Dark Web Profile: Hive Ransomware Group

December 7, 2021

Recently, on November 8, electronics retail giant Media Markt suffered a ransomware attack with an initial ransom demand of $240 million, which caused IT systems to shut down and disrupted store operations in the Netherlands and Germany.

It was the Hive ransomware group that carried out the attack. In today’s blog post we will try to summarize what is known so far about the Hive group.

Who is ‘Hive’?

In a statement on August 25, FBI officials said that a newly formed ransomware group, Hive, was attacking the healthcare system in the USA. The Hive ransomware gang crashed the IT systems at Memorial Health System, disrupting healthcare and putting the lives of several patients at risk. First observed in June 2021, Hive ransomware operates as an affiliate-based ransomware service.

The FBI noted that the Hive gang used multiple tactics, techniques, and procedures (TTPs) to compromise targeted networks. The group is known to use phishing emails with malicious attachments to gain access to critical systems and Remote Desktop Protocol (RDP) to move laterally across the network.

After encrypting critical files, Hive ransomware distributes two malicious scripts (hive.bat and shadow.bat) to perform cleanup after encryption. The group then threatens to leak the information it obtains on its dark web site, HiveLeaks.

“After compromising a victim network, Hive ransomware actors leak data and encrypt files on the network. The actors leave a ransom note on each affected directory on the victim’s system, which provides instructions on how to purchase the decryption software,” the FBI said in a statement. 

According to an analysis of the Hive group, they use spear-phishing emails with attachments to gain a foothold in the victim’s network. After Hive obtains the user’s network credentials, it moves laterally across the network using Remote Desktop Protocol (RDP).

How Does the Hive Group Work? 

To evade anti-malware protections, Hive terminates processes related to computer backup and restore, antivirus and antispyware, and file copying. After encrypting files and saving them with a .hive extension, Hive creates the batch files hive.bat and shadow.bat, which contain commands for the computer to delete the Hive executable, disk backup copies or snapshots, and the batch files themselves. This is a common technique used by malware to reduce the forensic evidence available to responders.

Finally, Hive drops a ransom note, HOW_TO_DECRYPT.txt, into each affected directory. The notice explains that encrypted files are not decryptable without the master key, which is in the actors’ possession. In addition, the note contains the login details for the TOR website that the victim can use to pay the ransom, and it threatens to leak the victim’s sensitive data on the HiveLeaks TOR website.
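The post-encryption behaviour described in the two paragraphs above (protection services stopped, files renamed with a .hive extension, HOW_TO_DECRYPT.txt dropped into many directories, hive.bat and shadow.bat used to remove shadow copies and the dropper) is a useful pattern for a defender to detect. The script below is an added example, not code from the original post or from SOCRadar: it scans a stream of endpoint telemetry for those indicators and produces a per-host verdict. The event format, the sample events, the representative Windows service names (VSS, WinDefend, wbengine) and the shadow-copy deletion command strings it matches are assumptions made for the example.

```python
"""
Added example (not from the original post or from SOCRadar): behavioural
triage of endpoint telemetry for the Hive post-encryption pattern.
The event tuple format and the sample events are constructed; the service
names and shadow-copy command patterns are assumptions for this example.
"""
import re
from collections import Counter, defaultdict

# Constructed sample telemetry: (timestamp, host, event_type, detail).
# WS01 shows the full Hive-like sequence; WS02 is benign activity.
SAMPLE_EVENTS = [
    ("10:01:02", "WS01", "service_stop", "VSS"),
    ("10:01:03", "WS01", "service_stop", "WinDefend"),
    ("10:01:05", "WS01", "file_rename", r"C:\Finance\q3.xlsx -> C:\Finance\q3.xlsx.hive"),
    ("10:01:05", "WS01", "file_rename", r"C:\Finance\q4.xlsx -> C:\Finance\q4.xlsx.hive"),
    ("10:01:06", "WS01", "file_create", r"C:\Finance\HOW_TO_DECRYPT.txt"),
    ("10:01:06", "WS01", "file_create", r"C:\Users\alice\Documents\HOW_TO_DECRYPT.txt"),
    ("10:01:07", "WS01", "file_create", r"C:\Users\alice\AppData\Local\Temp\hive.bat"),
    ("10:01:07", "WS01", "file_create", r"C:\Users\alice\AppData\Local\Temp\shadow.bat"),
    ("10:01:08", "WS01", "process_start", "cmd.exe /c vssadmin.exe delete shadows /all /quiet"),
    ("10:02:00", "WS02", "file_create", r"C:\Users\bob\report.docx"),
    ("10:02:01", "WS02", "process_start", "notepad.exe report.txt"),
]

# Indicators taken from the article: ransom note name, cleanup batch files,
# encrypted-file extension.  The service set is an assumption listing
# representative backup/AV services a ransomware cleanup step would stop.
RANSOM_NOTE = "HOW_TO_DECRYPT.txt"
CLEANUP_BATCH = {"hive.bat", "shadow.bat"}
ENCRYPTED_EXT = ".hive"
PROTECTION_SERVICES = {"VSS", "WinDefend", "wbengine"}

# Assumed command-line shapes for shadow-copy deletion (MITRE ATT&CK T1490).
SHADOW_DELETE_RE = re.compile(
    r"\b(vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)",
    re.IGNORECASE,
)


def _split_path(path):
    """Return (directory, file name) for a Windows-style path."""
    directory, _, name = path.rpartition("\\")
    return directory, name


def detect_hive_indicators(events, note_threshold=2):
    """Map each host to the sorted list of Hive-like indicators seen on it.

    note_threshold: how many distinct directories must receive the ransom
    note before it is counted (Hive drops one in every affected directory).
    """
    findings = defaultdict(set)
    note_dirs = defaultdict(set)
    hive_renames = Counter()

    for _ts, host, etype, detail in events:
        if etype == "service_stop" and detail in PROTECTION_SERVICES:
            findings[host].add("protection_service_stopped")
        elif etype == "file_rename" and detail.lower().endswith(ENCRYPTED_EXT):
            hive_renames[host] += 1
        elif etype == "file_create":
            directory, name = _split_path(detail)
            if name == RANSOM_NOTE:
                note_dirs[host].add(directory)
            elif name.lower() in CLEANUP_BATCH:
                findings[host].add("cleanup_batch_dropped")
        elif etype == "process_start" and SHADOW_DELETE_RE.search(detail):
            findings[host].add("shadow_copy_deletion")

    for host in hive_renames:
        findings[host].add("hive_extension_rename")
    for host, dirs in note_dirs.items():
        if len(dirs) >= note_threshold:
            findings[host].add("ransom_note_in_multiple_dirs")

    return {host: sorted(inds) for host, inds in findings.items()}


def triage(events, min_indicators=3):
    """Return host -> (verdict, indicators).

    A single indicator (e.g. one service stop) is only 'suspicious';
    several independent ones together are 'likely_ransomware'.
    """
    result = {}
    for host, indicators in detect_hive_indicators(events).items():
        verdict = "likely_ransomware" if len(indicators) >= min_indicators else "suspicious"
        result[host] = (verdict, indicators)
    return result


if __name__ == "__main__":
    for host, (verdict, indicators) in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {verdict} -> {', '.join(indicators)}")
```

The verdict deliberately requires several independent indicators: stopping VSS or an AV service on its own happens during legitimate maintenance, whereas a service stop followed by mass renames to .hive, a ransom note in multiple directories and a shadow-copy deletion command in the same window is the sequence the article describes.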

In some attacks, in addition to offering live chat on their TOR website, the actors have called the victims directly and demanded payment in return for the master key. Payment deadlines range from 2 to 6 days, but in some incidents the actors extended the deadline after establishing communication with the victim company.

The message left by the attackers:

“Your network has been breached, and all data was encrypted. Personal data, financial reports, and important documents are ready to disclose. To decrypt all the data or prevent exfiltrated files from being disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/, you will need to purchase our decryption software.”

The FBI has identified the following IOCs from previous Hive ransomware campaigns. Some of these IOCs are used by legitimate applications and are not malicious. The FBI recommends removing all applications that are not deemed essential for daily operations.

Hive Group Had Previous Attacks 

Their attack on the healthcare system was not the first act of the Hive Group. On June 14, Altus Group, a commercial real estate software solutions company, announced that its data was breached. 

The day before the announcement, Altus Group was affected by a cybersecurity breach. Communication systems such as the IT back office and email were taken offline at the time.

Throughout subsequent updates, the company has yet to reveal whether any information has been leaked.

What Can Companies Do to Protect Themselves? 

- Do not open unfamiliar attachments or links while checking your email.

- Back up your data and keep a copy of the backup offline.

- Make sure the operating system and all applications are up to date.

- Use up-to-date, multi-layered security software.

- Limit or turn off Remote Desktop Protocol (RDP).

- Do not use simple passwords.

- Check regularly for weaknesses in your firewall configuration.

- Require users who connect to the company network from outside to do so over a VPN.

- Train your staff on cybersecurity.

- Build a competent security team within the company, or obtain external support if one cannot be created internally.
