{
	"id": "e0016ab8-e109-4f10-bd4e-58275c15d6f4",
	"created_at": "2026-04-06T00:17:28.827298Z",
	"updated_at": "2026-04-10T03:21:10.067764Z",
	"deleted_at": null,
	"sha1_hash": "bc21633d75fb60f5026f6fd71da419c10be9424f",
	"title": "Ransomware Spotlight: Hive",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 466582,
	"plain_text": "Ransomware Spotlight: Hive\r\nArchived: 2026-04-05 22:01:31 UTC\r\nOverview of Hive’s operations\r\nHive operations are more prolific than their leak site might suggest. HiveLeaks only publishes the list of victims that have not settled the ransom, so it is hard to determine which, or how many, companies decided to pay. A report indicates that attack attempts by Hive affiliates hit an average of three companies per day since the group was first discovered in June 2021. The same report mentioned that security researchers who gained access to information directly from the administrator panel of the Hive Tor site found that the number of enterprises whose systems had been compromised had reached 355 between September and December 2021.\r\nIntelligence gathered by the researchers further revealed that the founders of the group deliberately put systems in place to make ransomware deployment and negotiations as easy and transparent as possible for affiliates. Researchers also learned that an affiliate can generate a new build of the ransomware within 15 minutes, while negotiations are routed through the Hive administrators, who relay messages to the victims in a chat window that the affiliates can see.\r\nResearchers also shared that affiliates can see on the Hive administrator panel how much money was collected, the list of companies that paid, and those whose information was leaked.\r\nThe group’s emphasis on operational efficiency and transparency is key to enticing new affiliates. 
It suggests that the group is aiming for sustainability by creating an environment that is conducive to building a bigger and stronger affiliate base.\r\nOf note is that some enterprises complained about the decryption tool that Hive operators provided after they settled the ransom. Reports said it lacked proper functionality, and some victims claimed that the Master Boot Records of their virtual machines were corrupted, rendering them unable to boot.\r\nTop affected countries and industries\r\nThis section cites Trend Micro™ Smart Protection Network™ (SPN) data on Hive’s attempts to compromise organizations.\r\nOur detections show that Hive ransomware attack attempts against organizations were observed most in South America, with Argentina receiving the highest number followed by Brazil. The United States takes the third spot, while the rest are spread across Europe, Asia, and the Middle East.\r\nFigure 1. 10 countries with the highest number of attack attempts per machine for Hive ransomware (August 1, 2021 to February 28, 2022)\r\nSource: Trend Micro Smart Protection Network\r\nThe energy sector had the highest number of attack attempts at 186; healthcare came in second at 125, followed by the financial sector with 102 detections.\r\nhttps://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-hive\r\nPage 1 of 6\r\nFigure 2. 10 industries with the highest number of attack attempts per machine for Hive ransomware (August 1, 2021 to February 28, 2022)\r\nSource: Trend Micro Smart Protection Network\r\nBy breaking down the detections per month, our findings reveal that attack attempts peaked in November 2021 at 429. Hive operators were most active in the fourth quarter of 2021, as detections in December and October were the second and third highest, respectively.\r\nFigure 3. 
Monthly breakdown of detections per machine for Hive ransomware (August 1, 2021 to February 28, 2022)\r\nSource: Trend Micro Smart Protection Network\r\nTargeted regions and sectors according to Hive’s leak site\r\nAn examination of the information that can be found on HiveLeaks reveals the number of successfully compromised companies that, as of this writing, have declined to pay the ransom. In our monitoring of their leak site from December 1, 2021 to February 28, 2022, attacks were highest in North America at 45.2%, followed by Europe at 29% and Latin America at 12.9%.\r\nFigure 4. Regional distribution of Hive victims according to the group’s leak site (December 1, 2021 to February 28, 2022)\r\nEnterprises appear to be Hive’s preferred targets, at an estimated almost 40% of victims. The victims came from a wide range of sectors, with technology at the top of the list with a victim count of 5. The healthcare and transportation sectors follow at 4 victims each. Other affected industries include construction, media and entertainment, professional services, retail, materials, automotive, apparel, and fashion.\r\nFigure 5. Sector distribution of Hive victims according to the group’s leak site (December 1, 2021 to February 28, 2022)\r\nData observed in the same time frame showed that most of the attacks took place on weekdays; malicious activity on weekends made up only 6.5%.\r\nExecution\r\nOnce inside the network, Hive operators attempt to establish persistence for a Cobalt Strike beacon, which serves as the C\u0026C channel and supports lateral movement. Right after that attempt, Hive operators start to unload or uninstall antivirus (AV) products on the system so they can proceed to download and execute tools such as PCHunter, GMER, and TrojanSpy.DATASPY. 
They use these tools to unload other AV products as a tactic to evade detection. We also observed WMI being used to deploy uninstallation scripts and the ransomware across the network for lateral movement.\r\nDefense Evasion, Discovery, and Credential Access\r\nWe observed PCHunter and GMER being used to discover and terminate services or processes in order to disable AV software. We also detected the use of TrojanSpy.DATASPY to gather information about the system, such as machines in the network and the presence of specific AV products. In another attack, the threat actors deployed KillAV to terminate several AV products, again to avoid detection.\r\nExfiltration\r\nOur detections showed that the Hive operators use the 7-Zip tool to archive stolen data for exfiltration. Moreover, the gang abuses anonymous file-sharing services such as MEGASync, AnonFiles, SendSpace, and uFile to exfiltrate data.\r\nImpact\r\nThe ransomware payload proceeds with the encryption routine upon execution. It generates a random encryption key with the RtlGenRandom API and initially holds it only in memory. The key is then used in what appears to be a custom implementation of the encryption process.\r\nThe key itself is encrypted with RSA, using Go’s standard-library RSA implementation and a list of public keys embedded in the binary. The encrypted key is then saved as a .key file 
on the encrypted drive.\r\nThe generated key is then wiped from memory, leaving the RSA-encrypted copy as the only copy of the key, so the files can only be decrypted by whoever holds the matching private key.\r\nMITRE tactics and techniques\r\nInitial Access\r\nT1566.001 - Phishing: Spear-phishing attachment. Arrives via phishing emails.\r\nT1190 - Exploit public-facing application. Arrives via any of the following exploits: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207 (the Microsoft Exchange ProxyShell chain).\r\nT1078 - Valid accounts. Has been reported to make use of compromised accounts to access victims via RDP.\r\nExecution\r\nT1106 - Native API. Uses native API calls to execute various commands and routines.\r\nT1059.003 - Command and scripting interpreter: Windows Command Shell. The ransomware accepts various command-line arguments upon execution.\r\nT1059.001 - Command and scripting interpreter: PowerShell. Cobalt Strike executes a PowerShell command to run the persistence technique.\r\nT1053.005 - Scheduled Task/Job: Scheduled Task. Registers and executes malicious tasks.\r\nT1204 - User execution. User execution is needed to carry out the payload from the spear-phishing link or attachment.\r\nT1047 - Windows Management Instrumentation. WMI is used to deploy uninstallation scripts and the ransomware.\r\nPersistence\r\nT1053.005 - Scheduled Task/Job: Scheduled Task. Uses scheduled tasks for persistence.\r\nPrivilege Escalation\r\nT1068 - Exploitation for Privilege Escalation. Makes use of CVE-2021-34523 to escalate privileges.\r\nDefense Evasion\r\nT1562.001 - Impair Defenses: Disable or Modify Tools. Uses several tools to disable security-related software by terminating it.\r\nDiscovery\r\nT1083 - File and directory discovery. Searches for specific files and directories related to its encryption.\r\nT1018 - Remote system discovery. Makes use of tools for network scans.\r\nT1057 - Process discovery. Discovers certain processes for termination.\r\nT1063 - Security software discovery (now T1518.001). Discovers security software for reconnaissance and termination.\r\nT1049 - System Network Connections Discovery. Uses TrojanSpy.DATASPY to gather information about the connected machines in the network.\r\nT1135 - Network Share Discovery. Lists all available machines in the network via SMB or tools within the network.\r\nLateral Movement\r\nT1570 - Lateral tool transfer. Can make use of RDP to transfer the ransomware to other machines in the network.\r\nT1021.002 - Remote services: SMB/Windows admin shares. Uses RDP to transfer and execute the ransomware payload and other tools.\r\nT1021.006 - Remote Services: Windows Remote Management. Uses WMI to execute and deploy uninstallation scripts and the ransomware payload.\r\nCollection\r\nT1005 - Data from local system. May make use of RDP to manually search for valuable files or information.\r\nT1560.001 - Archive Collected Data: Archive via Utility. Uses a tool to archive stolen information for exfiltration.\r\nCommand and Control\r\nT1105 - Ingress Tool Transfer. Executes a BitsAdmin command to deliver files.\r\nExfiltration\r\nT1567 - Exfiltration over web service. Makes use of several third-party services to exfiltrate stolen information.\r\nSummary of malware, tools, and exploits used\r\nSecurity teams can watch out for the presence of the 
following malware tools and exploits that are typically used in Hive attacks:\r\nInitial Access\r\nPhishing emails with malicious attachments\r\nExploits: CVE-2021-34473 (pre-auth path confusion vulnerability to bypass access control), CVE-2021-34523 (privilege elevation vulnerability in the Exchange PowerShell backend), CVE-2021-31207 (post-auth remote code execution via arbitrary file write)\r\nExecution\r\nPsExec - Third-party tool to execute a process or command line on a remote computer\r\nWMI - Administration feature that provides a uniform environment to access Windows system components; used for remote execution of files for lateral movement\r\nCobalt Strike - Beacon used for C\u0026C and persistence\r\nDiscovery\r\nTrojanSpy.DATASPY - Trojan that collects AV-related processes and services running in the system as well as connected machines within the network\r\nLateral Movement\r\nPsExec - Command-line utility built for Windows to allow programs to run on remote machines\r\nRDP - Spread across machines in the network using RDP connections\r\nBitsAdmin - Command-line tool used to create download or upload jobs and monitor their progress\r\nWMI - Administration feature that provides a uniform environment to access Windows system components; used for remote execution of files for lateral movement\r\nDefense Evasion\r\nPCHunter - Third-party tool that can be used to disable security tools\r\nGMER - Third-party tool that can be used to disable security tools\r\nKillAV - Used to terminate AV processes\r\nExfiltration\r\n7-Zip - File archiver with a high compression ratio\r\nMEGASync - Third-party cloud storage tool abused for data exfiltration\r\nuFile.io - Free file hosting website where people can upload and share files with other users; abused for data exfiltration\r\nSendSpace - Third-party cloud storage tool abused for data exfiltration\r\nAnonFiles - Online file storage provider that offers an anonymous working environment; abused for data exfiltration\r\nRecommendations\r\nDespite being relatively new, Hive ransomware has already made its mark as one of the most prolific and aggressive ransomware families today. Our detections of their malicious activities show that their operations are robust, which provides an incentive for new affiliates to join them. Hive operators are also known to constantly refine and diversify their TTPs, so it is important for companies to stay vigilant and be well informed of potential threats. An organization stands a better chance of addressing ransomware threats if it implements strong defenses early on.\r\nTo protect systems against similar threats, organizations can establish security frameworks that allocate resources systematically for establishing a strong defense strategy against ransomware.\r\nHere are some best practices that organizations can consider:\r\nAudit and inventory\r\nTake an inventory of assets and data\r\nIdentify authorized and unauthorized devices and software\r\nAudit event and incident logs\r\nConfigure and monitor\r\nManage hardware and software configurations\r\nGrant admin privileges and access only when necessary to an employee’s role\r\nMonitor network ports, protocols, and services\r\nActivate security configurations on network infrastructure devices such as firewalls and routers\r\nEstablish a software allowlist that only executes legitimate applications\r\nPatch and update\r\nConduct regular 
vulnerability assessments\r\nPerform patching or virtual patching for operating systems and applications\r\nUpdate software and applications to their latest versions\r\nProtect and recover\r\nImplement data protection, backup, and recovery measures\r\nEnable multifactor authentication (MFA)\r\nSecure and defend\r\nEmploy sandbox analysis to block malicious emails\r\nDeploy the latest versions of security solutions to all layers of the system, including email, endpoint, web, and network\r\nDetect early signs of an attack such as the presence of suspicious tools in the system\r\nUse advanced detection technologies such as those powered by AI and machine learning\r\nTrain and test\r\nRegularly train and assess employees on security skills\r\nConduct red-team exercises and penetration tests\r\nA multilayered approach can help organizations guard possible entry points into their system (endpoint, email, web, and network). Security solutions can detect malicious components and suspicious behavior, which can help protect enterprises.\r\nTrend Micro Vision One™ provides multilayered protection and behavior detection, which helps block questionable behavior and tools before the ransomware can do any damage.\r\nTrend Micro Cloud One™ Workload Security protects systems against both known and unknown threats that exploit vulnerabilities. This protection is made possible through techniques such as virtual patching and machine learning.\r\nTrend Micro™ Deep Discovery™ Email Inspector employs custom sandboxing and advanced analysis techniques to effectively block malicious emails, including phishing emails that can serve as entry points for ransomware.\r\nTrend Micro Apex One™ offers next-level automated threat detection and response against advanced concerns such as fileless threats and ransomware, ensuring the protection of endpoints.\r\nIndicators of Compromise (IOCs)\r\nSource: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-hive",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-hive"
	],
	"report_names": [
		"ransomware-spotlight-hive"
	],
	"threat_actors": [],
	"ts_created_at": 1775434648,
	"ts_updated_at": 1775791270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bc21633d75fb60f5026f6fd71da419c10be9424f.pdf",
		"text": "https://archive.orkl.eu/bc21633d75fb60f5026f6fd71da419c10be9424f.txt",
		"img": "https://archive.orkl.eu/bc21633d75fb60f5026f6fd71da419c10be9424f.jpg"
	}
}