Malware Profile - HIVE

Strain: HIVE Malware/Ransomware
Date of Activity: ~2018-Present
Overview: HIVE is a type of malware used to establish a hidden and persistent foothold on a compromised computer or network. That foothold can then be used to launch further attacks, steal sensitive information, and control the affected systems. Once data has been collected, the threat actor behind HIVE turns the access into a ransomware attack, locking legitimate users out of the network and encrypting sensitive data unless a cryptocurrency ransom is paid. If the ransom is not paid, the group leaks the data to the dark net and, in some cases, sells it. Even if the ransom is paid, organizations whose sensitive and critical data was stolen may still have that data sold by the group. To date, the group behind HIVE is assessed to have impacted 1300 organizations worldwide and to have received $130 million in ransom payments.
HIVE is typically spread through phishing emails or by exploiting vulnerabilities in software. Once it infects a system, it uses advanced techniques to evade detection for as long as possible. These include disguising itself as a legitimate system process, using encryption to hide its communications, and building multiple layers of command-and-control infrastructure so that defenders find it difficult to take down.
One of the most notable aspects of HIVE is its use of domain generation algorithms (DGAs) to produce large numbers of domain names through which it can reach its command-and-control servers. This makes the malware's communications much harder to block, because defenders would have to update their blocklists constantly to keep up with the newly generated names.
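Because blocklists cannot keep pace with a DGA, defenders usually look at the shape of the names themselves rather than at a list of known-bad domains. The following is an added example (not code from the original profile, and not derived from any HIVE sample) that scores DNS query names lexically and then looks for the burst-from-one-host pattern that DGA beaconing produces. The log format, the host addresses, the domain names and the thresholds are all constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample DNS query log (hypothetical names, not HIVE indicators).
# Format per line: "<timestamp> <client_ip> <queried_name>"
SAMPLE_DNS_LOG = """\
2023-03-01T10:00:01Z 10.0.0.12 www.example.com
2023-03-01T10:00:03Z 10.0.0.12 cdn.static-assets.example.net
2023-03-01T10:00:05Z 10.0.0.45 portal.engineering-wiki.net
2023-03-01T10:00:07Z 10.0.0.77 qx7vb2kd9zpl.com
2023-03-01T10:00:08Z 10.0.0.77 m3tr8wqz0fhj.net
2023-03-01T10:00:09Z 10.0.0.77 kd92xvbqplzw.org
2023-03-01T10:00:11Z 10.0.0.12 docs.example.com
"""

VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Shannon entropy of the string in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def second_level_label(fqdn: str) -> str:
    """Return the label directly left of the TLD ("example" for www.example.com).

    Simplification: multi-part public suffixes such as co.uk are not handled.
    """
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def label_features(label: str) -> dict:
    """Lexical features that separate dictionary-like labels from generated ones."""
    letters = [c for c in label if c.isalpha()]
    digits = sum(c.isdigit() for c in label)
    vowels = sum(c in VOWELS for c in letters)
    n = len(label)
    return {
        "length": n,
        "entropy": shannon_entropy(label),
        "digit_ratio": digits / n if n else 0.0,
        "vowel_ratio": vowels / len(letters) if letters else 0.0,
    }


def looks_algorithmic(label: str) -> bool:
    """Heuristic: a long, high-entropy label that is unpronounceable or digit-heavy.

    Thresholds are illustrative starting points chosen for the constructed sample;
    a real deployment tunes them against the organisation's own benign traffic.
    """
    f = label_features(label)
    if f["length"] < 8:  # short labels are too noisy to judge lexically
        return False
    high_entropy = f["entropy"] >= 3.2
    unpronounceable = f["vowel_ratio"] < 0.2
    digit_heavy = f["digit_ratio"] >= 0.2
    return high_entropy and (unpronounceable or digit_heavy)


def parse_dns_log(text: str):
    """Yield (client_ip, fqdn) pairs from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        yield parts[1], parts[2].lower().rstrip(".")


def flagged_names(text: str) -> list:
    """Distinct queried names whose registrable label looks generated."""
    return sorted({fqdn for _, fqdn in parse_dns_log(text)
                   if looks_algorithmic(second_level_label(fqdn))})


def suspicious_clients(text: str, min_hits: int = 3) -> dict:
    """Clients that resolved at least min_hits distinct DGA-like names.

    A single odd name is weak evidence; a burst of them from one host is the
    pattern that DGA-based beaconing produces.
    """
    hits = {}
    for client, fqdn in parse_dns_log(text):
        if looks_algorithmic(second_level_label(fqdn)):
            hits.setdefault(client, set()).add(fqdn)
    return {c: len(names) for c, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for name in flagged_names(SAMPLE_DNS_LOG):
        print("DGA-like name:", name)
    for client, count in suspicious_clients(SAMPLE_DNS_LOG).items():
        print(f"client {client} resolved {count} DGA-like names")
```

The per-name test is deliberately weak on its own (long random-looking labels exist in legitimate CDN and tracking traffic), which is why the second stage keys on one client resolving several such names in a short window; that is the signal worth alerting on.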
HIVE is also known for its ability to exfiltrate large amounts of data from compromised systems. It often uses custom protocols to transfer that data, which makes the traffic difficult for network security tools to detect and block. Together, these capabilities make HIVE an effective malware strain with serious consequences for the enterprises it infects.
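When the transfer protocol is custom, content inspection has little to work with, so exfiltration of this scale is more reliably caught by volume: a host sending far more to the outside than it normally does. The following is an added example (not code from the original profile) that aggregates outbound bytes per internal host from flow records and compares them against a per-host baseline. The flow format, the addresses (RFC 5737 documentation ranges), the baseline figures and the thresholds are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (hypothetical): "<src_ip> <dst_ip> <dst_port> <bytes_sent>"
# Destinations use RFC 5737 documentation ranges; nothing here is a HIVE indicator.
SAMPLE_FLOWS = """\
10.0.0.12 192.0.2.10 443 120000
10.0.0.12 192.0.2.10 443 95000
10.0.0.45 203.0.113.10 443 80000
10.0.0.77 198.51.100.23 8443 52000000
10.0.0.77 198.51.100.23 8443 61000000
10.0.0.77 10.0.0.5 445 30000000
10.0.0.90 203.0.113.10 443 70000
"""

# Constructed baseline: typical daily egress bytes per host from prior observation.
BASELINE_DAILY_EGRESS = {
    "10.0.0.12": 250_000,
    "10.0.0.45": 100_000,
    "10.0.0.77": 400_000,
    "10.0.0.90": 90_000,
}

# The organisation's own address space (assumed RFC 1918 here). Checked explicitly
# rather than via ipaddress.is_private, which also treats the documentation
# ranges used in the sample as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the known internal prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str):
    """Yield (src, dst, dst_port, bytes) tuples from the constructed flow format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, port, nbytes = parts
        yield src, dst, int(port), int(nbytes)


def egress_by_host(text: str) -> dict:
    """Total bytes each internal host sent to external destinations.

    Internal-to-internal traffic (e.g. the SMB flow in the sample) is excluded,
    since the question is what left the network.
    """
    totals = defaultdict(int)
    for src, dst, _port, nbytes in parse_flows(text):
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)


def detect_egress_anomalies(text: str, baseline: dict, ratio: float = 10.0,
                            floor_bytes: int = 10_000_000) -> list:
    """Hosts whose external egress is both >= ratio x their baseline and >= floor.

    The ratio catches a host behaving unlike itself; the absolute floor stops a
    quiet host that merely doubled its traffic from being flagged.
    """
    findings = []
    for host, sent in sorted(egress_by_host(text).items()):
        # No history for this host: assume a baseline equal to the floor.
        expected = baseline.get(host, floor_bytes)
        if sent >= floor_bytes and sent >= ratio * expected:
            findings.append({"host": host, "bytes": sent,
                             "ratio": round(sent / expected, 1)})
    return findings


if __name__ == "__main__":
    for finding in detect_egress_anomalies(SAMPLE_FLOWS, BASELINE_DAILY_EGRESS):
        print(f"{finding['host']}: {finding['bytes']} bytes out, "
              f"{finding['ratio']}x its baseline")
```

In the sample the host 10.0.0.77 sends roughly 113 MB to a single external address on an unusual port while its baseline is 400 KB; the internal SMB transfer from the same host is not counted. In practice the baseline would come from a rolling window of the host's own history, and a finding like this would be correlated with the DNS and process evidence described earlier rather than acted on alone.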