Skip to main content

Operator dossier

hive is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 208 public victims claimed by this operator between August 14, 2021 and January 16, 2023. Hive is a financially motivated ransomware group that emerged in August 2021, operating as a Ransomware-as-a-Service (RaaS) model to maximize their criminal enterprise's reach and profitability. The group is suspected to have origins in Eastern Europe based on their operational patterns and linguistic indicators, though definitive attribution remains unclear, and they operate independently while recruiting affiliates to conduct attacks on their behalf. Hive primarily gains initial access through compromised Remote Desktop Protocol (RDP) credentials, phishing campaigns, and exploitation of known vulnerabilities in public-facing applications, subsequently deploying their custom ransomware payload that uses a combination of RSA and AES encryption algorithms while simultaneously exfiltrating sensitive data before encryption to enable double extortion tactics where they threaten to publish stolen information if ransom demands are not met. The group has targeted over 208 victims globally with a particular focus on manufacturing companies, business services, information technology firms, healthcare services, and internet and telecommunication services, primarily in the United States, United Kingdom, Netherlands, Indonesia, and China, including notable attacks against healthcare systems and critical infrastructure that drew significant attention from law enforcement agencies. In January 2023, the FBI announced the successful disruption of Hive's operations, seizing their dark web leak sites and decryption keys, effectively dismantling the group's infrastructure and providing free decryption tools to victims.

Most-affected countries

Recent disclosures by hive

Most recent 150 of 208 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for hive

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

All groups

hive

208 victims indexed · first seen 5 years ago · last activity 3 years ago

208
Victims indexed
#39 of 364 tracked operators
1y 5m
Active period
Aug 2021 → Jan 2023
10
Countries hit
top US · 34

At a glance

Status
inactive
First seen
5 years ago
Last activity
3 years ago
Primary sector
Manufacturing · 16 hits

About

Hive is a financially motivated ransomware group that emerged in August 2021, operating as a Ransomware-as-a-Service (RaaS) model to maximize their criminal enterprise's reach and profitability. The group is suspected to have origins in Eastern Europe based on their operational patterns and linguistic indicators, though definitive attribution remains unclear, and they operate independently while recruiting affiliates to conduct attacks on their behalf. Hive primarily gains initial access through compromised Remote Desktop Protocol (RDP) credentials, phishing campaigns, and exploitation of known vulnerabilities in public-facing applications, subsequently deploying their custom ransomware payload that uses a combination of RSA and AES encryption algorithms while simultaneously exfiltrating sensitive data before encryption to enable double extortion tactics where they threaten to publish stolen information if ransom demands are not met. The group has targeted over 208 victims globally with a particular focus on manufacturing companies, business services, information technology firms, healthcare services, and internet and telecommunication services, primarily in the United States, United Kingdom, Netherlands, Indonesia, and China, including notable attacks against healthcare systems and critical infrastructure that drew significant attention from law enforcement agencies. In January 2023, the FBI announced the successful disruption of Hive's operations, seizing their dark web leak sites and decryption keys, effectively dismantling the group's infrastructure and providing free decryption tools to victims.

References

47 links

External sources curated by the MISP threat-intel community.

Timeline

15 months
2021-08-01T00:00:00+00:00 · 22021-12-01T00:00:00+00:00 · 232022-01-01T00:00:00+00:00 · 322022-02-01T00:00:00+00:00 · 232022-03-01T00:00:00+00:00 · 212022-04-01T00:00:00+00:00 · 52022-05-01T00:00:00+00:00 · 172022-06-01T00:00:00+00:00 · 52022-07-01T00:00:00+00:00 · 292022-08-01T00:00:00+00:00 · 72022-09-01T00:00:00+00:00 · 142022-10-01T00:00:00+00:00 · 22022-11-01T00:00:00+00:00 · 102022-12-01T00:00:00+00:00 · 152023-01-01T00:00:00+00:00 · 3
2021-08-01T00:00:00+00:002023-01-01T00:00:00+00:00

Top countries

🇺🇸 United States
34
🇬🇧 United Kingdom
8
🇳🇱 Netherlands
3
🇨🇦 Canada
2
🇮🇩 Indonesia
2
🇧🇷 Brazil
2
🇪🇸 Spain
2
🇨🇳 China
2

Top sectors

Manufacturing
16
Business Services
12
Information Technology
10
Healthcare Services
4
Internet & Telecommunication Services
4
Energy & Utilities
3
Advertising, Marketing & Public Relations
3
Wholesale & Retail
3

MITRE ATT&CK

34 techniques · 11 tactics

Tactics

Command And ControlCredential AccessDefense ImpairmentDiscoveryExecutionImpactInitial AccessPersistencePrivilege EscalationResource DevelopmentStealth

Techniques

Recent victims

Loading…

Source

Updated 3 years ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time hive posts a victim.

Add hive to your watchlist — Pro pings you within 5 minutes of any new hive leak-site post, Telegram callout, or affiliate-rebrand inference.