Hive (ransomware)

Hive (also known as the Hive ransomware group) was a ransomware as a service (RaaS) operation carried out by the eponymous cybercrime organization between June 2021 and January 2023. The group's purpose was to attack mainly public institutions to subsequently demand ransom for release of hijacked data.

In January 2023, following a joint US–German investigation involving 13 law enforcement agencies, the United States announced that the FBI had "hacked the hackers" over several months, resulting in seizure of the Hive ransomware group's servers, effectively shuttering the criminal enterprise. The Hive ransomware group had extorted over $100 million from about 1,500 victims in more than 80 countries when dismantled by law enforcement. The investigation continues, with the US State Department adding a $US10 million bounty for information linking Hive ransomware to any foreign government.

Method of operation
Hive employed a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation. According to the Federal Bureau of Investigation (FBI), it functioned as affiliate-based ransomware, using multiple mechanisms to compromise business networks, including phishing emails with malicious attachments to gain access, and Remote Desktop Protocol (RDP) once a network was infiltrated. Using locker malware and operating as a RaaS platform, Hive used Double Extortion techniques, in which operators install locker malware to take the data of a victim entity, then encrypt it so that it becomes useless to the victims for conducting business. Group operators then threaten to publish the stolen data on its dark web Tor site – HiveLeaks – unless the ransom is paid. The group has also used "triple extortion" tactics, seeking to extort money from anyone affected by a data disclosure of the victim organization's data.

The Hive mainly targets energy, healthcare, financial, media, and education sectors, and became notorious for attacking and crippling critical infrastructure. According to cybersecurity firm Paloaltonetworks in late 2022, the ransomware drops two batch scripts: hive.bat, which tries to delete itself, then shadow.bat, which deletes any shadow copies of the system. It then adds a .hive extension to encrypted files, along with its ransom note, entitled "HOW_TO_DECRYPT.txt", which lists instructions for preventing data loss. A generated login credential is included to instigate online communications between the victim and Hive hackers, labelled as its "sales department". A Tor link directs the victim to a login page submit the provided credentials, which opens a chat room.

Emergence and growing profile
Hive ransomware first became apparent in June 2021. Two months later, ZDNet reported that Hive had attacked at least 28 healthcare organizations in the United States, including clinics and hospitals across Ohio and West Virginia. In August 2021, the FBI released urgent updates warning of the risks from Hive ransomware, as did INCIBE in Spain, the following January. Also in August 2021, the FBI released a flash alert on the Hive ransomware attacks that includes technical details and indicators of compromise associated with the operations of the gang.

In December 2021, Group-IB Threat Intelligence analysts determined that the Hive ransomware group communicated in Russian, though without information regarding its operational location, and that, as of October 16, 2021, at least 355 companies had been victims of Hive ransomware during the previous six months, the majority being in the United States, with ransom obtained from over 100 victims undertaking to regain control of digital infrastructures. Hive's administrator panel showed that its affiliates had breached more than 350 organizations over four months with an average of three companies attacked every day since Hive operations were revealed in late June.

Chainalysis ranked Hive eighth on the list of highest ransomware revenue in February 2022. In July 2022, Malwarebytes ranked Hive as the third-most active ransomware group, noting that the group was evolving and that Microsoft had issued a warning stating that HIVE had upgraded the malware to the Rust programming language, upgrading to a more complex encryption method.

Conti links
According to Advanced Intelligent Systems expert Yelisey Boguslavskiy and BleepingComputer, Hive had links to Conti ransomware group since at least November 2021, with some Hive members working for both groups. According to Boguslavskiy, Hive was actively using the initial attack access provided by Conti.

In May 2022, BleepingComputer reported that Conti had partnered with Hive and several other well-known ransomware gangs, including HelloKitty, AvosLocker, BlackCat and BlackByte, with some of the Conti hackers migrating to these organizations, including Hive, though the rival group has denied having any connection with Conti despite which, once the process of closing operations began and its hackers reached Hive, it then began to employ the tactic of publishing leaked data on the deep web, just as Conti had.

Later in May, Conti announced that they would begin a shutdown process, days after the DOJ announced two indictments of an active Conti operator and Russian national on May 16, 2022, then partnered with Hive to attack the Costa Rica public health service and Costa Rican Social Security Fund (CCSS) the following week.

Unlike the Conti Group, Hive was not associated with direct support for the Russian invasion of Ukraine, even though the ransom payment to Hive is likely to be received by the same people within Conti who claimed the group's collective alignment with the Russian government. Boguslavskiy then told BleepingComputer that evidence of HIVE actively via both the initial attack accesses secured from Conti, and via the services of Conti's pen-testers.

Discovery of vulnerabilities and FBI infiltration
In February 2022, four researchers from Kookmin University in South Korea discovered a vulnerability in the Hive ransomware encryption algorithm, allowing them to obtain the master key and recover hijacked information. In May, a Cisco report indicated that Hive criminals demonstrated low security when revealing operational details, including regarding its encryption process, and employs any and all means to convince its victims to pay, including offering bribes to victims' negotiators after ransom is paid.

In July 2022, the FBI infiltrated Hive. Undercover Tampa, Florida Field Office agents acquired full access and acted as a subsidiary in the Hive network undetected for seven months, while gathering evidence and secretly generating decryption keys for victims to recover their data. The FBI worked with victims to identify Hive's targets, then entered Hive's systems after obtaining court orders and search warrants before eventual seizure of Hive's digital infrastructure, which its members used to communicate and carry out the attacks.

In November 2022, Cybersecurity and Infrastructure Security Agency (CISA) issued a Cybersecurity Advisory detailing Hive ransomware mitigation methods, noting that the group had, since June 2021, then victimized over 1,300 companies globally, and had acquired approximately US$100 million in ransom payments. Two months later, when dismantled by law enforcement, Hive had added 200 more companies as to victims in 80 countries.

Defeat in cyberspace
On January 26, 2023, United States Attorney General Merrick Garland personally announced that, in concert with law enforcement from 13 countries, including Europol and German and Dutch police agencies, Hive had been successfully infiltrated and dismantled through server seizures, after having obtained over 1000 decryption keys, which the agency had provided to 336 victims prior to shuttering the Hive digital infrastructure. The FBI investigation had uncovered two backend computer servers used by the group to store data in Los Angeles, which were seized. Deputy Attorney General Lisa Monaco explained the investigation as having legally "hacked the hackers". FBI director Christopher A. Wray reported that only about 20% of American victim companies had reported the breaches. No ransom proceeds were recovered and no arrests were made. The investigation continues. The same day, the US State Department issued notice of a $US10 million bounty for information linking Hive ransomware to foreign governments, under its Transnational Organized Crime Rewards Program (TOCRP).

2023 arrests
As part of an Europol investigation, on 21 November 2023 Ukraine authorities searched 30 objects in western Ukraine and apprehended 5 men, including the alleged leader of the group, a 32 year old. They confiscated an unspecified amount of bitcoins equivalent to a six-figure amount of euros from one of the suspects. Europol stated that additional suspects were still under investigation.

March 2021—CNA Insurance
CNA paid more than $40 million in late March to regain control of its network after a Hive ransomware attack. The Chicago-based company paid the hackers about two weeks after a trove of company data was stolen, and CNA officials were locked out of their network. In 2022, it was reported to be the largest disclosed ransomware payment at that time.

The insurer stated that its investigation concluded that the hackers responsible for the cyberattack were from a group called Phoenix. They had used malware called Phoenix Locker, a variation of the Hades ransomware used by Russian cybercriminal group Evil Corp.

August 2021—Memorial Health System
Memorial Healthcare System was forced to have its hospitals use paper records, cancel procedures, and refer patients to other non-compromised facilities. The organization paid ransom to Hive to regain access to its systems.

April 2022—Microsoft Exchange servers
Investigation by cybersecurity firm revealed, in April 2022, that an affiliate of the Hive ransomware group was targeting Microsoft Exchange servers with vulnerability to ProxyShell security issues, deploying a variety of backdoors, such as Cobalt Strike beacon, subsequently executing network reconnaissance to steal administrator account credentials, exfiltrate valuable data and deploy the file-encrypting payload.

May 2022—Navarre public institutions
Also in May 2022, Hive attacked the Community of Navarra, Spain, forcing a hundred institutions to use pen and paper while systems were recovered.

May 2022—Bank of Zambia
When Hive attacked the Bank of Zambia in May 2022, it refused to pay the ransom, stating that it had means to recover its systems, and posted a link to a dick pic on the extortionists' chat.

May–June 2022—Costa Rica
Conti announced that they would begin a shutdown process days after the DOJ announced its two indictments of an active Conti operator and Russian national on May 16, 2022. After the Conti digital infrastructure was reset on May 19, it became evident that Conti, claiming a goal of overthrowing the government, partnered with Hive to attack the Costa Rica public health service and Costa Rican Social Security Fund (CCSS). On May 31 at about 2:00 am (UTC-6:00), the Costa Rican Social Security Fund (CCSS) detected anomalous information flows in its systems and immediately proceeded to turn off all its critical systems, including the Single Digital Health File (Expediente Digital Único en Salud, EDUS) and the Centralized Collection System. Some printers in the institution printed messages with random codes or characters, while others printed default instructions from the Hive ransomware group on how to regain access to systems. During the attack, it appeared that Hive alone was responsible for taking down 800 government-run servers and thousands of user terminals. CCSS President Álvaro Ramos Chaves stated that databases with sensitive information were not compromised, though at least 30 of the institution's 1,500 servers had been contaminated with ransomware.

August 2022—Bell Technical Solutions
Bell Canada telecommunications company subsidiary Bell Technical Solutions was attacked by Hive ransomware in August 2022. Hive leaked the company's stolen data.

November 2022—Intersport
Reported in December, Swiss sporting goods maker Intersport, with over 700 outlets, was breached by Hive in November, with details of the breach seen only on the dark web, according to French-language media outlet Numerama. Hive demanded that the company pay an undisclosed amount the same day. A sample file allegedly leaked on the dark web by Hive and scrutinized by Numerama contains passports, payslips, and other personal information regarding Intersport customers, which is seen as common practice among ransomware gangs. Typically, the ransomware gang locks or encrypts all company data prior to threatening to publish it online if ransom demands are not met.