{
	"id": "a98d7acd-f557-482d-95d7-b5b18945d7d6",
	"created_at": "2026-04-06T01:31:53.629361Z",
	"updated_at": "2026-04-10T13:11:31.716093Z",
	"deleted_at": null,
	"sha1_hash": "daaa3b3564cc2d530c66435a02ee351d83340cda",
	"title": "Hive Attacks | Analysis of the Human-Operated Ransomware Targeting Healthcare - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1155407,
	"plain_text": "Hive Attacks | Analysis of the Human-Operated Ransomware Targeting\r\nHealthcare - SentinelLabs\r\nBy Jim Walter\r\nPublished: 2021-08-23 · Archived: 2026-04-06 01:16:51 UTC\r\nBy Jim Walter \u0026 Juan Andres Guerrero-Saade\r\nExecutive Summary\r\nHive is a double-extortion ransomware group that first appeared in June 2021.\r\nThe group is notable in its undiscerning choice of targets, having no limits when it comes to healthcare providers and\r\nhospitals, as evidenced in a recent attack on Memorial Health System hospitals in Ohio.\r\nHive ransomware is written in Go to take advantage of the language’s concurrency features to encrypt files faster.\r\nThis report offers an overview of Hive TTPs as well as a reverse engineering deep dive into the ransomware\r\npayloads.\r\nHive remains active with as many as 30 victim companies listed on its Hive Leaks onion site at the time of writing.\r\nBackground\r\nWhile many active ransomware groups have committed to forgoing attacks on medical targets in deference to the current\r\nglobal situation, Hive is not one of them. On August 15, 2021, news broke of a Hive campaign against Memorial Health\r\nSystem, an Ohio healthcare provider. As a result, the hospital was forced to advise some patients to seek treatment at\r\nseparate facilities.\r\nWhile some ransomware attacks hitting public health and critical infrastructure targets can be the result of a shotgun\r\napproach to targeting – mass phishing campaigns that execute malware blindly on victim devices without awareness of the\r\nvictim environment – that is not the case with Hive. 
This is a human-operated ransomware attack designed to take input\r\nfrom the command line, indicating the attackers are both aware of the environment and tailoring their attacks for maximum\r\nimpact.\r\nMemorial Health Systems open statement on ransomware attack\r\nWho is Hive?\r\nhttps://labs.sentinelone.com/hive-attacks-analysis-of-the-human-operated-ransomware-targeting-healthcare/\r\nPage 1 of 8\n\nHive or “HiveLeaks” is a relatively new ransomware outfit that made its appearance on the scene in late June, 2021. Hive is\r\nyet another double extortion group, making their money off of a two-pronged attack: exfiltrating sensitive data before\r\nlocking up the victims’ systems. This allows them to pressure the victim into paying greater sums than a conventional\r\nransomware attack as they also face the threat of a mass leak of sensitive data. Hive’s schemes have proven successful so far\r\nas multiple leaks are currently posted on their victim blog. As of the time of writing, there are 30 companies currently named\r\non the HiveLeaks site.\r\nHiveLeaks site showing the timer before releasing victim files\r\nWe can’t put the toothpaste back in the tube for Memorial Health Systems, but we can at least contribute a breakdown of the\r\nHive operators’ preferred techniques and a deep dive into their ransomware toolkit to help other potential victims.\r\nTechnical Analysis\r\nInitial access can vary. Cobalt Strike implants are most often the tool of choice. They are delivered via phishing or emails in\r\norder to establish initial access. These beacons maintain persistence and allow the operators to expand their reach within the\r\ncompromised environment. They are also used to launch the Hive payloads.\r\nRecent campaigns opt for the use of ConnectWise. ConnectWise is a legitimate commercial remote administration tool that\r\nhas been abused by multiple ransomware operators in recent years. 
This allows for persistence and management of their\r\nmalware in environments where Cobalt Strike hasn’t been successful.\r\nOnce inside, attackers will attempt to dump credentials by way of comsvcs.dll (MinDump) through rundll32.exe:\r\n\\Windows\\system32\\cmd.exe /C rundll32.exe\r\n\\Windows\\System32\\comsvcs.dll MinDump 752 lsass.dmp full\r\nAdditionally, WDigest may be manipulated to allow for the caching of cleartext credential data:\r\n\\Windows\\system32\\cmd.exe /C reg add\r\nHKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v\r\nUseLogonCredential /t REG_DWORD /d 1 \u0026\u0026 gpupdate /force\r\nAdditional tools like ADRecon may be used to further understand and traverse the compromised Active Directory (AD)\r\nenvironment. ADRecon is an open-source tool designed to do just that – to map, traverse and enumerate an AD environment.\r\nThe Hive Payload\r\nWhile the tools, techniques, and procedures mentioned above are fairly standard for ransomware groups these days, Hive\r\nutilizes their own closed-source ransomware. The payloads are written in Go and packed with UPX. After unpacking, the\r\nransomware itself is over 2MB in size owing to the way Go packages statically-link all dependencies to create a reliably\r\nportable executable.\r\nThe developers are taking advantage of some of the native benefits of Go, particularly the ability to implement easy and\r\nreliable concurrency. On the other hand, Go is known for enabling easy cross-compilation across different operating systems\r\nbut the manner in which Hive implements its functionality makes it Windows-specific, at this time.\r\nThe ransomware is designed to take input from the command line, indicating that it’s meant to be run directly by an operator\r\nor a script containing the desired parameters. 
The available flags are as follows.\r\nFlags used by Hive Ransomware\r\nThese flags are largely self-explanatory with the exception of the final option, no-cleanpollDesc. This refers to a final phase\r\nin the ransomware’s functionality that looks for a file named swap.tmp in all logical drives and deletes it before the\r\nransomware exits. The developers refer to this as ‘cleaning space’. At this time we don’t know what this file does, whether\r\nit’s a component generated during their operations, a native Windows file, or perhaps a reference to incomplete cross-platform functionality intended for future builds.\r\nGo malware is usually considered difficult to reverse engineer, primarily due to the wealth of tangentially-related imported\r\ncode baked into every executable. It’s important to isolate the code contributed by the malware developers. In this case, Hive\r\ndevs contributed four packages orchestrated by the main() function: encryptor, keys, winutils, and config.\r\nCustom packages under ‘google.com’ parent directory\r\nCursory examination might miss these as they’re housed under a parent package named google.com, perhaps to give the\r\nappearance that these are standard packages.\r\nThe main function parses the flags provided by the operator before initializing the ransomware functionality under\r\nencryptor.NewApp(). First it generates and exports the encryption keys and generates the ransom note. It directs the victim\r\nto a password-protected Onion domain:\r\nhttp:\r\nIt also warns the victim of the impending disclosure of their stolen data at the Hive Leaks site:\r\nhttp:\r\nThe main functionality is housed under encryptor.(*App).Run(), which does the following:\r\n1. App.ExportKeys() wraps around standard Go crypto functions, which it uses to generate RSA keys. A key file is\r\nexported.\r\n2. 
MountPoints() enumerates different types of drives and appends them to a slice (a dynamically-sized array in Go).\r\nThis includes native logical drives, removable drives, and remote shares.\r\n3. Based on the kill flag, the malware proceeds to kill processes matching the regex provided. If no custom value is\r\nprovided, the following default is used:\r\n\"bmr|sql|oracle|postgres|redis|vss|backup|sstp\"\r\n4. Based on the stop flag, the malware connects to the Windows service control manager and proceeds to stop services\r\nmatching the regex provided.\r\n5. The malware creates a batch file to self-delete with the filename hive.bat, removing its own components from the\r\ndisk via a new process.\r\ntimeout 1 || sleep 1\r\ndel \"C:\\Users\\admin1\\Desktop\\hmod4.exe\"\r\nif exist \"C:\\Users\\admin1\\Desktop\\hmod4.exe\" goto Repeat\r\ndel \"hive.bat\"\r\n6. It creates a batch file to delete shadow copies under the filename shadow.bat and executes it as a separate process.\r\nvssadmin.exe delete shadows /all /quiet\r\ndel shadow.bat\r\n7. In order to take advantage of Go’s concurrency features, the Hive devs run a Notify() function that is meant to\r\nwatch the WaitGroup that keeps track of the parallel threads. As long as there are threads pending, this function will\r\nkeep the program running.\r\n8. Now onto the real business of ransomware. ScanFiles() will populate a list of absolute filepaths fed into a channel\r\n(a queue of sorts). EncryptFiles() will then spawn threads that each take a file from that queue and encrypt it. This\r\nconcurrency feature is the main advantage of writing this ransomware in Go and allows for much faster file\r\nencryption.\r\n9. 
Finally, the devs make sure to erase the encryption key from memory.\r\nRansom notes are deposited into each folder containing encrypted files (skipping the C:\\windows directory).\r\nThe ‘HOW_TO_DECRYPT.TXT’ ransom note\r\nThe ransom note instructs victims to visit the Hive portal via TOR and log in with their assigned unique ID to continue the\r\npayment process.\r\nHive Victim Portal\r\nEach infection campaign is assigned unique credentials available in the ransom note. This portal leads the victim to the\r\nstandard ransomware ‘support’ area where they can upload freebie test files, communicate with their attackers, and receive\r\ntheir decryptor should they choose to pay (which, in an ideal world, they shouldn’t).\r\nConclusion\r\nAs these attacks continue to escalate and become more egregious, the need for true attack ‘prevention’ is all the more\r\ncritical. While well-maintained and tested backup strategies are a must, they are not enough in these double-extortion cases.\r\nOnce executed, most modern ransomware will go after backup and storage volumes in fairly smart ways. Many have even\r\nevolved to target specific NAS devices and platforms. Some groups will bypass the encryption phase altogether and opt for\r\npilfering data to openly extort victims with. While the latter scenario may seem preferable due to a lack of disruption, the\r\nreputational damage, potential liability, and threat to business viability remains. Hence our emphasis on prevention.\r\nWe urge all defenders to explore and embrace modern endpoint protection technologies that go beyond static checks, basic\r\nsignatures, and other outdated components. 
Contextual awareness and automated behavioral classification are among the\r\nmost powerful weapons defenders should avail themselves of.\r\nIndicators of Compromise\r\nFILE HASHES\r\nSHA1\r\nSHA256\r\nCOMMUNICATIONS\r\nCobalt Beacon: 176.123.8.228\r\nMITRE ATT\u0026CK\r\nT1574.001 – Hijack Execution Flow: DLL Search Order Hijacking\r\nTA0005 – Defense Evasion\r\nTA0004 – Privilege Escalation\r\nT1486 – Data Encrypted for Impact\r\nT1027.002 – Obfuscated Files or Information: Software Packing\r\nT1003.001 – OS Credential Dumping: LSASS Memory\r\nT1007 – System Service Discovery\r\nT1059 – Command and Scripting Interpreter\r\nT1059.001 – Command and Scripting Interpreter: PowerShell\r\nT1059.003 – Command and Scripting Interpreter: Windows Command Shell\r\nT1490 – Inhibit System Recovery\r\nSource: https://labs.sentinelone.com/hive-attacks-analysis-of-the-human-operated-ransomware-targeting-healthcare/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.sentinelone.com/hive-attacks-analysis-of-the-human-operated-ransomware-targeting-healthcare/"
	],
	"report_names": [
		"hive-attacks-analysis-of-the-human-operated-ransomware-targeting-healthcare"
	],
	"threat_actors": [],
	"ts_created_at": 1775439113,
	"ts_updated_at": 1775826691,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/daaa3b3564cc2d530c66435a02ee351d83340cda.pdf",
		"text": "https://archive.orkl.eu/daaa3b3564cc2d530c66435a02ee351d83340cda.txt",
		"img": "https://archive.orkl.eu/daaa3b3564cc2d530c66435a02ee351d83340cda.jpg"
	}
}