win.hive

Hive


Hive is a strain of ransomware that was first discovered in June 2021. It was designed for a Ransomware-as-a-Service model, enabling novice cyber-criminals to launch ransomware attacks on healthcare providers, energy providers, charities and retailers across the globe.
In 2022 the codebase was ported from Go to Rust.

References (date | source | author, then title, then the families or actors the reference is tagged with)

2023-12-22 | PRODAFT | PRODAFT
Smoke and Mirrors: Understanding The Workings of Wazawaka
Tags: Conti, Monti, Babuk, Hive, LockBit, RagnarLocker

2023-09-12 | ANSSI | ANSSI
FIN12: A Cybercriminal Group with Multiple Ransomware
Tags: BlackCat, Cobalt Strike, Conti, Hive, MimiKatz, Nokoyawa Ransomware, PLAY, Royal Ransom, Ryuk, SystemBC

2023-05-16 | KrebsOnSecurity | Brian Krebs
Russian Hacker “Wazawaka” Indicted for Ransomware
Tags: Babuk, Hive, LockBit, LockBit, Babuk, Hive, LockBit

2023-04-18 | Mandiant | Mandiant
M-Trends 2023
Tags: QUIETEXIT, AppleJeus, Black Basta, BlackCat, CaddyWiper, Cobalt Strike, Dharma, HermeticWiper, Hive, INDUSTROYER2, Ladon, LockBit, Meterpreter, PartyTicket, PlugX, QakBot, REvil, Royal Ransom, SystemBC, WhisperGate

2023-02-02 | Kroll | Elio Biasiotto, Stephen Green
Hive Ransomware Technical Analysis and Initial Access Discovery
Tags: BATLOADER, Cobalt Strike, Hive

2023-01-11 | Rapid7 Labs | Eoin Miller
Increasing The Sting of HIVE Ransomware
Tags: Hive

2022-11-28 | Github (reecdeep) | reecdeep
HiveV5 file decryptor PoC
Tags: Hive, Hive

2022-11-21 | Malwarebytes | Malwarebytes
2022-11-21 Threat Intel Report
Tags: 404 Keylogger, Agent Tesla, Formbook, Hive, Remcos

2022-08-22 | Microsoft | Microsoft
Extortion Economics - Ransomware’s new business model
Tags: BlackCat, Conti, Hive, REvil, AgendaCrypt, Black Basta, BlackCat, Brute Ratel C4, Cobalt Strike, Conti, Hive, Mount Locker, Nokoyawa Ransomware, REvil, Ryuk

2022-07-26 | Yoroi | Carmelo Ragusa, Luigi Martire
On the FootSteps of Hive Ransomware
Tags: Hive, Hive

2022-07-22 | Yoroi | Carmelo Ragusa, Luigi Martire
On The Footsteps of Hive Ransomware
Tags: Hive, Hive

2022-07-05 | Microsoft | Microsoft Threat Intelligence Center (MSTIC)
Hive ransomware gets upgrades in Rust
Tags: Hive

2022-06-23 | Kaspersky | Danila Nasonov, Natalya Shornikova, Nikita Nazarov, Vasily Davydov, Vladislav Burtsev
The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)
Tags: BlackByte, BlackCat, Clop, Conti, Hive, LockBit, Mespinoza, RagnarLocker

2022-06-15 | ThreatStop | Ofir Ashman
First Conti, then Hive: Costa Rica gets hit with ransomware again
Tags: Conti, Hive, Conti, Hive

2022-05-20 | AdvIntel | Marley Smith, Vitali Kremez, Yelisey Boguslavskiy
DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape
Tags: AvosLocker, Black Basta, BlackByte, BlackCat, Conti, HelloKitty, Hive

2022-05-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
Tags: AnchorDNS, BlackCat, BlackMatter, Conti, DarkSide, HelloKitty, Hive, LockBit, REvil, FAKEUPDATES, Griffon, ATOMSILO, BazarBackdoor, BlackCat, BlackMatter, Blister, Cobalt Strike, Conti, DarkSide, Emotet, FiveHands, Gozi, HelloKitty, Hive, IcedID, ISFB, JSSLoader, LockBit, LockFile, Maze, NightSky, Pandora, Phobos, Phoenix Locker, PhotoLoader, QakBot, REvil, Rook, Ryuk, SystemBC, TrickBot, WastedLocker, BRONZE STARLIGHT

2022-05-03 | Talos Intelligence | Jon Munshaw
Conti and Hive ransomware operations: What we learned from these groups' victim chats
Tags: Conti, Hive

2022-05-03 | Cisco | Jaime Filson, Kendall McKay, Paul Eubanks
Conti and Hive ransomware operations: Leveraging victim chats for insights
Tags: Conti, Hive

2022-05-02 | Cisco Talos | Jaime Filson, Kendall McKay, Paul Eubanks
Conti and Hive ransomware operations: Leveraging victim chats for insights
Tags: Cobalt Strike, Conti, Hive

2022-04-28 | Symantec | Karthikeyan C Kasiviswanathan, Vishal Kamble
Ransomware: How Attackers are Breaching Corporate Networks
Tags: AvosLocker, Conti, Emotet, Hive, IcedID, PhotoLoader, QakBot, TrickBot

2022-04-21 | Sentinel LABS | Antonis Terefos
Nokoyawa Ransomware | New Karma/Nemty Variant Wears Thin Disguise
Tags: Hive, Karma, Nemty, Nokoyawa Ransomware

2022-04-20 | Bleeping Computer | Bill Toulas
Microsoft Exchange servers hacked to deploy Hive ransomware
Tags: Babuk, BlackByte, Conti, Hive, LockFile

2022-04-19 | Varonis | Nadav Ovadia
Hive Ransomware Analysis
Tags: Cobalt Strike, Hive, MimiKatz

2022-04-18 | AdvIntel | Vitali Kremez, Yelisey Boguslavskiy
Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group
Tags: AvosLocker, BazarBackdoor, BlackByte, BlackCat, Cobalt Strike, HelloKitty, Hive, Karakurt

2022-04-12 | ConnectWise | ConnectWise CRU
Threat Profile: Hive
Tags: Hive

2022-03-31 | SC Media | SC Staff
Novel obfuscation leveraged by Hive ransomware
Tags: Cobalt Strike, Hive

2022-03-30 | Bleeping Computer | Bill Toulas
Hive ransomware uses new 'IPfuscation' trick to hide payload
Tags: Hive

2022-03-30 | The Record | Jonathan Greig
Hive ransomware shuts down California health care organization
Tags: Hive, Hive

2022-03-29 | SentinelOne | Antonis Terefos, James Haughom, Jeff Cavanaugh, Jim Walter, Nick Fox, Shai Tilias
From the Front Lines | Hive Ransomware Deploys Novel IPfuscation Technique To Avoid Detection
Tags: Cobalt Strike, Hive

2022-03-27 | Bleeping Computer | Lawrence Abrams
Hive ransomware ports its Linux VMware ESXi encryptor to Rust
Tags: BlackCat, Hive, Hive

2022-03-18 | Trend Micro | Trend Micro Research
Ransomware Spotlight: Hive
Tags: Hive, Hive

2022-03-16 | Symantec | Symantec Threat Hunter Team
The Ransomware Threat Landscape: What to Expect in 2022
Tags: AvosLocker, BlackCat, BlackMatter, Conti, DarkSide, DoppelPaymer, Emotet, Hive, Karma, Mespinoza, Nemty, Squirrelwaffle, VegaLocker, WastedLocker, Yanluowang, Zeppelin

2022-02-24 | LIFARS | Vlad Pasca
How to Decrypt the Files Encrypted by the Hive Ransomware
Tags: Hive, Hive

2022-02-21 | Security Affairs | Pierluigi Paganini
A flaw in the encryption algorithm of Hive Ransomware allows retrieving encrypted files
Tags: Hive, Hive

2022-02-19 | The Hacker News | Ravie Lakshmanan
Master Key for Hive Ransomware Retrieved Using a Flaw in its Encryption Algorithm
Tags: Hive, Hive

2022-02-18 | Kookmin University | Giyoon Kim, Jongsung Kim, Soojin Kang, Soram Kim
A Method for Decrypting Data Infected with Hive Ransomware
Tags: Hive, Hive

2022-02-18 | The Record | Catalin Cimpanu
Academics publish method for recovering data encrypted by the Hive ransomware
Tags: Hive, Hive

2021-12-16 | INCIBE-CERT | INCIBE
Hive Analysis Study
Tags: Hive

2021-12-09 | Group-IB | Andrey Zhdanov, Dmitry Shestakov
Inside the Hive: Deep dive into Hive RaaS, analysis of latest samples
Tags: Hive, Hive

2021-12-03 | Github (rivitna) | Andrey Zhdanov
Hive Demo and IoCs
Tags: Hive, Hive

2021-09-10 | Netskope | Gustavo Palazolo
Hive Ransomware: Actively Targeting Hospitals
Tags: Hive

2021-08-25 | FBI | FBI
MC-000150-MW: Indicators of Compromise Associated with Hive Ransomware
Tags: Hive

2021-08-24 | Palo Alto Networks Unit 42 | Doel Santos, Ruchna Nigam
Ransomware Groups to Watch: Emerging Threats
Tags: HelloKitty, AvosLocker, HelloKitty, Hive, LockBit

2021-08-23 | Sentinel LABS | Jim Walter, Juan Andrés Guerrero-Saade
Hive Attacks | Analysis of the Human-Operated Ransomware Targeting Healthcare
Tags: Hive
Yara Rules
[TLP:WHITE] win_hive_auto (20230808 | Detects win.hive.)
rule win_hive_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.hive."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hive"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // The auto-generated disassembly comments did not correspond to the
        // bytes in each sequence; they are corrected below (x86/x64 decoding
        // of the bytes shown; e8???????? is a call with a wildcarded rel32).
        $sequence_0 = { 31c0 b91d000000 31d2 31db }
            // n = 4, score = 300
            //   31c0                 | xor                 eax, eax
            //   b91d000000           | mov                 ecx, 0x1d
            //   31d2                 | xor                 edx, edx
            //   31db                 | xor                 ebx, ebx

        $sequence_1 = { b807000000 b9d4000000 31d2 31db }
            // n = 4, score = 300
            //   b807000000           | mov                 eax, 7
            //   b9d4000000           | mov                 ecx, 0xd4
            //   31d2                 | xor                 edx, edx
            //   31db                 | xor                 ebx, ebx

        $sequence_2 = { 89c2 e8???????? b801000000 e8???????? }
            // n = 4, score = 200
            //   89c2                 | mov                 edx, eax
            //   e8????????           | call                (wildcarded rel32)
            //   b801000000           | mov                 eax, 1
            //   e8????????           | call                (wildcarded rel32)

        $sequence_3 = { 31c9 31d2 bb54000000 31f6 }
            // n = 4, score = 200
            //   31c9                 | xor                 ecx, ecx
            //   31d2                 | xor                 edx, edx
            //   bb54000000           | mov                 ebx, 0x54
            //   31f6                 | xor                 esi, esi

        $sequence_4 = { 89d1 e8???????? b802000000 e8???????? }
            // n = 4, score = 200
            //   89d1                 | mov                 ecx, edx
            //   e8????????           | call                (wildcarded rel32)
            //   b802000000           | mov                 eax, 2
            //   e8????????           | call                (wildcarded rel32)

        $sequence_5 = { 31c9 31d2 bb08000000 becb000000 31ff }
            // n = 5, score = 200
            //   31c9                 | xor                 ecx, ecx
            //   31d2                 | xor                 edx, edx
            //   bb08000000           | mov                 ebx, 8
            //   becb000000           | mov                 esi, 0xcb
            //   31ff                 | xor                 edi, edi

        $sequence_6 = { 89d0 b90d000000 e8???????? b90d000000 }
            // n = 4, score = 200
            //   89d0                 | mov                 eax, edx
            //   b90d000000           | mov                 ecx, 0xd
            //   e8????????           | call                (wildcarded rel32)
            //   b90d000000           | mov                 ecx, 0xd

        $sequence_7 = { 31db 31ff eb31 31c0 }
            // n = 4, score = 200
            //   31db                 | xor                 ebx, ebx
            //   31ff                 | xor                 edi, edi
            //   eb31                 | jmp                 +0x31 (short)
            //   31c0                 | xor                 eax, eax

        $sequence_8 = { 31ff e8???????? 833d????????00 7511 }
            // n = 4, score = 200
            //   31ff                 | xor                 edi, edi
            //   e8????????           | call                (wildcarded rel32)
            //   833d????????00       | cmp                 dword ptr [disp32], 0
            //   7511                 | jne                 +0x11 (short)

        $sequence_9 = { 89d1 e8???????? b901000000 e8???????? }
            // n = 4, score = 200
            //   89d1                 | mov                 ecx, edx
            //   e8????????           | call                (wildcarded rel32)
            //   b901000000           | mov                 ecx, 1
            //   e8????????           | call                (wildcarded rel32)

        $sequence_10 = { 81c4b0000000 c3 e8???????? 90 }
            // n = 4, score = 200
            //   81c4b0000000         | add                 esp, 0xb0
            //   c3                   | ret                 
            //   e8????????           | call                (wildcarded rel32)
            //   90                   | nop                 

        $sequence_11 = { 31c9 31d2 bb09000000 bee0000000 }
            // n = 4, score = 200
            //   31c9                 | xor                 ecx, ecx
            //   31d2                 | xor                 edx, edx
            //   bb09000000           | mov                 ebx, 9
            //   bee0000000           | mov                 esi, 0xe0

        $sequence_12 = { 31c0 eb17 0fb6940496000000 0fb674041c 31d6 }
            // n = 5, score = 200
            //   31c0                 | xor                 eax, eax
            //   eb17                 | jmp                 +0x17 (short)
            //   0fb6940496000000     | movzx               edx, byte ptr [esp + eax + 0x96]
            //   0fb674041c           | movzx               esi, byte ptr [esp + eax + 0x1c]
            //   31d6                 | xor                 esi, edx

        $sequence_13 = { 01c1 83c101 83f90c 0f820fffffff }
            // n = 4, score = 100
            //   01c1                 | add                 ecx, eax
            //   83c101               | add                 ecx, 1
            //   83f90c               | cmp                 ecx, 0xc
            //   0f820fffffff         | jb                  -0xf1 (near)

        $sequence_14 = { 01c1 c1e106 400fb6d6 01ca }
            // n = 4, score = 100
            //   01c1                 | add                 ecx, eax
            //   c1e106               | shl                 ecx, 6
            //   400fb6d6             | movzx               edx, sil
            //   01ca                 | add                 edx, ecx

        $sequence_15 = { 01c8 c1e006 400fb6cf 01c1 }
            // n = 4, score = 100
            //   01c8                 | add                 eax, ecx
            //   c1e006               | shl                 eax, 6
            //   400fb6cf             | movzx               ecx, dil
            //   01c1                 | add                 ecx, eax

        $sequence_16 = { 01c1 c1e106 0fb6c2 01c8 }
            // n = 4, score = 100
            //   01c1                 | add                 ecx, eax
            //   c1e106               | shl                 ecx, 6
            //   0fb6c2               | movzx               eax, dl
            //   01c8                 | add                 eax, ecx

        $sequence_17 = { 01c2 b8ffffff03 21c5 21c3 }
            // n = 4, score = 100
            //   01c2                 | add                 edx, eax
            //   b8ffffff03           | mov                 eax, 0x3ffffff
            //   21c5                 | and                 ebp, eax
            //   21c3                 | and                 ebx, eax

        $sequence_18 = { 01c0 4000f8 0fb6c0 48898424b0000000 }
            // n = 4, score = 100
            //   01c0                 | add                 eax, eax
            //   4000f8               | add                 al, dil
            //   0fb6c0               | movzx               eax, al
            //   48898424b0000000     | mov                 qword ptr [rsp + 0xb0], rax

        $sequence_19 = { 01ca c1e206 0fb6c3 01d0 }
            // n = 4, score = 100
            //   01ca                 | add                 edx, ecx
            //   c1e206               | shl                 edx, 6
            //   0fb6c3               | movzx               eax, bl
            //   01d0                 | add                 eax, edx

        $sequence_20 = { 01c8 89c1 c1e91f ffc9 }
            // n = 4, score = 100
            //   01c8                 | add                 eax, ecx
            //   89c1                 | mov                 ecx, eax
            //   c1e91f               | shr                 ecx, 0x1f
            //   ffc9                 | dec                 ecx

    condition:
        7 of them and filesize < 7946240
}
[TLP:WHITE] win_hive_w0   (20211222 | Hive v3 ransomware Windows/Linux/FreeBSD payload)
rule win_hive_w0 {
    meta:
        author = "rivitna"
        family = "ransomware.hive"
        description = "Hive v3 ransomware Windows/Linux/FreeBSD payload"
        source = "https://github.com/rivitna/Malware/blob/main/Hive/Hive.yar"
        severity = 10
        score = 100
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hive"
        malpedia_rule_date = "20211222"
        malpedia_hash = ""
        malpedia_version = "20211222"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $h0 = { B? 03 52 DA 8D [6-12] 69 ?? 00 70 0E 00 [14-20]
                8D ?? 00 90 01 00 }
        $h1 = { B? 37 48 60 80 [4-12] 69 ?? 00 F4 0F 00 [2-10]
                8D ?? 00 0C 00 00 }
        $h2 = { B? 3E 0A D7 A3 [2-6] C1 E? ( 0F | 2F 4?)
                69 ?? 00 90 01 00 }

        $x0 = { C6 84 24 ?? 00 00 00 FF [0-14] 89 ?? 24 ?? 00 00 00 [0-6]
                89 ?? 24 ?? 0? 00 00 [0-20] C6 84 24 ?? 0? 00 00 34 }
        $x1 = { C6 44 24 ?? FF [0-14] 89 ?? 24 ?? [0-6] 89 ?? 24 ?? [0-12]
                C6 84 24 ?? 00 00 00 34 }

    condition:
        // File must be a PE ("MZ" DOS stub and "PE\0\0" at e_lfanew) or an
        // ELF ("\x7FELF" magic), covering the Windows, Linux and FreeBSD builds.
        (((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) or
         (uint32(0) == 0x464C457F)) and
        (
            // two of the constant-based code patterns, or one of the
            // stack-buffer initialisation patterns
            (2 of ($h*)) or (1 of ($x*))
        )
}