Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 12. See MITRE ATT&CK for Enterprise for all referenced tactics and techniques.
As of November 2022, Hive ransomware actors have victimized over 1,300 companies worldwide, receiving approximately US$100 million in ransom payments, according to FBI information. Hive ransomware follows the ransomware-as-a-service (RaaS) model in which developers create, maintain, and update the malware, and affiliates conduct the ransomware attacks. From June 2021 through at least November 2022, threat actors have used Hive ransomware to target a wide range of businesses and critical infrastructure sectors, including Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health (HPH).
The method of initial intrusion will depend on which affiliate targets the network. Hive actors have gained initial access to victim networks by using single factor logins via Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote network connection protocols [T1133]. In some cases, Hive actors have bypassed multifactor authentication (MFA) and gained access to FortiOS servers by exploiting Common Vulnerabilities and Exposures (CVE) CVE-2020-12812. This vulnerability enables a malicious cyber actor to log in without a prompt for the user’s second authentication factor (FortiToken) when the actor changes the case of the username.
Hive actors have also gained initial access to victim networks by distributing phishing emails with malicious attachments [T1566.001] and by exploiting the following vulnerabilities against Microsoft Exchange servers [T1190]:
- CVE-2021-31207 - Microsoft Exchange Server Security Feature Bypass Vulnerability
- CVE-2021-34473 - Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2021-34523 - Microsoft Exchange Server Privilege Escalation Vulnerability
After gaining access, Hive ransomware attempts to evade detection by executing processes to:
- Identify processes related to backups, antivirus/anti-spyware, and file copying, and then terminate those processes to facilitate file encryption [T1562].
- Stop the volume shadow copy services and remove all existing shadow copies via vssadmin on the command line or via PowerShell [T1059] [T1490].
- Delete Windows event logs, specifically the System, Security, and Application logs [T1070].
Prior to encryption, Hive ransomware removes virus definitions and disables all portions of Windows Defender and other common antivirus programs in the system registry [T1112].
Hive actors exfiltrate data likely using a combination of Rclone and the cloud storage service
During the encryption process, a file named
The ransom note also threatens victims that a public disclosure or leak site accessible on the TOR site, “HiveLeaks”, contains data exfiltrated from victim organizations who do not pay the ransom demand (see figure 1 below). Additionally, Hive actors have used anonymous file sharing sites to disclose exfiltrated data (see table 1 below).
Table 1: Anonymous file sharing sites used by Hive actors to disclose exfiltrated data
- https://mega[.]nz
- https://send.exploit[.]in
- https://ufile[.]io
- https://www.sendspace[.]com
- https://privatlab[.]net
- https://privatlab[.]com
Once the victim organization contacts Hive actors on the live chat panel, Hive actors communicate the ransom amount and the payment deadline. Hive actors negotiate ransom demands in U.S. dollars, with initial amounts ranging from several thousand to millions of dollars. Hive actors demand payment in Bitcoin.
Hive actors have been known to reinfect—with either Hive ransomware or another ransomware variant—the networks of victim organizations who have restored their network without making a ransom payment.
Indicators of Compromise
Threat actors have leveraged the following IOCs during Hive ransomware compromises. Note: Some of these indicators are legitimate applications that Hive threat actors used to aid in further malicious exploitation. FBI, CISA, and HHS recommend removing any application not deemed necessary for day-to-day operations. See tables 2–3 below for IOCs obtained from FBI threat response investigations as recently as November 2022.
Table 2: Known IOCs

Known IOCs - Files
- HOW_TO_DECRYPT.txt, typically in directories with encrypted files
- *.key, typically in the root directory, i.e., C:\ or /root
- hive.bat
- shadow.bat
- asq.r77vh0[.]pw - Server hosted malicious HTA file
- asq.d6shiiwz[.]pw - Server referenced in malicious regsvr32 execution
- asq.swhw71un[.]pw - Server hosted malicious HTA file
- asd.s7610rir[.]pw - Server hosted malicious HTA file
- Windows_x64_encrypt.dll
- Windows_x64_encrypt.exe
- Windows_x32_encrypt.dll
- Windows_x32_encrypt.exe
- Linux_encrypt
- Esxi_encrypt

Known IOCs - Events
- System, Security, and Application Windows event logs wiped
- Microsoft Windows Defender AntiSpyware Protection disabled
- Microsoft Windows Defender AntiVirus Protection disabled
- Volume shadow copies deleted
- Normal boot process prevented

Known IOCs - Logged Processes
- wevtutil.exe cl system
- wevtutil.exe cl security
- wevtutil.exe cl application
- vssadmin.exe delete shadows /all /quiet
- wmic.exe SHADOWCOPY /nointeractive
- wmic.exe shadowcopy delete
- bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
- bcdedit.exe /set {default} recoveryenabled no
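The defense-evasion and recovery-inhibition steps described in the technical details (event log wiping, shadow copy deletion, boot recovery changes, Defender registry tampering) and the logged processes in Table 2 map directly onto detection logic. The following is an added example, not part of the advisory: it runs those indicators as rules over constructed, simplified telemetry lines (the `ts|host|details` format, hostnames, and registry path are assumptions made for the example) and escalates a host only when several distinct techniques appear within a short window.

```python
"""Detection over constructed endpoint telemetry for the pre-encryption commands this advisory
lists; the 'ts|host|details' line format is a made-up simplification, not a real EDR schema."""
import re
from collections import defaultdict
from datetime import datetime

# (ATT&CK ID as cited in the advisory, description, pattern over the command line / registry detail)
RULES = [
    ("T1070", "event log cleared", re.compile(r"\bwevtutil(?:\.exe)?\s+cl\s+(?:system|security|application)\b", re.I)),
    ("T1490", "shadow copies deleted", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b|\bwmic(?:\.exe)?\s+shadowcopy\b", re.I)),
    ("T1490", "boot recovery disabled", re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("T1112", "Defender disabled in registry", re.compile(r"\b(?:DisableAntiSpyware|DisableAntiVirus)\s*=\s*(?:0x0*1|1)\b", re.I)),
]

SAMPLE_LOG = [  # constructed sample telemetry; hostnames and the registry path are made up
    r"2022-11-10T02:14:05|WS-FIN-07|C:\Windows\System32\wevtutil.exe cl system",
    r"2022-11-10T02:14:06|WS-FIN-07|wevtutil.exe cl security",
    r"2022-11-10T02:14:09|WS-FIN-07|vssadmin.exe delete shadows /all /quiet",
    r"2022-11-10T02:14:11|WS-FIN-07|bcdedit.exe /set {default} recoveryenabled no",
    r"2022-11-10T02:15:30|WS-FIN-07|HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = 0x00000001",
    r"2022-11-10T08:30:00|SRV-BACKUP-01|vssadmin.exe list shadows",
    r"2022-11-10T09:00:00|SRV-BACKUP-01|wmic.exe shadowcopy delete",
]

def parse_event(line):
    """Split 'ts|host|details'; return None for lines that do not fit the shape."""
    parts = line.strip().split("|", 2)
    if len(parts) != 3:
        return None
    return {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S"), "host": parts[1], "details": parts[2]}

def match_rules(event):
    """Return (technique, description) for every rule whose pattern hits this event."""
    return [(tid, desc) for tid, desc, rx in RULES if rx.search(event["details"])]

def correlate(lines, window_seconds=900):
    """Per-host hits plus hosts showing 2+ distinct techniques inside the window: a lone shadow-copy
    deletion may be backup maintenance, but the advisory's sequence is several of these within minutes."""
    hits = defaultdict(list)
    for ev in filter(None, map(parse_event, lines)):
        for tid, desc in match_rules(ev):
            hits[ev["host"]].append((ev["ts"], tid, desc))
    escalated = {}
    for host, events in hits.items():
        events.sort()
        span = (events[-1][0] - events[0][0]).total_seconds()
        techniques = sorted({tid for _, tid, _ in events})
        if len(techniques) >= 2 and span <= window_seconds:
            escalated[host] = techniques
    return dict(hits), escalated
```

Run against real telemetry, the single-technique hits (the backup server here) are worth a low-severity review, while the escalated host matches the log-wipe, shadow-deletion and Defender-tampering sequence this advisory attributes to Hive.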
MITRE ATT&CK TECHNIQUES
See table 4 for all referenced threat actor tactics and techniques listed in this advisory.
Table 4: Referenced ATT&CK tactics and techniques

Initial Access
Technique Title | ID | Use
External Remote Services | T1133 | Hive actors gain access to victim networks by using single factor logins via RDP, VPN, and other remote network connection protocols.
Exploit Public-Facing Application | T1190 | Hive actors gain access to victim networks by exploiting the following Microsoft Exchange vulnerabilities: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, CVE-2021-42321.
Phishing | T1566.001 | Hive actors gain access to victim networks by distributing phishing emails with malicious attachments.

Execution
Technique Title | ID | Use
Command and Scripting Interpreter | T1059 | Hive actors look to stop the volume shadow copy services and remove all existing shadow copies via vssadmin on the command line or via PowerShell.

Defense Evasion
Technique Title | ID | Use
Indicator Removal on Host | T1070 | Hive actors delete Windows event logs, specifically the System, Security, and Application logs.
Modify Registry | T1112 | Hive actors set the registry values DisableAntiSpyware and DisableAntiVirus to 1.
Impair Defenses | T1562 | Hive actors seek processes related to backups, antivirus/anti-spyware, and file copying and terminate those processes to facilitate file encryption.

Exfiltration
Technique Title | ID | Use
Transfer Data to Cloud Account | T1537 | Hive actors exfiltrate data from victims, using a possible combination of Rclone and the cloud storage service Mega.nz.

Impact
Technique Title | ID | Use
Data Encrypted for Impact | T1486 | Hive actors deploy a ransom note HOW_TO_DECRYPT.txt into each affected directory which states the *.key file cannot be modified, renamed, or deleted, otherwise the encrypted files cannot be recovered.
Inhibit System Recovery | T1490 | Hive actors look to stop the volume shadow copy services and remove all existing shadow copies via vssadmin on the command line or via PowerShell.