to Evolve in 2024 | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU | 6 months ago | Stupid Human Tricks: Top 10 Cybercrime Cases of 2023
CERT-EU | 6 months ago | Stupid Human Tricks: Top 10 Cybercrime Cases of 2023 | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting