Home / Explore our latest insights / The rise of Hive, a growing threat to organisations everywhere

Published: 1st March 2023 | In: Threat Intelligence & Guidance

Cyber security analysts track dozens of cybercriminal groups and nation state actors worldwide to understand what they do and how they do it, studying their tactics, techniques and procedures (TTPs) and how they change over time. Several gangs are more prolific than others and a few have become infamous in the last few years because the mainstream media has reported more frequently about the damage they do to the private and public sector, the harm this causes to citizens and the financial damage they cause.

Hive is one such gang. Active since around June 2021, following the break-up of the Conti group, it made its name by successfully targeting a number of healthcare providers in the US, then moving on to schools and colleges, government agencies, real estate companies and even police departments across the country. It launches its attacks against multiple operating systems including Microsoft Windows. Not shy about boasting about its crimes, the group even posts details of some of them on its dark web blog.

The group hasn’t limited its cyber-attacks to the world’s biggest economy, however, it’s also attacked organisations throughout South America, Europe and Asia. And its targets now include most other sectors of the global economy. Whereas Hive initially focused on organisations storing large volumes of personal and sensitive data, it now sees anyone and everyone as fair game.

Not stopping at solely conducting attacks, the group realised they could make even more money by selling its software to other groups or individuals. This is the Ransomware-as-a-Service (RaaS) model whereby cybercriminals concentrate on just one stage of the cyber-attack chain rather than trying to manage every step. This has made it easier for researchers to obtain the malicious code to understand how it works. But it sometimes makes it harder for them to identify which group has conducted which crime because multiple groups are using Hive’s code.

In just a few years, Hive has undoubtedly become one of the most dangerous cybercrime gangs on the planet. One cyber security firm even ranked it as the second most successful in 2022 after LockBit. Known for its aggressiveness and frequent attacks, its members work hard to evolve their TTPs to keep security experts from blocking its objectives.

Following the money

Naturally, few crime groups declare how much money they make and most organisations that have suffered from ransomware attacks don’t like to declare how much they have paid out. The FBI believes Hive has already targeted more than 1,300 companies around the globe, helping it to bring in approximately US$100 million in ransom payments to date.

Like most threat actors, Hive is known to gain access to organisations via phishing techniques such as sending emails with malicious links or attachments. Once inside, they move laterally around a network to look for ways to exfiltrate and encrypt valuable data. Investigators know that Hive favours double extortion, where they not only steal data to sell or leak on the dark web, but encrypt it inside their target’s databases as well. To make matters worse, Hive has developed its own processes to delete back-ups and prevent successful data recovery. This can all be very damaging to any business and potentially extremely expensive as well.

Its mastery of these techniques and their tactic of living off the land (exploiting legitimate tools to avoid detection) makes it a threat to all organisations in every country today.

Tracking cybercriminals

Although it’s not been proven where the group originated, observers know they are Russian-speaking. Some threat actors are very adept at disguising their whereabouts, using tools such as virtual private servers to hide their locations and directing their traffic via numerous countries and continents. They are also known to recruit individuals based in different regions of the world to make it harder for researchers and investigators to pinpoint their exact position.

Government authorities advise against paying any ransom fees to anyone in any situation because this only encourages the groups to commit more crimes and, of course, gives them more money to invest in even more sophisticated tools. If organisations do hand money over to Hive, or any other gang, then they may well go against their word and carry out their threats anyway.

Download our Ransomware Threat Intelligence report to learn more

You might like to learn more about the most active cybercrime groups operating around the world today, their TTPs, who they typically target, and how you can best defend yourself again them by downloading our Threat Intelligence 2023 Outlook Report.