Hive

Legend

General Icons

Screenshot available
Company website
Infostealer data found
Victim has denied
Ransom amount known

Sector Icons

Manufacturing

Construction

Transportation/Logistics

Technology

Healthcare

Financial Services

Public Sector

Education

Business Services

Consumer Services

Energy

Telecommunication

Agriculture and Food Production

Hospitality and Tourism

Not Found

Location Types

DLS: Data Leak Site
Files: Files server
Chat: Negotiation chat portal
API: Application Programming Interface endpoint
Admin: Admin panel or backend interface

Hive is a strain of ransomware that was first discovered in June 2021. Hive was designed to be used by Ransomware-as-a-service providers, to enable novice cyber-criminals to launch ransomware attacks on healthcare providers, energy providers, charities, and retailers across the globe. In 2022 there was a switch from GoLang to Rust.

External information

CISA Alert aa22-321a
From ScreenConnect to Hive Ransomware in 61 hours
https://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/

Victims

208

First Discovered

2021-08-14

victim

Last Discovered

2023-01-16

victim

Inactive Since

3yrs

more than

Avg Delay

N/A

attack→claim

Infostealer

11.1%

victims with domain

View Victims on World Map

View group statistics

Known Locations (3)

Title	Available	Last Visit	FQDN
This domain has been seized	No	2025-06-01 21:18:38	`hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion`
This domain has been seized	No	2025-06-01 21:18:49	`hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion`
This domain has been seized	No	2025-06-01 21:18:54	`hiveapi4nyabjdfz2hxdsr7otrcv6zq6m4rk5i2w7j64lrtny4b7vjad.onion`

Screenshot Preview

Target (Available)

Top 5 Activity Sectors

Manufacturing 16
Business Services 12
Information Technology 10
Internet & Telecommunication Services 4
Healthcare Services 4

Top 5 Countries

United States 34
United Kingdom 8
Netherlands 3
Brazil 2
Indonesia 2

Heatmap (Available)

Ransom Notes (2)

HOW_TO_DECRYPT.txt
hive.txt

Tools Used (Available)

This information is provided by Ransomware-Tool-Matrix
Discovery	RMM Tools	Defense Evasion	Credential Theft	OffSec	Networking	LOLBAS	Exfiltration
Advanced IP Scanner Bloodhound SoftPerfect NetScan placeholder placeholder	Atera ScreenConnect Splashtop placeholder placeholder	GMER PCHunter placeholder placeholder placeholder	placeholder placeholder placeholder placeholder placeholder	Cobalt Strike Impacket Metasploit Meterpreter PowerShell Empire	placeholder placeholder placeholder placeholder placeholder	BCDEdit BITSAdmin Windows Event Utility (wevtutil) WMIC placeholder	MEGA PrivatLab RClone Sendspace UFile

Vulnerabilities Exploited (0)

No vulnerabilities exploited available.

TTPs Matrix (0)

No TTPs available.

Negotiation Chats (8)

20211004 70 msgs

20211005 19 msgs

20211026 46 msgs

20211102 58 msgs

20211113 136 msgs

20211126 4 msgs

20211213 15 msgs

20211220 24 msgs

YARA Rules (1)

Hive.yar

Indicators of Compromise (IoCs) (0)

No IoCs available for this group.