Defense Evasion
- GMER
- PCHunter
Hive is a ransomware family and ransomware-as-a-service operation that emerged in 2021 and became one of the most prolific enterprise-focused extortion threats of 2022.
Profile source: Mallory opens in a new tabHive
Hive is a ransomware family and ransomware-as-a-service operation that emerged in 2021 and became one of the most prolific enterprise-focused extortion threats of 2022. It is known for double-extortion attacks in which operators steal data before encrypting systems and then pressure victims with both operational disruption and threatened public disclosure. Hive has been repeatedly associated with attacks against healthcare organizations and has also appeared broadly across other sectors and geographies.
Hive intrusions have been linked to hands-on-keyboard post-compromise activity using legitimate and dual-use administration tools. Reported tradecraft associated with Hive-linked operations includes credential theft, use of remote administration software for persistence or access, lateral movement with PsExec and Remote Desktop, reconnaissance with common network-enumeration utilities, dumping of directory and registry data, and pre-encryption data exfiltration with tools such as Rclone. Some reporting also links Hive-related activity to brute-forced internet-exposed RDP, compromised remote-access pathways, and exploitation of public-facing applications, although initial access can vary by affiliate or operator.
Hive has been observed in both Windows and Linux environments, including references to Linux and ESXi-targeting lockers in the broader ransomware ecosystem. However, available reporting also notes that Hive’s ESXi locker does not show obvious code similarity to Babuk-derived ESXi families, indicating independent development rather than simple reuse of that leaked code base. Hive activity has additionally been associated with resilient infrastructure techniques such as fast flux.
The operation has been tied in public reporting and law-enforcement actions to Russian-linked cybercrime ecosystems and to individuals accused of participating in Hive deployments alongside other major ransomware programs. In early 2023, international law enforcement disrupted Hive infrastructure after infiltrating the group’s backend systems, significantly impacting the operation. Subsequent reporting has noted suspected code overlap between Hive and Hunters International, leading to speculation that the latter may have acquired or reused Hive tooling, though direct continuity claims remain contested.
Hive is best characterized as a major double-extortion ransomware threat that combined aggressive enterprise intrusion tradecraft with cross-platform targeting and affiliate-driven deployment patterns.
Ransomware.live
Reported operators
DEV-0237 heavily used Ryuk and Conti payloads from Trickbot LLC/DEV-0193, then Hive payloads more recently.
Authorities say Matveev played a major role in the development and deployment of the Hive, LockBit and Babuk ransomware variants...
...delivering various ransomware payloads over the years, including Hive, BlackCat (ALPHV), Hunters International, LockBit, and Embargo ransomware.
MITRE ATT&CK
Reporting
Broadcom's threat research team has observed these tools being used across a wide range of ransomware families, including Akira, Beast, GodDamn, Hive, LockBit, Qilin, RansomHub, and Royal.
LockBit and Hive trade places because both produce encryption-heavy file operations.
Indeed, 2022 would have been even worse had the FBI not used their own deceptive operations to infiltrate the Hive ransomware group.
But public mockery (as with LockBit), and infiltration like the FBI did with Hive's ransomware network, can fracture trust among cyberthieves.
"Hive (January 2023) — Dismantled by the FBI after a months-long infiltration..."
"...maltrail ... indicated that the IP in question was associated with Hive ransomware"
In 2023, Matveev was indicted ... for his involvement in multiple ransomware operations, including Babuk, LockBit, and Hive...
WorldLeaks operates as a rebranded successor to Hunters International (linked to Hive ransomware), ditching file encryption for pure data exfiltration and leak threats via an extortion-as-a-service model.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.