Hive Ransomware: In-Depth Analysis, Detection, Mitigation

Summary of Hive Ransomware

Hive ransomware emerged in June 2021. Hive practices double extortion, demanding payment for a decryptor as well as for the non-release of stolen data. Hive operates as a RaaS (Ransomware-as-a-Service) and their campaigns are characterized as being aggressive and rapid. The payloads are non-stealth in their execution and full drive encryption can be achieved in just a few minutes. Hive operators make significant use of COTS tools and LOLBins during all stages of attack. They are also known to frequently attack healthcare and education organizations.

Hive Ransomware - Featured Image | SentinelOne

What Does Hive Ransomware Target?

Hive ransomware targets a wide range of industries including healthcare, finance, retail, energy and manufacturing.

Update: In January 2023, the United States Department of Justice announced the disruption of Hive’s ransomware operations. Hive operations remained dormant following this operation until their reemergence in October 2023 under the moniker ‘Hunters International’.

Hive Ransomware - Hunter International | SentinelOne

How Does Hive Ransomware Spread?

Hive ransomware can be deployed in various ways, such as with Cobalt Strike or a similar framework, as well as through email phishing. Additionally, it targets vulnerabilities in RDP and VPN services. Hive actors are adept at advanced MFA bypasses, as well as exploitation of advanced vulnerabilities including CVE-2020-12812 (FortiOS) and CVE-2021-31207, CVE-2021-34473 and CVE-2021-34523 (all Microsoft Exchange)

Hive Ransomware Technical Details

Hive actors gain initial access to victim networks in various ways. Hive actors have exploited single factor logins via Remote Desktop Protocol (RDP), virtual private networks (VPNs) and other network connection protocols . In some cases, they have bypassed multifactor authentication (MFA) and exploited CVE-2020-12812 to gain access to FortiOS servers. This vulnerability allows a malicious actor to log in without prompting for a second authentication factor (FortiToken) by changing the case of the username. Additionally, they have distributed phishing emails with malicious attachments  and exploited vulnerabilities against Microsoft Exchange servers.

Hive uses a number of custom pre-deployment PowerShell and BAT scripts to prepare the environment for distribution of the ransomware.  ADFind, SharpView, and BloodHound are used for Active Directory enumeration. Password spraying is performed with SharpHashSpray and SharpDomainSpray, while Rubeus is used to request TGTs (Kerberos Ticket Granting Ticket). Cobalt Strike is used by Hive operators, and several different Cobalt Strike loaders have been identified including a IPfuscated loader, a Golang loader, and a vanilla/native beacon DLL. Finally, GPOs and Scheduled Tasks are used to deploy digitally signed ransomware across the victim’s network.

Hive will attempt to inhibit system recovery by removing Volume Shadow Copies. VSS removal and timeout (execution delays) functions are handled via .BAT files dropped upon launch. Hive’s execution is both rapid and noisy. Full drive encryption can be achieved within minutes. Visible cmd-windows and excessive timeout calls make it far from ‘stealth’. Victims are instructed to visit the Hive payment and support portal via TOR.

How to Detect Hive Ransomware

  • The SentinelOne Singularity XDR Platform can identify and stop any malicious activities and items related to Hive Ransomware

In case you do not have SentinelOne deployed, detecting ransomware requires a combination of technical and operational measures designed to identify and flag suspicious activity on the network. This allows the organization to take appropriate action, and to prevent or mitigate the impact of the ransomware attack.

To mitigate the risk of this Ransomware without SentinelOne deployed, it is important to take a multi-layered approach, which includes the following steps:

  1. Use anti-malware software or other security tools capable of detecting and blocking known ransomware variants. These tools may use signatures, heuristics, or machine learning algorithms, to identify and block suspicious files or activities.
  2. Monitor network traffic and look for indicators of compromise, such as unusual network traffic patterns or communication with known command-and-control servers.
  3. Conduct regular security audits and assessments to identify network and system vulnerabilities and ensure that all security controls are in place and functioning properly.
  4. Educate and train employees on cybersecurity best practices, including identifying and reporting suspicious emails or other threats.
  5. Implement a robust backup and recovery plan to ensure that the organization has a copy of its data and can restore it in case of an attack.

How to Mitigate Hive

  • The SentinelOne Singularity XDR Platform can return systems to their original state (which is free from re-infection) using either the Repair or Rollback feature.

In case you do not have SentinelOne deployed, there are several steps that organizations can take to mitigate the risk of ransomware attacks:

  1. Educate employees: Employees should be educated on the risks of ransomware, and on how to identify and avoid phishing emails, malicious attachments, and other threats. They should be encouraged to report suspicious emails or attachments, and to avoid opening them, or clicking on links or buttons in them.
  2. Implement strong passwords: Organizations should implement strong, unique passwords for all user accounts, and should regularly update and rotate these passwords. Passwords should be at least 8 characters long, and should include a combination of uppercase and lowercase letters, numbers, and special characters.
  3. Enable multi-factor authentication: Organizations should enable multi-factor authentication (MFA) for all user accounts, to provide an additional layer of security. This can be done through the use of mobile apps, such as Google Authenticator or Microsoft Authenticator, or through the use of physical tokens or smart cards.
  4. Update and patch systems: Organizations should regularly update and patch their systems, to fix any known vulnerabilities, and to prevent attackers from exploiting them. This includes updating the operating system, applications, and firmware on all devices, as well as disabling any unnecessary or unused services or protocols.

Implement backup and disaster recovery: Organizations should implement regular backup and disaster recovery (BDR) processes, to ensure that they can recover from ransomware attacks, or other disasters. This includes creating regular backups of all data and systems, and storing these backups in a secure, offsite location. The backups should be tested regularly, to ensure that they are working, and that they can be restored quickly and easily.

Purpose Built to Prevent Tomorrow’s Threats. Today.
Your most sensitive data lives on the endpoint and in the cloud. Protect what matters most from cyberattacks. Fortify every edge of the network with realtime autonomous protection.
Get a Demo

Hive Ransomware FAQs

What is Hive ransomware?

Hive is an operational ransomware-as-a-service active since 2021. Hive encrypts and adds .hive or.keyHive extensions. It drops ransom messages that are labeled as HOW_TO_DECRYPT_FILES.txt. It will threaten to dump stolen data onto leak sites. Hive actively targets the healthcare and education industries.

Who operates the Hive ransomware group?

A Russian cybercrime gang operates Hive. They will outsource affiliates to distribute ransomware. You can follow their infrastructure using Bitcoin payment addresses. Law enforcement broke up some of their operations in 2023, but splinter groups remain active.

What encryption algorithms does Hive ransomware use?

Hive encrypts files using AES-256-CTR and RSA-2048 to encrypt the key. They’ll generate a single unique key for each of your victims. They’ll encrypt your files in 1MB chunks so they won’t be detected. Your decryption key is stored on the attacker-controlled servers.

What file extensions does Hive ransomware append to encrypted files?

Hive appends encrypted files. For example, “contract.doc” will become “contract.doc.hive.” They will also drop ransom notices in TXT and PDF form. You will be able to find attacks by these extensions and encryption signatures.

How does Hive ransomware gain initial access to networks?

Hive operators exploit vulnerabilities in FortiOS and Exchange Server. They will use phishing emails with malicious Excel macros. You can also get infected via compromised MSP accounts. The attackers will brute-force weak VPN credentials to gain entry.

Does Hive ransomware support both Windows and Linux/ESXi platforms?

Yes, Hive has Windows, Linux, and VMware ESXi system variants. They will prioritise ESXi servers in virtualised environments. You should secure hypervisor management interfaces. Linux attacks focus on exposed SSH services with weak passwords.

What ransom notes and messages does Hive leave behind?

Hive leaves notes named HOW_TO_DECRYPT_FILES.txt and README_HIVE.html. They will provide Tor URLs and unique victim IDs. The notes threaten data leaks within 72 hours. You can find these files on desktops and encrypted directories.

Has the Hive source code or builder been leaked?

Yes, parts of Hive’s source code leaked in 2023 after law enforcement actions. They will still operate modified versions. You can find builder tools on dark web forums. The leaks do not provide decryption keys for existing victims.

What are the indicators of compromise (IOCs) for Hive ransomware?

IOCs include .hive file extensions and ransom notes with Hive branding. They will connect to C2 servers like 185.225.73.244. Monitor for PowerShell executing “Invoke-Hive” commands. Registry keys under HKEY_CURRENT_USER\Software\Hive are created during infections.

How can organisations detect Hive ransomware infections?

You can detect Hive by monitoring for rapid file encryption patterns. There are alerts for suspicious VSS service termination. They will generate Windows Firewall disablement events (ID 5031). Use EDR tools to flag unauthorised encryption processes.

What should organisations do if infected with Hive ransomware?

Isolate affected systems immediately—contact incident response professionals. If you have offline backups, initiate recovery procedures. Do not delete encrypted files or ransom notes. Report the attack to cybersecurity agencies and regulatory bodies.