Hive (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.hive (Back to overview)

Hive

VTCollection

Hive is a strain of ransomware that was first discovered in June 2021. Hive was designed to be used by Ransomware-as-a-service providers, to enable novice cyber-criminals to launch ransomware attacks on healthcare providers, energy providers, charities, and retailers across the globe.
In 2022 there was a switch from GoLang to Rust.

References

2023-12-22 ⋅ PRODAFT ⋅ PRODAFT
Smoke and Mirrors: Understanding The Workings of Wazawaka
Conti Monti Babuk Hive LockBit RagnarLocker Trigona

2023-09-12 ⋅ ⋅ ANSSI ⋅ ANSSI
FIN12: A Cybercriminal Group with Multiple Ransomware
BlackCat Cobalt Strike Conti Hive MimiKatz Nokoyawa Ransomware PLAY Royal Ransom Ryuk SystemBC

2023-05-16 ⋅ KrebsOnSecurity ⋅ Brian Krebs
Russian Hacker “Wazawaka” Indicted for Ransomware
Babuk Hive LockBit LockBit Babuk Hive LockBit

2023-04-18 ⋅ Mandiant ⋅ Mandiant
M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate

2023-02-02 ⋅ Kroll ⋅ Elio Biasiotto, Stephen Green
Hive Ransomware Technical Analysis and Initial Access Discovery
BATLOADER Cobalt Strike Hive

2023-01-11 ⋅ Rapid7 Labs ⋅ Eoin Miller
Increasing The Sting of HIVE Ransomware
Hive

2022-11-28 ⋅ Github (reecdeep) ⋅ reecdeep
HiveV5 file decryptor PoC
Hive Hive

2022-11-21 ⋅ Malwarebytes ⋅ Malwarebytes
2022-11-21 Threat Intel Report
404 Keylogger Agent Tesla Formbook Hive Remcos

2022-08-22 ⋅ Microsoft ⋅ Microsoft
Extortion Economics - Ransomware’s new business model
BlackCat Conti Hive REvil AgendaCrypt Black Basta BlackCat Brute Ratel C4 Cobalt Strike Conti Hive Mount Locker Nokoyawa Ransomware REvil Ryuk

2022-07-26 ⋅ Yoroi ⋅ Carmelo Ragusa, Luigi Martire
On the FootSteps of Hive Ransomware
Hive Hive

2022-07-22 ⋅ Yoroi ⋅ Carmelo Ragusa, Luigi Martire
On The Footsteps of Hive Ransomware
Hive Hive

2022-07-05 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center (MSTIC)
Hive ransomware gets upgrades in Rust
Hive

2022-06-23 ⋅ Kaspersky ⋅ Danila Nasonov, Natalya Shornikova, Nikita Nazarov, Vasily Davydov, Vladislav Burtsev
The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)
BlackByte BlackCat Clop Conti Hive LockBit Mespinoza RagnarLocker

2022-06-15 ⋅ ThreatStop ⋅ Ofir Ashman
First Conti, then Hive: Costa Rica gets hit with ransomware again
Conti Hive Conti Hive

2022-05-20 ⋅ AdvIntel ⋅ Marley Smith, Vitali Kremez, Yelisey Boguslavskiy
DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape
AvosLocker Black Basta BlackByte BlackCat Conti HelloKitty Hive

2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT

2022-05-03 ⋅ Talos Intelligence ⋅ JON MUNSHAW
Conti and Hive ransomware operations: What we learned from these groups' victim chats
Conti Hive

2022-05-03 ⋅ Cisco ⋅ JAIME FILSON, Kendall McKay, Paul Eubanks.
Conti and Hive ransomware operations: Leveraging victim chats for insights
Conti Hive

2022-05-02 ⋅ Cisco Talos ⋅ JAIME FILSON, Kendall McKay, Paul Eubanks
Conti and Hive ransomware operations: Leveraging victim chats for insights
Cobalt Strike Conti Hive

2022-04-28 ⋅ Symantec ⋅ Karthikeyan C Kasiviswanathan, Vishal Kamble
Ransomware: How Attackers are Breaching Corporate Networks
AvosLocker Conti Emotet Hive IcedID PhotoLoader QakBot TrickBot

2022-04-21 ⋅ Sentinel LABS ⋅ Antonis Terefos
Nokoyawa Ransomware | New Karma/Nemty Variant Wears Thin Disguise
Hive Karma Nemty Nokoyawa Ransomware

2022-04-20 ⋅ Bleeping Computer ⋅ Bill Toulas
Microsoft Exchange servers hacked to deploy Hive ransomware
Babuk BlackByte Conti Hive LockFile

2022-04-19 ⋅ Varonis ⋅ Nadav Ovadia
Hive Ransomware Analysis
Cobalt Strike Hive MimiKatz

2022-04-18 ⋅ AdvIntel ⋅ Vitali Kremez, Yelisey Boguslavskiy
Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group
AvosLocker BazarBackdoor BlackByte BlackCat Cobalt Strike HelloKitty Hive Karakurt

2022-04-12 ⋅ ConnectWise ⋅ ConnectWise CRU
Threat Profile: Hive
Hive

2022-03-31 ⋅ SC Media ⋅ SC Staff
Novel obfuscation leveraged by Hive ransomware
Cobalt Strike Hive

2022-03-30 ⋅ Bleeping Computer ⋅ Bill Toulas
Hive ransomware uses new 'IPfuscation' trick to hide payload
Hive

2022-03-30 ⋅ The Record ⋅ Jonathan Greig
Hive ransomware shuts down California health care organization
Hive Hive

2022-03-29 ⋅ SentinelOne ⋅ Antonis Terefos, James Haughom, Jeff Cavanaugh, Jim Walter, Nick Fox, Shai Tilias
From the Front Lines | Hive Ransomware Deploys Novel IPfuscation Technique To Avoid Detection
Cobalt Strike Hive

2022-03-27 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Hive ransomware ports its Linux VMware ESXi encryptor to Rust
BlackCat Hive Hive

2022-03-18 ⋅ Trend Micro ⋅ Trend Micro Research
Ransomware Spotlight: Hive
Hive Hive

2022-03-16 ⋅ Symantec ⋅ Symantec Threat Hunter Team
The Ransomware Threat Landscape: What to Expect in 2022
AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin

2022-02-24 ⋅ LIFARS ⋅ Vlad Pasca
How to Decrypt the Files Encrypted by the Hive Ransomware
Hive Hive

2022-02-21 ⋅ Security Affairs ⋅ Pierluigi Paganini
A flaw in the encryption algorithm of Hive Ransomware allows retrieving encrypted files
Hive Hive

2022-02-19 ⋅ The Hacker News ⋅ Ravie Lakshmanan
Master Key for Hive Ransomware Retrieved Using a Flaw in its Encryption Algorithm
Hive Hive

2022-02-18 ⋅ Kookmin University ⋅ Giyoon Kim, Jongsung Kim, Soojin Kang, Soram Kim
A Method for Decrypting Data Infected with Hive Ransomware
Hive Hive

2022-02-18 ⋅ The Record ⋅ Catalin Cimpanu
Academics publish method for recovering data encrypted by the Hive ransomware
Hive Hive

2021-12-16 ⋅ ⋅ INCIBE-CERT ⋅ INCIBE
Hive Analysis Study
Hive

2021-12-09 ⋅ Group-IB ⋅ Andrey Zhdanov, Dmitry Shestakov
Inside the Hive: Deep dive into Hive RaaS, analysis of latest samples
Hive Hive

2021-12-03 ⋅ Github (rivitna) ⋅ Andrey Zhdanov
Hive Demo and IoCs
Hive Hive

2021-09-10 ⋅ Netskope ⋅ Gustavo Palazolo
Hive Ransomware: Actively Targeting Hospitals
Hive

2021-08-25 ⋅ FBI ⋅ FBI
MC-000150-MW: Indicators of Compromise Associated with Hive Ransomware
Hive

2021-08-24 ⋅ Palo Alto Networks Unit 42 ⋅ Doel Santos, Ruchna Nigam
Ransomware Groups to Watch: Emerging Threats
HelloKitty AvosLocker HelloKitty Hive LockBit

2021-08-23 ⋅ Sentinel LABS ⋅ Jim Walter, Juan Andrés Guerrero-Saade
Hive Attacks | Analysis of the Human-Operated Ransomware Targeting Healthcare
Hive

Yara Rules

[TLP:WHITE] win_hive_auto (20230808 | Detects win.hive.)

rule win_hive_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.hive."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hive"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 31c0 b91d000000 31d2 31db }
            // n = 4, score = 300
            //   31c0                 | inc                 eax
            //   b91d000000           | movzx               ecx, bh
            //   31d2                 | add                 ecx, eax
            //   31db                 | shl                 ecx, 6

        $sequence_1 = { b807000000 b9d4000000 31d2 31db }
            // n = 4, score = 300
            //   b807000000           | inc                 eax
            //   b9d4000000           | movzx               edx, dh
            //   31d2                 | add                 eax, ecx
            //   31db                 | shl                 eax, 6

        $sequence_2 = { 89c2 e8???????? b801000000 e8???????? }
            // n = 4, score = 200
            //   89c2                 | dec                 ebp
            //   e8????????           |                     
            //   b801000000           | test                edi, edi
            //   e8????????           |                     

        $sequence_3 = { 31c9 31d2 bb54000000 31f6 }
            // n = 4, score = 200
            //   31c9                 | xor                 ebx, ebx
            //   31d2                 | xor                 edi, edi
            //   bb54000000           | jmp                 0x37
            //   31f6                 | xor                 eax, eax

        $sequence_4 = { 89d1 e8???????? b802000000 e8???????? }
            // n = 4, score = 200
            //   89d1                 | dec                 ebp
            //   e8????????           |                     
            //   b802000000           | test                edi, edi
            //   e8????????           |                     

        $sequence_5 = { 31c9 31d2 bb08000000 becb000000 31ff }
            // n = 5, score = 200
            //   31c9                 | nop                 
            //   31d2                 | add                 esp, 0xb0
            //   bb08000000           | ret                 
            //   becb000000           | nop                 
            //   31ff                 | ret                 

        $sequence_6 = { 89d0 b90d000000 e8???????? b90d000000 }
            // n = 4, score = 200
            //   89d0                 | shl                 edx, 6
            //   b90d000000           | movzx               eax, bl
            //   e8????????           |                     
            //   b90d000000           | add                 eax, edx

        $sequence_7 = { 31db 31ff eb31 31c0 }
            // n = 4, score = 200
            //   31db                 | mov                 ecx, 0xd
            //   31ff                 | mov                 ecx, 0xd
            //   eb31                 | mov                 ecx, edx
            //   31c0                 | mov                 eax, 2

        $sequence_8 = { 31ff e8???????? 833d????????00 7511 }
            // n = 4, score = 200
            //   31ff                 | mov                 eax, edx
            //   e8????????           |                     
            //   833d????????00       |                     
            //   7511                 | mov                 ecx, 0xd

        $sequence_9 = { 89d1 e8???????? b901000000 e8???????? }
            // n = 4, score = 200
            //   89d1                 | add                 eax, edx
            //   e8????????           |                     
            //   b901000000           | dec                 ebp
            //   e8????????           |                     

        $sequence_10 = { 81c4b0000000 c3 e8???????? 90 }
            // n = 4, score = 200
            //   81c4b0000000         | movzx               eax, bl
            //   c3                   | add                 eax, edx
            //   e8????????           |                     
            //   90                   | add                 edx, ecx

        $sequence_11 = { 31c9 31d2 bb09000000 bee0000000 }
            // n = 4, score = 200
            //   31c9                 | xor                 edx, edx
            //   31d2                 | xor                 ebx, ebx
            //   bb09000000           | xor                 eax, eax
            //   bee0000000           | mov                 ecx, 0xaa

        $sequence_12 = { 31c0 eb17 0fb6940496000000 0fb674041c 31d6 }
            // n = 5, score = 200
            //   31c0                 | xor                 ebx, edx
            //   eb17                 | lea                 ebx, [eax + ebx]
            //   0fb6940496000000     | lea                 ebx, [ebx + 0xe]
            //   0fb674041c           | mov                 eax, 7
            //   31d6                 | mov                 ecx, 0xd4

        $sequence_13 = { 01c1 83c101 83f90c 0f820fffffff }
            // n = 4, score = 100
            //   01c1                 | je                  0x269
            //   83c101               | add                 eax, eax
            //   83f90c               | inc                 eax
            //   0f820fffffff         | add                 al, bh

        $sequence_14 = { 01c1 c1e106 400fb6d6 01ca }
            // n = 4, score = 100
            //   01c1                 | add                 ecx, eax
            //   c1e106               | shl                 ecx, 6
            //   400fb6d6             | movzx               eax, dl
            //   01ca                 | add                 eax, ecx

        $sequence_15 = { 01c8 c1e006 400fb6cf 01c1 }
            // n = 4, score = 100
            //   01c8                 | and                 ecx, eax
            //   c1e006               | inc                 ecx
            //   400fb6cf             | mov                 dword ptr [edi + 0x14], ecx
            //   01c1                 | add                 eax, ecx

        $sequence_16 = { 01c1 c1e106 0fb6c2 01c8 }
            // n = 4, score = 100
            //   01c1                 | jb                  0xfffffe9c
            //   c1e106               | mov                 edx, 5
            //   0fb6c2               | add                 ecx, eax
            //   01c8                 | add                 ecx, 1

        $sequence_17 = { 01c2 b8ffffff03 21c5 21c3 }
            // n = 4, score = 100
            //   01c2                 | inc                 eax
            //   b8ffffff03           | movzx               edx, dh
            //   21c5                 | add                 edx, ecx
            //   21c3                 | add                 ecx, eax

        $sequence_18 = { 01c0 4000f8 0fb6c0 48898424b0000000 }
            // n = 4, score = 100
            //   01c0                 | add                 eax, eax
            //   4000f8               | inc                 eax
            //   0fb6c0               | add                 al, bh
            //   48898424b0000000     | movzx               eax, al

        $sequence_19 = { 01ca c1e206 0fb6c3 01d0 }
            // n = 4, score = 100
            //   01ca                 | mov                 ecx, eax
            //   c1e206               | shr                 ecx, 0x1f
            //   0fb6c3               | dec                 ecx
            //   01d0                 | inc                 ecx

        $sequence_20 = { 01c8 89c1 c1e91f ffc9 }
            // n = 4, score = 100
            //   01c8                 | movzx               eax, bl
            //   89c1                 | add                 eax, edx
            //   c1e91f               | add                 edx, eax
            //   ffc9                 | mov                 eax, 0x3ffffff

    condition:
        7 of them and filesize < 7946240
}

[TLP:WHITE] win_hive_w0 (20211222 | Hive v3 ransomware Windows/Linux/FreeBSD payload)

rule win_hive_w0 {
    meta:
        author = "rivitna"
        family = "ransomware.hive"
        description = "Hive v3 ransomware Windows/Linux/FreeBSD payload"
        source = "https://github.com/rivitna/Malware/blob/main/Hive/Hive.yar"
        severity = 10
        score = 100
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.hive"
        malpedia_rule_date = "20211222"
        malpedia_hash = ""
        malpedia_version = "20211222"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $h0 = { B? 03 52 DA 8D [6-12] 69 ?? 00 70 0E 00 [14-20]
                8D ?? 00 90 01 00 }
        $h1 = { B? 37 48 60 80 [4-12] 69 ?? 00 F4 0F 00 [2-10]
                8D ?? 00 0C 00 00 }
        $h2 = { B? 3E 0A D7 A3 [2-6] C1 E? ( 0F | 2F 4?)
                69 ?? 00 90 01 00 }

        $x0 = { C6 84 24 ?? 00 00 00 FF [0-14] 89 ?? 24 ?? 00 00 00 [0-6]
                89 ?? 24 ?? 0? 00 00 [0-20] C6 84 24 ?? 0? 00 00 34 }
        $x1 = { C6 44 24 ?? FF [0-14] 89 ?? 24 ?? [0-6] 89 ?? 24 ?? [0-12]
                C6 84 24 ?? 00 00 00 34 }

    condition:
        (((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) or
         (uint32(0) == 0x464C457F)) and
        (
            (2 of ($h*)) or (1 of ($x*))
        )
}

Download all Yara Rules

Hive Propose Change

References

Yara Rules

Hive