Malware · Ransomware · Used by 3 actors

Hive

Hive is a ransomware family and ransomware-as-a-service operation active since at least June 2021 and described as one of the most prolific ransomware groups. It is associated with double-extortion attacks, including data theft and encryption, and is specifically noted for targeting healthcare organizations and hospitals. Reporting also places Hive among major ransomware groups linked to Russia, and U.S. authorities have alleged that Mikhail Pavlovich Matveev participated in conspiracies involving Hive and played a major role in the development and deployment of the variant.

Hive also appears in reporting on Linux and VMware ESXi ransomware trends: it is listed among the groups that added Linux encryptors to their arsenal and among the ransomware families targeting ESXi environments. However, SentinelLABS found no obvious similarity between Hive’s ESXi locker and the leaked Babuk-derived ESXi codebase used by several other families. Microsoft reporting also states that the threat cluster DEV-0237 used Hive payloads in some campaigns, reflecting affiliate or operator reuse of payloads within the broader ransomware ecosystem.

Operationally, Hive-related activity has been linked to fast-flux infrastructure, and a Huntress investigation found an IP address that Maltrail associated with Hive ransomware during an intrusion that began with brute-force access to an internet-exposed RDP server. In a separate cluster documented by Sophos X-Ops, a January 2023 Hive attack showed hands-on-keyboard tradecraft: brute-forced RDP for initial access, creation of administrative accounts across thousands of machines, use of batch scripts such as gp.bat and related script chains, deployment of the payload from password-protected archives, and ransomware execution roughly 13 hours after the main burst of activity. Public reporting also notes that the FBI and European law enforcement infiltrated Hive’s backend and seized its infrastructure in late January 2023, disrupting the operation.

Hive is repeatedly referenced in sector and prevalence reporting as a common ransomware variant during 2022, including a material increase in prevalence in Q4 2022. It has also been cited in discussions of possible successor or rebrand activity: some researchers suspect that Hunters International is a rebrand of Hive because of similarities in encryptor code, although that group denied direct ties and claimed it had purchased Hive’s software and website.


THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Wizard Spider

"DEV-0237 heavily used Ryuk and Conti payloads from Trickbot LLC/DEV-0193, then Hive payloads more recently."

Source: microsoft.com

Conti

"Authorities say Matveev played a major role in the development and deployment of the Hive, LockBit and Babuk ransomware variants..."

Source: techcrunch.com

Storm-0501

"...delivering various ransomware payloads over the years, including Hive, BlackCat (ALPHV), Hunters International, LockBit, and Embargo ransomware."

Source: thehackernews.com
MITRE ATT&CK

Techniques & procedures

8 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1584 Compromise Infrastructure (evidence: 1)

She touted the recent FBI action taken to dismantle infrastructure used by the Hive ransomware group.

Initial Access

1 technique
T1091 Replication Through Removable Media (evidence: 1)

NCC Group carried out a physical malicious-media campaign, in which booby-trapped DVDs were created which, when inserted within a victim’s computer, would abuse the autoplay feature of Windows...

Execution

1 technique
T1059.003 Windows Command Shell (evidence: 1)

the use of the same batch scripts and files: file1.bat, file2.bat, ip.txt, and gp.bat

Privilege Escalation

1 technique
T1068 Exploitation for Privilege Escalation (evidence: 1)

...booby-trapped DVDs were created which, when inserted within a victim’s computer, would abuse the autoplay feature of Windows in order to play a Christmas-related video, while unbeknown to the victim their computer was compromised remotely...

Stealth

1 technique
T1070.004 File Deletion (evidence: 1)

file2.bat : a second batch file, executed in Safe Mode via a registry key, designed to unpack the ransomware binary from the encrypted archive

Lateral Movement

1 technique
T1091 Replication Through Removable Media (evidence: 1)

NCC Group carried out a physical malicious-media campaign, in which booby-trapped DVDs were created which, when inserted within a victim’s computer, would abuse the autoplay feature of Windows...

Command and Control

1 technique
T1568.001 Fast Flux DNS (evidence: 1)

Fast flux refers to a domain-based technique that is characterized by rapidly changing the DNS records (e.g., IP addresses) associated with a single domain [T1568.001].

Impact

1 technique
T1486 Data Encrypted for Impact (evidence: 10)

According to the investigation, he developed malware in January of this year to obtain illegal profits. The accused intended to use it to encrypt commercial organizations' data and demand a ransom for decryption, Russian prosecutors said.

Other

1 technique
T1562.009 Safe Mode Boot (evidence: 1)

file1.bat : a batch file designed to set up the system with autologon as the newly-created administrative user AdminBac, reboot into Safe Mode ... file2.bat : a second batch file, executed in Safe Mode via a registry key, designed to unpack the ransomware binary from the encrypted archive

INDICATORS OF COMPROMISE

IOCs tracked for this family

2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
2 tracked

IPs, domains, and DNS infrastructure linked to this family.

Type    Value                          Latest sighting
ip.v4   [redacted; full value in Mallory]   25 days ago
ip.v4   [redacted; full value in Mallory]   4 months ago