status badge: dismantled — 2023-01-26
type: Ransomware
threat_level: High (historical)
status: Dismantled
origin: Unknown (Russian-language RaaS)
last_updated: 2026-03-27

Hive Ransomware Group

leak site: HiveLeaks
successor: Hunters International (assessed)

The subject of one of the most operationally significant law enforcement actions in ransomware history. After the FBI infiltrated Hive's infrastructure in July 2022 — seven months before the public announcement — agents quietly obtained over 1,300 decryption keys and passed them to victims worldwide, preventing an estimated $130 million in ransom payments before the group's servers were finally seized and its dark web sites taken down on January 26, 2023. In its 19-month run from June 2021 to that date, Hive extorted more than $100 million from over 1,500 victims across 80 countries, with a particular willingness to strike hospitals, healthcare systems, and other critical infrastructure that other ransomware groups treated as off-limits.

attributed origin: Unknown — Russian-language operation (assessed)
operation model: Ransomware-as-a-Service (RaaS) — 80/20 affiliate split
active period: June 2021 – January 26, 2023
primary motivation: Financial extortion — double and triple extortion
primary targets: Healthcare, Energy, Financial, Government, Education
confirmed impact: $100M+ extorted, 1,500+ victims, 80 countries
le action: FBI infiltration July 2022; servers seized Jan 2023
ransoms prevented: $130M saved via 1,300+ decryption keys
current status: DISMANTLED — January 26, 2023

Overview

Hive emerged in June 2021 as a ransomware-as-a-service operation, quickly establishing itself as one of the most aggressive and indiscriminate groups in the ransomware ecosystem. Within two months of its first known attack, the FBI issued an urgent flash alert about Hive's targeting of healthcare organizations — an early signal of the group's willingness to strike hospitals and medical systems that other ransomware operators had treated as informal red lines. The operation grew rapidly: by mid-2022, Malwarebytes ranked Hive as the third-most active ransomware group globally, and affiliates were compromising an average of three organizations per day.

Hive operated on a standard RaaS model, with core developers maintaining the ransomware payload, the affiliate panel, the negotiation portal, and the HiveLeaks dark web data extortion site. Affiliates paid nothing upfront; instead, the group took 20 percent of each ransom payment, with affiliates retaining 80 percent. This generous affiliate split helped attract experienced operators who brought their own network access and initial access techniques. The group provided affiliates with a structured toolkit including the ransomware binary, an admin panel for managing infections and negotiations, and access to HiveLeaks for publishing non-paying victims' data.

The ransomware itself evolved significantly during Hive's operational life. Initial versions were written in Go, leveraging the language's concurrency features for faster file encryption. After a public decryptor for versions 1 through 4 was released by the Korea Internet & Security Agency in mid-2022, the group rewrote the payload in Rust for version 5 — a pattern of adaptation consistent with other technically capable ransomware operations. The group also deployed two cleanup batch scripts after encryption: hive.bat for self-deletion and shadow.bat for deleting Volume Shadow Copies to prevent recovery.

Hive's most documented characteristic was its complete disregard for humanitarian targeting limits. While many ransomware groups publicly committed to avoiding hospitals and healthcare providers — particularly following high-profile criticism — Hive attacked Memorial Health System in Ohio within weeks of launching, forced emergency room diversions and surgical cancellations at multiple hospitals, compromised Costa Rica's national public health service, and repeatedly targeted ambulance services, specialty clinics, and other medical infrastructure throughout its operation. The FBI specifically documented Hive preventing a Louisiana hospital from paying a $3 million ransom by providing a decryption key during the seven-month covert infiltration.

The FBI infiltration, led by the Tampa Field Office, began in late July 2022 when agents gained clandestine access to Hive's control panel. For seven months, agents operated inside the group's infrastructure without detection — generating decryption keys for victims under active attack, warning organizations of incoming attacks before they could fully deploy, and gathering intelligence on the group's operations and affiliates. The covert phase ended when servers were seized on January 26, 2023, with coordinated takedown operations executed alongside German and Dutch law enforcement, the US Secret Service, and Europol. No arrests or indictments were announced at the time of the takedown announcement.

Following the dismantling, a new group called Hunters International emerged in late 2023 with code showing more than 60 percent overlap with Hive's ransomware. Hunters International claimed to be an independent group that acquired Hive's source code and infrastructure rather than a direct rebrand, and stated a primary focus on data exfiltration rather than encryption — though the code-level similarities remain the most significant data point for attribution.

Target Profile

Hive's targeting was broad and deliberately indiscriminate, distinguishing the group from operators that observed informal sector limits. Any organization holding data valuable enough to generate a ransom payment was within scope.

  • Healthcare and Public Health: Hive's defining and most criticized target category. Hospitals, hospital systems, ambulance services, specialty clinics, and public health agencies were targeted repeatedly throughout the group's operational life. Memorial Health System (Ohio, August 2021), Costa Rica's CCSS national health service (May 2022), Empress EMS ambulance service (New York, July 2022), and Lake Charles Memorial Health System (Louisiana, November 2022) were among documented victims. Patient data including health records, Social Security numbers, and insurance information was exfiltrated and threatened for publication.
  • Energy and Critical Infrastructure: The energy sector recorded the highest number of Hive attack attempts per machine in Trend Micro's tracking period (August 2021 to February 2022), with 186 detections. Utility operators and energy companies were consistently in scope throughout the operation.
  • Financial Institutions: Banks and financial services companies were targeted for both ransom payments and the high sensitivity of financial data as extortion leverage. The Bank of Zambia was targeted in May 2022 — an incident notable because the bank publicly refused to pay and posted a defiant response on Hive's negotiation chat.
  • Government and Public Sector: National and local government entities were targeted, most notably Costa Rica's public health service and social security system in partnership with Conti in May 2022, which caused widespread disruption to government-provided healthcare services.
  • Education and Technology: School districts, universities, and technology firms appeared throughout Hive's victim list. The FBI documented proactively notifying a university of an active attack during the covert infiltration and providing a decryption key before the infection could fully deploy.
  • Geographic Distribution: North America accounted for the largest share of HiveLeaks non-paying victims (approximately 45%), followed by Europe (approximately 29%) and Latin America (approximately 13%). The group operated globally, with confirmed victims across at least 80 countries.

Tactics, Techniques & Procedures

Hive affiliates used multiple initial access techniques depending on the target environment, with no single standardized entry method. Post-compromise activity followed documented ransomware deployment patterns: establish access, move laterally, exfiltrate data, disable backups, encrypt, and extort via dual channels (decryption ransom and data publication threat).

mitre id | technique | description
--- | --- | ---
T1566.001 | Spear-Phishing Attachment | Hive affiliates used phishing emails with malicious attachments as a primary initial access vector. Lures were adapted to the target sector — healthcare-themed content for medical organizations, financial documents for banking targets.
T1078 | Valid Accounts — Stolen Credentials | Leaked and purchased credentials were used to authenticate directly to victim environments via RDP and VPN. Credential theft from prior breaches was documented as a significant initial access source for Hive affiliates, particularly for organizations with externally exposed remote access services.
T1190 | Exploit Public-Facing Application | Hive affiliates exploited ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) in Microsoft Exchange Server to gain initial access without authentication, particularly during 2021–2022. FortiGate VPN vulnerabilities were also documented as entry points in multiple campaigns.
T1021.001 | Remote Services: RDP | Once initial credentials were obtained, RDP was the primary lateral movement mechanism. Hive affiliates used RDP to traverse from initial footholds to domain controllers and backup servers before deploying the ransomware payload across the network.
T1059.001 | PowerShell | PowerShell was used to download and execute malicious binaries directly in memory via Invoke-Expression (IEX), and to deploy obfuscated Cobalt Strike Beacon payloads. PowerShell-based loaders were observed downloading the Hive payload from C2 infrastructure after initial access was established via Exchange exploitation.
T1486 | Data Encrypted for Impact | Hive's ransomware payload encrypted files across the network using the Go-based (v1–4) or Rust-based (v5) encryptor. The encryption targeted all accessible file shares, network drives, and local storage. VMware ESXi, Linux, FreeBSD, and Windows variants were all in active use. After encryption, ransom notes were dropped in every affected directory.
T1485 | Data Destruction — Shadow Copy Deletion | shadow.bat was deployed post-encryption to delete all Volume Shadow Copies (VSS) on Windows systems, preventing file recovery without paying the ransom or restoring from external backups. hive.bat handled self-deletion of the ransomware executable after deployment.
T1567 | Exfiltration — Data Exfiltration for Double Extortion | Before triggering encryption, affiliates exfiltrated sensitive data to actor-controlled infrastructure. This data was then threatened for publication on HiveLeaks unless the victim paid. In some documented cases, Hive pursued triple extortion — also attempting to extort individuals whose data appeared in the exfiltrated tranche.
T1489 | Service Stop — Backup and Security Tool Termination | Before deploying the encryptor, Hive affiliates terminated backup software, database services, and security products to prevent interference with encryption and eliminate backup-based recovery options. This was consistent with standard ransomware pre-encryption preparation across the ecosystem.
T1136.001 | Create Local Account | Hive affiliates created local Windows administrator accounts to maintain persistence across the victim network during the dwell period, providing a fallback access mechanism independent of any compromised domain credentials that might be detected and reset.

re-infection documented

Hive was documented re-infecting organizations that restored their systems from backups without paying the ransom. This behavior — attacking the same victim a second time after a successful recovery — was unusual among ransomware operators and reflected the group's aggressive stance toward extracting payment. Healthcare organizations in particular should account for this risk when planning recovery without payment.

Known Campaigns

Selected confirmed attacks and operational milestones across Hive's 19-month active period.

Launch — Altus Group & Initial Operations June 2021

Hive's first documented victim was Altus Group, a commercial real estate software company, on June 14, 2021. The attack took down communication systems and back-office infrastructure. The FBI issued an urgent flash alert in August 2021 following Hive's initial wave of healthcare attacks, documenting the group's TTPs and IOCs for defenders.

Memorial Health System — Ohio & West Virginia Hospitals August 2021

Hive's first major healthcare attack compromised Memorial Health System, disrupting clinical and financial operations across three hospitals in Ohio and West Virginia. Emergency rooms diverted patients, urgent surgeries were cancelled, and radiological tests were suspended. Approximately 216,000 patient records were stolen. This attack — coming within weeks of Hive's launch — established the group's defining characteristic: no humanitarian limits on targeting.

Costa Rica CCSS — National Health Service May 2022

In coordination with the Conti ransomware group (which was in the process of shutting down following its own exposure), Hive attacked Costa Rica's national social security system (CCSS). The attack disrupted the Single Digital Health File system and Centralized Collection System, affecting healthcare delivery across the country. This was one of the highest-profile national healthcare infrastructure attacks in Hive's operational history.

Empress EMS — New York Ambulance Service July 2022

Hive attacked Empress EMS, an emergency response and ambulance service provider in New York. Over 320,000 individuals had personal information stolen, including names, service dates, insurance information, and Social Security numbers. This attack targeted a first-responder organization whose operational disruption could directly affect emergency patient outcomes.

FBI Tampa Infiltration — Seven-Month Covert Operation July 2022 – January 2023

The FBI's Tampa Field Office gained clandestine access to Hive's control panel in late July 2022. For seven months, agents operated inside the infrastructure without detection — generating decryption keys for active victims, warning targets of incoming attacks, and providing decryptors to previously compromised organizations. FBI Director Christopher Wray confirmed agents provided over 1,300 decryption keys to victims across the world, preventing an estimated $130 million in ransom payments. The covert phase ended on January 26, 2023, when servers in Los Angeles and the Netherlands were seized in coordination with German, Dutch, and Europol law enforcement. No arrests or indictments were announced at takedown.

Hunters International — Assessed Code Successor Late 2023 onward

Researchers from Bitdefender and others identified more than 60 percent code overlap between Hive ransomware and a new group, Hunters International, that emerged in late 2023. Hunters International issued a statement claiming it acquired Hive's source code and infrastructure rather than being a rebrand, and stated a focus shift toward data exfiltration over encryption. The code-level similarities have led many researchers to assess Hunters International as a direct successor operation, though the group disputes this characterization.

Tools & Malware

Hive's toolset combined a custom ransomware payload with widely used commodity attack tools accessed by affiliates from their own arsenals.

  • Hive Ransomware (Go, v1–4): The original ransomware payload written in Go, leveraging the language's goroutine concurrency for fast parallel file encryption. Versions 1 through 4 were publicly broken by researchers at Seoul National University in 2022, who discovered a mathematical weakness in the key generation — the Korea Internet & Security Agency subsequently released a public decryptor for these versions.
  • Hive Ransomware (Rust, v5): Following the public decryptor release, Hive rewrote the payload entirely in Rust. The Rust version was faster, more technically robust, and eliminated the key generation weakness that had allowed decryption without paying. It also introduced cross-platform support, with variants targeting Linux, FreeBSD, and VMware ESXi in addition to Windows.
  • hive.bat: A batch script deployed immediately after encryption that attempts to delete the ransomware executable itself, reducing forensic evidence of the payload on disk.
  • shadow.bat: A batch script that deletes all Windows Volume Shadow Copies after encryption completes, preventing file restoration via VSS without an external backup.
  • Cobalt Strike Beacon: The commercial penetration testing framework's Beacon payload was observed being deployed by Hive affiliates post-initial-access, providing a full-featured C2 channel for lateral movement and pre-ransomware reconnaissance. PowerShell-based Cobalt Strike delivery was documented in attacks via Microsoft Exchange exploitation.
  • HiveLeaks (data extortion portal): Hive's dark web Tor-hosted leak site, used to publish stolen data from victims who refused to pay. The site displayed countdown timers showing how long victims had before their data would be publicly released, increasing payment pressure. The site was seized by the FBI and replaced with a law enforcement notice on January 26, 2023.

Indicators of Compromise

Hive's infrastructure was seized in January 2023 and its active C2 network is no longer operational. The IOCs below are retained for retrospective incident investigation and for identifying Hunters International successor activity.

group dismantled

Hive's infrastructure was seized on January 26, 2023. Active C2 domains and TOR services are no longer operational. Historic IOCs are useful for retrospective investigation and attribution of historical incidents. For organizations investigating potential Hunters International activity, code-overlap signatures derived from Hive v5 Rust payloads are the most relevant current indicators.

behavioral indicators — hive ransomware deployment pattern
script: hive.bat — ransomware self-deletion script executed post-encryption
script: shadow.bat — VSS deletion script; removes all shadow copies to prevent recovery
file ext: .hive — encrypted file extension appended by the ransomware payload
ransom note: HOW_TO_DECRYPT.txt — dropped in every encrypted directory
exploit: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207 — ProxyShell Exchange RCE chain
exploit: FortiGate SSL VPN vulnerabilities — used for credential theft and initial access
behavior: Mass shadow copy deletion (vssadmin delete shadows /all /quiet) shortly before encryption begins
behavior: New local administrator account creation prior to ransomware deployment
behavior: Cobalt Strike Beacon loaded via PowerShell IEX from C2 after Exchange exploitation

Mitigation & Defense

Though Hive itself is dismantled, its TTPs remain directly relevant for defending against its assessed successor Hunters International and against the broader RaaS ecosystem that operates with similar techniques.

  • Patch ProxyShell immediately and audit Exchange exposure: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 were patched in April and May 2021 but remain exploited against unpatched Exchange servers. Any on-premises Exchange deployment should be verified as fully patched and assessed for whether external exposure is necessary. Consider migrating to Exchange Online for organizations that cannot maintain timely patch cadences.
  • Enforce MFA on all RDP and VPN access points: Stolen credentials used directly against RDP and VPN services were Hive's second major initial access vector. Multi-factor authentication eliminates this entire class of credential-stuffing and reuse attacks. RDP should not be exposed directly to the internet under any circumstances.
  • Maintain offline, immutable backups tested for recovery: Hive's VSS deletion rendered online and shadow copy backups useless. Recovery without paying — in the absence of FBI-provided decryption keys — required external offline backups. Backups should be stored on systems completely isolated from the production network, tested for restoration viability quarterly, and retained for a period that accounts for potential dwell time before ransomware deployment.
  • Report ransomware attacks to the FBI — before paying: The Hive operation demonstrates the direct operational value of law enforcement notification. The FBI's seven-month covert presence inside Hive's infrastructure only became possible because of victim cooperation and intelligence sharing. Providing decryption keys was only possible because the FBI was inside the system. Organizations that engage law enforcement before making payment decisions give investigators the opportunity to provide decryption capabilities, warn other potential victims, and disrupt ongoing operations.
  • Deploy EDR with behavioral detection for pre-ransomware activity: Hive affiliates followed a detectable pre-encryption pattern: credential theft, lateral movement via RDP, backup termination, shadow copy deletion, and then encryption. EDR solutions with behavioral detection for VSS deletion commands, mass backup service termination, and anomalous RDP lateral movement can identify ransomware deployments before encryption begins.
  • Monitor for Hunters International activity: Given the code-level overlap between Hive and Hunters International, defenders should treat Hunters International detections as a potential continuation of Hive affiliate activity. YARA rules and behavioral signatures derived from Hive's Rust payload (v5) have documented overlap with Hunters International samples.
  • Segment healthcare systems and critical infrastructure networks: Hive's documented re-infection behavior underscores that recovery without payment does not eliminate the threat from Hive-affiliated actors. Network segmentation limits lateral movement after initial compromise, reducing the blast radius of any single entry point and slowing the time-to-encryption window that defenders need to detect and respond.
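The behavioral indicators listed above and the pre-encryption pattern described in the EDR mitigation bullet can be turned into a simple correlation rule. The following is an added example, not code from the original profile or from any EDR vendor: it runs over constructed endpoint telemetry (the event schema and host names are assumptions) and grades each host by which stages of the Hive deployment chain it has shown.

```python
"""Added example: correlate constructed endpoint events against the Hive
pre-encryption chain (new local admin, PowerShell IEX loader, VSS deletion,
hive.bat/shadow.bat, .hive files, HOW_TO_DECRYPT.txt). The event field names
(ts/host/type/data) are an assumed schema, not a real EDR format."""
import re
from collections import defaultdict

# stage -> (event type the rule applies to, pattern over the event's "data" field)
STAGE_RULES = {
    "new_local_admin":  ("account_created", re.compile(r"groups=\S*Administrators", re.I)),
    "powershell_iex":   ("process_create",  re.compile(r"powershell.*\b(iex|invoke-expression)\b", re.I)),
    "vss_deletion":     ("process_create",  re.compile(r"vssadmin.*delete\s+shadows.*/all", re.I)),
    "hive_cleanup_bat": ("process_create",  re.compile(r"\b(hive|shadow)\.bat\b", re.I)),
    "hive_extension":   ("file_create",     re.compile(r"\.hive$", re.I)),
    "ransom_note":      ("file_create",     re.compile(r"(^|[\\/])HOW_TO_DECRYPT\.txt$", re.I)),
}

# Stages that mean encryption has started or is seconds away; one hit is enough to page.
IMPACT_STAGES = {"vss_deletion", "hive_cleanup_bat", "hive_extension", "ransom_note"}


def match_stages(events):
    """Return {host: [stage, ...]} in first-seen order; events are assumed time-sorted."""
    seen = defaultdict(list)
    for ev in events:
        for stage, (etype, pattern) in STAGE_RULES.items():
            if ev["type"] == etype and pattern.search(ev["data"]) and stage not in seen[ev["host"]]:
                seen[ev["host"]].append(stage)
    return dict(seen)


def assess(events):
    """Per-host verdict: 'critical' on any impact-stage hit, 'suspicious' when two or
    more preparation stages appear, 'low' for a single preparation hit.
    Hosts with no matching event are omitted."""
    verdicts = {}
    for host, stages in match_stages(events).items():
        if IMPACT_STAGES & set(stages):
            verdicts[host] = "critical"
        elif len(stages) >= 2:
            verdicts[host] = "suspicious"
        else:
            verdicts[host] = "low"
    return verdicts


# Constructed telemetry: fs01 shows the full chain, db02 only a new admin account,
# ws17 only benign administrative activity. The PowerShell stager body is omitted.
SAMPLE_EVENTS = [
    {"ts": "01:12:04", "host": "fs01", "type": "account_created", "data": "user=svc_backup2 groups=Administrators"},
    {"ts": "01:15:30", "host": "fs01", "type": "process_create", "data": 'powershell.exe -nop -w hidden -c "IEX $stager"'},
    {"ts": "02:40:11", "host": "fs01", "type": "process_create", "data": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "02:41:02", "host": "fs01", "type": "file_create", "data": "C:\\Shares\\Finance\\Q3.xlsx.hive"},
    {"ts": "02:41:03", "host": "fs01", "type": "file_create", "data": "C:\\Shares\\Finance\\HOW_TO_DECRYPT.txt"},
    {"ts": "01:20:00", "host": "db02", "type": "account_created", "data": "user=dbadmin2 groups=Administrators"},
    {"ts": "09:00:00", "host": "ws17", "type": "process_create", "data": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"ts": "09:05:00", "host": "ws17", "type": "account_created", "data": "user=intern03 groups=Users"},
]

if __name__ == "__main__":
    for host, stages in match_stages(SAMPLE_EVENTS).items():
        print(f"{host}: {assess(SAMPLE_EVENTS)[host]} -> {', '.join(stages)}")
```

In a real deployment the "critical" verdict is the one to alert on synchronously, since the profile notes that shadow copy deletion occurs shortly before encryption begins.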

analyst note — law enforcement model

The Hive takedown represents a significant precedent in ransomware law enforcement strategy. Rather than seizing infrastructure immediately upon gaining access, the FBI maintained a covert presence for seven months — using that access to help victims in real time rather than simply gathering evidence for prosecution. The absence of announced arrests at the time of the public takedown suggests the investigation and prosecution phase remained ongoing. The operational lesson for ransomware groups is that server access alone is not a reliable indicator of imminent takedown — a shift that has likely changed how ransomware operators think about their own detection risk from law enforcement persistence.
