win.hive

Hive


Ransomware used in double-extortion schemes; first encountered in June 2021.

References
2022-05-20AdvIntelYelisey Boguslavskiy, Vitali Kremez, Marley Smith
@online{boguslavskiy:20220520:discontinued:de13f97, author = {Yelisey Boguslavskiy and Vitali Kremez and Marley Smith}, title = {{DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape}}, date = {2022-05-20}, organization = {AdvIntel}, url = {https://www.advintel.io/post/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape}, language = {English}, urldate = {2022-05-25} } DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape
AvosLocker Black Basta BlackByte BlackCat Conti HelloKitty Hive
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker
2022-05-03Talos IntelligenceJON MUNSHAW
@online{munshaw:20220503:conti:ae16fc1, author = {JON MUNSHAW}, title = {{Conti and Hive ransomware operations: What we learned from these groups' victim chats}}, date = {2022-05-03}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2022/05/conti-and-hive-ransomware-operations.html}, language = {English}, urldate = {2022-05-04} } Conti and Hive ransomware operations: What we learned from these groups' victim chats
Conti Hive
2022-05-03CiscoKendall McKay, Paul Eubanks., JAIME FILSON
@online{mckay:20220503:conti:c764c61, author = {Kendall McKay and Paul Eubanks. and JAIME FILSON}, title = {{Conti and Hive ransomware operations: Leveraging victim chats for insights}}, date = {2022-05-03}, organization = {Cisco}, url = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf?1651576098}, language = {English}, urldate = {2022-05-04} } Conti and Hive ransomware operations: Leveraging victim chats for insights
Conti Hive
2022-05-02Cisco TalosKendall McKay, Paul Eubanks, JAIME FILSON
@techreport{mckay:20220502:conti:330e34b, author = {Kendall McKay and Paul Eubanks and JAIME FILSON}, title = {{Conti and Hive ransomware operations: Leveraging victim chats for insights}}, date = {2022-05-02}, institution = {Cisco Talos}, url = {https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/787/original/ransomware-chats.pdf}, language = {English}, urldate = {2022-05-04} } Conti and Hive ransomware operations: Leveraging victim chats for insights
Cobalt Strike Conti Hive
2022-04-28SymantecKarthikeyan C Kasiviswanathan, Vishal Kamble
@online{kasiviswanathan:20220428:ransomware:95feafb, author = {Karthikeyan C Kasiviswanathan and Vishal Kamble}, title = {{Ransomware: How Attackers are Breaching Corporate Networks}}, date = {2022-04-28}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker}, language = {English}, urldate = {2022-05-04} } Ransomware: How Attackers are Breaching Corporate Networks
AvosLocker Conti Emotet Hive IcedID PhotoLoader QakBot TrickBot
2022-04-21Sentinel LABSAntonis Terefos
@online{terefos:20220421:nokoyawa:72ae5e2, author = {Antonis Terefos}, title = {{Nokoyawa Ransomware | New Karma/Nemty Variant Wears Thin Disguise}}, date = {2022-04-21}, organization = {Sentinel LABS}, url = {https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/}, language = {English}, urldate = {2022-04-24} } Nokoyawa Ransomware | New Karma/Nemty Variant Wears Thin Disguise
Hive Karma Nemty Nokoyawa Ransomware
2022-04-20Bleeping ComputerBill Toulas
@online{toulas:20220420:microsoft:c1073df, author = {Bill Toulas}, title = {{Microsoft Exchange servers hacked to deploy Hive ransomware}}, date = {2022-04-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/}, language = {English}, urldate = {2022-04-24} } Microsoft Exchange servers hacked to deploy Hive ransomware
Babuk BlackByte Conti Hive LockFile
2022-04-19VaronisNadav Ovadia
@online{ovadia:20220419:hive:51c5eb7, author = {Nadav Ovadia}, title = {{Hive Ransomware Analysis}}, date = {2022-04-19}, organization = {Varonis}, url = {https://www.varonis.com/blog/hive-ransomware-analysis}, language = {English}, urldate = {2022-04-25} } Hive Ransomware Analysis
Cobalt Strike Hive MimiKatz
2022-04-18AdvIntelVitali Kremez, Yelisey Boguslavskiy
@online{kremez:20220418:enter:2f9b689, author = {Vitali Kremez and Yelisey Boguslavskiy}, title = {{Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group}}, date = {2022-04-18}, organization = {AdvIntel}, url = {https://www.advintel.io/post/enter-karakurt-data-extortion-arm-of-prolific-ransomware-group}, language = {English}, urldate = {2022-05-17} } Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group
AvosLocker BazarBackdoor BlackByte BlackCat Cobalt Strike HelloKitty Hive
2022-04-12ConnectWiseConnectWise CRU
@online{cru:20220412:threat:ea9a60f, author = {ConnectWise CRU}, title = {{Threat Profile: Hive}}, date = {2022-04-12}, organization = {ConnectWise}, url = {https://www.connectwise.com/resources/hive-profile}, language = {English}, urldate = {2022-04-13} } Threat Profile: Hive
Hive
2022-03-31SC MediaSC Staff
@online{staff:20220331:novel:ef704af, author = {SC Staff}, title = {{Novel obfuscation leveraged by Hive ransomware}}, date = {2022-03-31}, organization = {SC Media}, url = {https://www.scmagazine.com/brief/breach/novel-obfuscation-leveraged-by-hive-ransomware}, language = {English}, urldate = {2022-04-05} } Novel obfuscation leveraged by Hive ransomware
Cobalt Strike Hive
2022-03-30The RecordJonathan Greig
@online{greig:20220330:hive:b23a103, author = {Jonathan Greig}, title = {{Hive ransomware shuts down California health care organization}}, date = {2022-03-30}, organization = {The Record}, url = {https://therecord.media/hive-ransomware-shuts-down-california-health-care-organization/}, language = {English}, urldate = {2022-03-31} } Hive ransomware shuts down California health care organization
Hive Hive
2022-03-30Bleeping ComputerBill Toulas
@online{toulas:20220330:hive:2c0ba4d, author = {Bill Toulas}, title = {{Hive ransomware uses new 'IPfuscation' trick to hide payload}}, date = {2022-03-30}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hive-ransomware-uses-new-ipfuscation-trick-to-hide-payload/}, language = {English}, urldate = {2022-03-31} } Hive ransomware uses new 'IPfuscation' trick to hide payload
Hive
2022-03-29SentinelOneJames Haughom, Antonis Terefos, Jim Walter, Jeff Cavanaugh, Nick Fox, Shai Tilias
@online{haughom:20220329:from:5e4b8cc, author = {James Haughom and Antonis Terefos and Jim Walter and Jeff Cavanaugh and Nick Fox and Shai Tilias}, title = {{From the Front Lines | Hive Ransomware Deploys Novel IPfuscation Technique To Avoid Detection}}, date = {2022-03-29}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/hive-ransomware-deploys-novel-ipfuscation-technique/}, language = {English}, urldate = {2022-03-31} } From the Front Lines | Hive Ransomware Deploys Novel IPfuscation Technique To Avoid Detection
Cobalt Strike Hive
2022-03-27Bleeping ComputerLawrence Abrams
@online{abrams:20220327:hive:4b2408f, author = {Lawrence Abrams}, title = {{Hive ransomware ports its Linux VMware ESXi encryptor to Rust}}, date = {2022-03-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/}, language = {English}, urldate = {2022-03-29} } Hive ransomware ports its Linux VMware ESXi encryptor to Rust
BlackCat Hive Hive
2022-03-18Trend MicroTrend Micro Research
@online{research:20220318:ransomware:db77bd2, author = {Trend Micro Research}, title = {{Ransomware Spotlight: Hive}}, date = {2022-03-18}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-hive}, language = {English}, urldate = {2022-03-28} } Ransomware Spotlight: Hive
Hive Hive
2022-03-16SymantecSymantec Threat Hunter Team
@techreport{team:20220316:ransomware:1c2a72a, author = {Symantec Threat Hunter Team}, title = {{The Ransomware Threat Landscape: What to Expect in 2022}}, date = {2022-03-16}, institution = {Symantec}, url = {https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf}, language = {English}, urldate = {2022-03-22} } The Ransomware Threat Landscape: What to Expect in 2022
AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin
2022-02-24LIFARSVlad Pasca
@online{pasca:20220224:how:77b74bc, author = {Vlad Pasca}, title = {{How to Decrypt the Files Encrypted by the Hive Ransomware}}, date = {2022-02-24}, organization = {LIFARS}, url = {https://lifars.com/2022/02/how-to-decrypt-the-files-encrypted-by-the-hive-ransomware/}, language = {English}, urldate = {2022-03-01} } How to Decrypt the Files Encrypted by the Hive Ransomware
Hive Hive
2022-02-21Security AffairsPierluigi Paganini
@online{paganini:20220221:flaw:0b723b0, author = {Pierluigi Paganini}, title = {{A flaw in the encryption algorithm of Hive Ransomware allows retrieving encrypted files}}, date = {2022-02-21}, organization = {Security Affairs}, url = {https://securityaffairs.co/wordpress/128232/security/recover-files-hive-ransomware.html}, language = {English}, urldate = {2022-02-26} } A flaw in the encryption algorithm of Hive Ransomware allows retrieving encrypted files
Hive Hive
2022-02-19The Hacker NewsRavie Lakshmanan
@online{lakshmanan:20220219:master:8d77715, author = {Ravie Lakshmanan}, title = {{Master Key for Hive Ransomware Retrieved Using a Flaw in its Encryption Algorithm}}, date = {2022-02-19}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/02/master-key-for-hive-ransomware.html}, language = {English}, urldate = {2022-02-26} } Master Key for Hive Ransomware Retrieved Using a Flaw in its Encryption Algorithm
Hive Hive
2022-02-18The RecordCatalin Cimpanu
@online{cimpanu:20220218:academics:d2f3045, author = {Catalin Cimpanu}, title = {{Academics publish method for recovering data encrypted by the Hive ransomware}}, date = {2022-02-18}, organization = {The Record}, url = {https://therecord.media/academics-publish-method-for-recovering-data-encrypted-by-the-hive-ransomware/}, language = {English}, urldate = {2022-02-19} } Academics publish method for recovering data encrypted by the Hive ransomware
Hive Hive
2022-02-18Kookmin UniversityGiyoon Kim, Soram Kim, Soojin Kang, Jongsung Kim
@techreport{kim:20220218:method:4b41876, author = {Giyoon Kim and Soram Kim and Soojin Kang and Jongsung Kim}, title = {{A Method for Decrypting Data Infected with Hive Ransomware}}, date = {2022-02-18}, institution = {Kookmin University}, url = {https://arxiv.org/pdf/2202.08477.pdf}, language = {English}, urldate = {2022-02-19} } A Method for Decrypting Data Infected with Hive Ransomware
Hive Hive
2021-12-16INCIBE-CERTINCIBE
@techreport{incibe:20211216:hive:22d0add, author = {INCIBE}, title = {{Hive Analysis Study}}, date = {2021-12-16}, institution = {INCIBE-CERT}, url = {https://www.incibe-cert.es/sites/default/files/contenidos/estudios/doc/incibe-cert_estudio_analisis_hive_2021_v1.pdf}, language = {Spanish}, urldate = {2022-01-25} } Hive Analysis Study
Hive
2021-12-09Group-IBDmitry Shestakov, Andrey Zhdanov
@online{shestakov:20211209:inside:2dc8bd6, author = {Dmitry Shestakov and Andrey Zhdanov}, title = {{Inside the Hive: Deep dive into Hive RaaS, analysis of latest samples}}, date = {2021-12-09}, organization = {Group-IB}, url = {https://blog.group-ib.com/hive}, language = {English}, urldate = {2022-01-24} } Inside the Hive: Deep dive into Hive RaaS, analysis of latest samples
Hive Hive
2021-12-03Github (rivitna)Andrey Zhdanov
@online{zhdanov:20211203:hive:7d25585, author = {Andrey Zhdanov}, title = {{Hive Demo and IoCs}}, date = {2021-12-03}, organization = {Github (rivitna)}, url = {https://github.com/rivitna/Malware/tree/main/Hive}, language = {English}, urldate = {2021-12-22} } Hive Demo and IoCs
Hive Hive
2021-09-10NetskopeGustavo Palazolo
@online{palazolo:20210910:hive:e875859, author = {Gustavo Palazolo}, title = {{Hive Ransomware: Actively Targeting Hospitals}}, date = {2021-09-10}, organization = {Netskope}, url = {https://www.netskope.com/blog/hive-ransomware-actively-targeting-hospitals}, language = {English}, urldate = {2021-09-14} } Hive Ransomware: Actively Targeting Hospitals
Hive
2021-08-25FBIFBI
@techreport{fbi:20210825:mc000150mw:39f2584, author = {FBI}, title = {{MC-000150-MW: Indicators of Compromise Associated with Hive Ransomware}}, date = {2021-08-25}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/210825.pdf}, language = {English}, urldate = {2021-08-30} } MC-000150-MW: Indicators of Compromise Associated with Hive Ransomware
Hive
2021-08-24Palo Alto Networks Unit 42Ruchna Nigam, Doel Santos
@online{nigam:20210824:ransomware:dfd3e4b, author = {Ruchna Nigam and Doel Santos}, title = {{Ransomware Groups to Watch: Emerging Threats}}, date = {2021-08-24}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/emerging-ransomware-groups/}, language = {English}, urldate = {2021-08-24} } Ransomware Groups to Watch: Emerging Threats
HelloKitty AvosLocker HelloKitty Hive LockBit
2021-08-23Sentinel LABSJim Walter, Juan Andrés Guerrero-Saade
@online{walter:20210823:hive:5a17aae, author = {Jim Walter and Juan Andrés Guerrero-Saade}, title = {{Hive Attacks | Analysis of the Human-Operated Ransomware Targeting Healthcare}}, date = {2021-08-23}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/hive-attacks-analysis-of-the-human-operated-ransomware-targeting-healthcare/}, language = {English}, urldate = {2021-08-25} } Hive Attacks | Analysis of the Human-Operated Ransomware Targeting Healthcare
Hive
Yara Rules
[TLP:WHITE] win_hive_auto (20220411 | Detects win.hive.)
rule win_hive_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.hive."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hive"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // Reading the strings below: each $sequence_N is a run of four x86
    // instructions (n = 4) taken as raw bytes from the sample's disassembly,
    // which is reproduced instruction-by-instruction in the comments under each
    // string. "score" is yara-signator's ranking value for the sequence; the
    // strings are listed in descending score order. Wildcarded bytes
    // (????????) stand in for the 4-byte relative displacement of e8 (call)
    // instructions, so the patterns do not depend on where the callee lives.
    // Several sequences share one shape -- mov eax, N / mov ecx, M /
    // xor edx, edx / xor ebx, ebx. Such short constant-loading sequences are
    // not individually unique, so treat a single-string hit as weak evidence;
    // the condition requires 7 of the 12 to fire.

    strings:
        $sequence_0 = { 31c0 31c9 31d2 bb06000000 }
            // n = 4, score = 300
            //   31c0                 | xor                 eax, eax
            //   31c9                 | xor                 ecx, ecx
            //   31d2                 | xor                 edx, edx
            //   bb06000000           | mov                 ebx, 6

        $sequence_1 = { 31c0 b9e4000000 31d2 31db }
            // n = 4, score = 300
            //   31c0                 | xor                 eax, eax
            //   b9e4000000           | mov                 ecx, 0xe4
            //   31d2                 | xor                 edx, edx
            //   31db                 | xor                 ebx, ebx

        $sequence_2 = { b807000000 b9d4000000 31d2 31db }
            // n = 4, score = 300
            //   b807000000           | mov                 eax, 7
            //   b9d4000000           | mov                 ecx, 0xd4
            //   31d2                 | xor                 edx, edx
            //   31db                 | xor                 ebx, ebx

        $sequence_3 = { b804000000 b9df000000 31d2 31db }
            // n = 4, score = 300
            //   b804000000           | mov                 eax, 4
            //   b9df000000           | mov                 ecx, 0xdf
            //   31d2                 | xor                 edx, edx
            //   31db                 | xor                 ebx, ebx

        $sequence_4 = { 83c440 c3 e8???????? 90 }
            // n = 4, score = 200
            //   83c440               | add                 esp, 0x40
            //   c3                   | ret                 
            //   e8????????           |                     
            //   90                   | nop                 

        $sequence_5 = { b803000000 b9b6000000 31d2 31db }
            // n = 4, score = 200
            //   b803000000           | mov                 eax, 3
            //   b9b6000000           | mov                 ecx, 0xb6
            //   31d2                 | xor                 edx, edx
            //   31db                 | xor                 ebx, ebx

        $sequence_6 = { 83c420 c3 b905000000 e8???????? }
            // n = 4, score = 200
            //   83c420               | add                 esp, 0x20
            //   c3                   | ret                 
            //   b905000000           | mov                 ecx, 5
            //   e8????????           |                     

        $sequence_7 = { b809000000 b90b000000 31d2 31db }
            // n = 4, score = 200
            //   b809000000           | mov                 eax, 9
            //   b90b000000           | mov                 ecx, 0xb
            //   31d2                 | xor                 edx, edx
            //   31db                 | xor                 ebx, ebx

        $sequence_8 = { b805000000 b924000000 31d2 31db }
            // n = 4, score = 200
            //   b805000000           | mov                 eax, 5
            //   b924000000           | mov                 ecx, 0x24
            //   31d2                 | xor                 edx, edx
            //   31db                 | xor                 ebx, ebx

        $sequence_9 = { 39b100000000 750a e8???????? e8???????? }
            // n = 4, score = 200
            //   39b100000000         | cmp                 dword ptr [ecx], esi
            //   750a                 | jne                 0xc
            //   e8????????           |                     
            //   e8????????           |                     

        $sequence_10 = { b801000000 b9ca000000 31d2 31db }
            // n = 4, score = 200
            //   b801000000           | mov                 eax, 1
            //   b9ca000000           | mov                 ecx, 0xca
            //   31d2                 | xor                 edx, edx
            //   31db                 | xor                 ebx, ebx

        $sequence_11 = { 89c2 e8???????? b801000000 e8???????? }
            // n = 4, score = 200
            //   89c2                 | mov                 edx, eax
            //   e8????????           |                     
            //   b801000000           | mov                 eax, 1
            //   e8????????           |                     

    condition:
        // At least 7 of the 12 code sequences must be present, and the scanned
        // file must be smaller than 7946240 bytes (~7.6 MiB). The exact bound is
        // not explained here -- presumably derived from the sample set; it also
        // keeps the rule off very large files.
        7 of them and filesize < 7946240
}
[TLP:WHITE] win_hive_w0   (20211222 | Hive v3 ransomware Windows/Linux/FreeBSD payload)
rule win_hive_w0 {
    meta:
        author = "rivitna"
        family = "ransomware.hive"
        description = "Hive v3 ransomware Windows/Linux/FreeBSD payload"
        source = "https://github.com/rivitna/Malware/blob/main/Hive/Hive.yar"
        severity = 10
        score = 100
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hive"
        malpedia_rule_date = "20211222"
        // Left empty in the Malpedia import; the maintained copy of this rule is
        // at the 'source' URL above.
        malpedia_hash = ""
        malpedia_version = "20211222"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // $h0-$h2: a 32-bit immediate loaded with mov r32, imm32 (opcode B?),
        // then -- after a bounded jump [min-max] of unspecified bytes -- an
        // imul r32, r/m32, imm32 (opcode 69). $h0/$h1 end with a lea (8D) of a
        // fixed immediate; $h2 uses a shift (C1 E?) before its imul.
        // NOTE(review): the role of these constants is not documented here;
        // confirm against the rivitna source before attributing meaning to them.
        $h0 = { B? 03 52 DA 8D [6-12] 69 ?? 00 70 0E 00 [14-20]
                8D ?? 00 90 01 00 }
        $h1 = { B? 37 48 60 80 [4-12] 69 ?? 00 F4 0F 00 [2-10]
                8D ?? 00 0C 00 00 }
        $h2 = { B? 3E 0A D7 A3 [2-6] C1 E? ( 0F | 2F 4?)
                69 ?? 00 90 01 00 }

        // $x0/$x1: byte stores to stack slots (C6 84 24 = mov byte ptr
        // [esp+disp32], imm8; C6 44 24 = the disp8 form) writing 0xFF first and
        // 0x34 last, interleaved with 89 ?? 24 (mov [esp+disp], r32) spills.
        // Presumably a value assembled on the stack; confirm against the source.
        $x0 = { C6 84 24 ?? 00 00 00 FF [0-14] 89 ?? 24 ?? 00 00 00 [0-6]
                89 ?? 24 ?? 0? 00 00 [0-20] C6 84 24 ?? 0? 00 00 34 }
        $x1 = { C6 44 24 ?? FF [0-14] 89 ?? 24 ?? [0-6] 89 ?? 24 ?? [0-12]
                C6 84 24 ?? 00 00 00 34 }

    condition:
        // File-format gate: a PE (MZ at offset 0 and "PE\0\0" at e_lfanew, the
        // dword at 0x3C) or an ELF (0x7F 'E' 'L' 'F' magic), matching the
        // Windows/Linux/FreeBSD coverage stated in the description.
        (((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) or
         (uint32(0) == 0x464C457F)) and
        (
            // Two of the three $h patterns, or any single $x pattern, is enough.
            (2 of ($h*)) or (1 of ($x*))
        )
}