The Russian-linked ransomware group tops the US authorities’ list of threats, having extorted some $100 million from more than 1,300 companies worldwide since it first surfaced, according to an advisory from the US Cybersecurity and Infrastructure Security Agency (CISA).
“Hive ransomware follows the ransomware-as-a-service model, in which developers create, maintain, and update the malware, and affiliates conduct the ransomware attacks,” said CISA.
Hive is the name given both to the group and its affiliates and to the malware they deploy. The operators break into a target’s network, exfiltrate its data, then encrypt the systems in place; the victim is offered the decryption key only once the ransom is paid, and because a copy of the data has already left the network, decryption alone does not undo the breach.
“Prior to encryption, Hive ransomware removes virus definitions and disables all portions of Windows Defender and other common antivirus programs in the system registry,” said CISA.
“Hive actors exfiltrate data likely using a combination of Rclone and the cloud storage service Mega.nz.”
As well as deploying against the Microsoft Windows operating system, Hive ransomware has variants that allow it to be used in the same way against Linux, VMware ESXi, and FreeBSD.
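The two behaviours CISA describes above (switching off Defender through the registry, then pushing data out with Rclone to Mega.nz) are both visible in ordinary endpoint telemetry. The following is an added illustration for this page, not code from CISA, Cybernews or the Hive operators: a small Python triage routine over Sysmon-style events already parsed into dicts (EventID 13 for registry value set, EventID 1 for process create). The Defender policy paths are real Windows registry values, but the list is an assumed watchlist rather than the malware’s exact edits, and the sample events are constructed.

```python
"""Detection sketch for the two Hive behaviours CISA describes above:
registry writes that switch off Microsoft Defender, and Rclone launches
that look like exfiltration to Mega.nz.

Added example for this page, not code from CISA or Cybernews. Assumes
Sysmon-style events parsed into dicts (EventID 13 = registry value set,
EventID 1 = process create); the sample events are constructed.
"""
import re

# Real Windows policy values that disable Defender components. Hive's
# exact set of registry edits is not listed on this page, so treat this
# as a starting watchlist, not an inventory of the malware's behaviour.
DEFENDER_KILL_SWITCHES = {
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus",
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring",
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection",
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection",
}
_KILL_SWITCHES_LOWER = {k.lower() for k in DEFENDER_KILL_SWITCHES}

# Sysmon renders a DWORD value as "DWORD (0x00000001)".
_DWORD = re.compile(r"DWORD \(0x([0-9A-Fa-f]+)\)")
# rclone.exe as the last path component, any case.
_RCLONE_PATH = re.compile(r"(?:^|[\\/])rclone(?:\.exe)?$", re.IGNORECASE)
# The remote name in an rclone command is user-chosen, so "mega" in the
# command line is only a hint that raises severity, never the sole trigger.
_MEGA_HINT = re.compile(r"\bmega\b", re.IGNORECASE)


def is_defender_tamper(event):
    """True for a registry-set event that flips a Defender kill switch to non-zero."""
    if event.get("EventID") != 13:
        return False
    if event.get("TargetObject", "").lower() not in _KILL_SWITCHES_LOWER:
        return False
    m = _DWORD.search(event.get("Details", ""))
    # Writing 0 re-enables the component; only a non-zero write is tampering.
    return bool(m) and int(m.group(1), 16) != 0


def is_rclone_launch(event):
    """True for a process-create event that is Rclone, even if the binary was renamed."""
    if event.get("EventID") != 1:
        return False
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "")
    return bool(_RCLONE_PATH.search(image)) or original.lower() == "rclone.exe"


def triage(events):
    """Return (severity, rule, detail) tuples for every suspicious event."""
    findings = []
    for e in events:
        if is_defender_tamper(e):
            findings.append(("high", "defender-tamper", e["TargetObject"]))
        elif is_rclone_launch(e):
            cmd = e.get("CommandLine", "")
            sev = "high" if _MEGA_HINT.search(cmd) else "medium"
            findings.append((sev, "rclone-launch", cmd))
    return findings


# Constructed sample telemetry: a tamper write, the same key being reset
# to 0 (benign), an unrelated Run-key write, a renamed rclone pushing to
# a Mega remote, a legitimate rclone sync to a NAS, and background noise.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r'svchost.exe copy "C:\Finance" mega:loot --transfers 16'},
    {"EventID": 1, "Image": r"C:\Tools\rclone.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r"rclone.exe sync D:\Backups nas:share"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Two design points worth noting. The registry rule fires on the write itself, not on whether Defender honours it (recent Defender builds with Tamper Protection ignore some of these policy values, but an attacker setting them is still a signal). The Rclone rule keys on `OriginalFileName` from the PE version resource as well as the path, because renaming the binary is routine; the Mega hint only adjusts severity, since a remote can be called anything.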
A swarm of attacks
CISA added that since June last year it has observed threat actors using Hive ransomware “to target a wide range of businesses and critical infrastructure sectors” – especially healthcare facilities.
Initial access varied by target but included single-factor logins over Remote Desktop Protocol (RDP), VPNs and other remote-access services, meaning valid credentials used with no second factor, and phishing emails carrying malicious attachments or links that trick employees into compromising their employers’ systems.
The VPN logins CISA describes are an intrusion vector rather than a cloaking tool: the actors sign in to exposed corporate VPN appliances with stolen single-factor credentials, and have also bypassed multifactor authentication by exploiting a known, patchable vulnerability in a VPN product, a flaw that already carried a “common vulnerabilities and exposures” identifier.
Common Vulnerabilities and Exposures (CVE) is the public catalogue of identifiers for known software flaws; CISA and peer agencies issue advisories on them regularly, and the point of this notice is that Hive keeps getting in through flaws that already had a CVE and a patch.
Prevention not payment
CISA and its partner body, the Federal Bureau of Investigation (FBI), urge organizations not to pay ransoms but to invest in prevention instead: patch promptly against published CVEs and install updates for operating systems, software and firmware as soon as they are released. Given that single-factor remote logins were among the entry points described above, enforcing multifactor authentication on RDP and VPN access is the obvious complement to patching.
“Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities,” said CISA. “Paying the ransom also does not guarantee that a victim’s files will be recovered.”