Day 2: Hive Ransomware

Common Attack Vectors

  • Remote Desktop Protocol access (RDP)
  • Phishing Emails

Vulnerabilities Exploited

  • Microsoft’s Remote Desktop Protocol (RDP)
  • ConnectWise Automate endpoint management

Industries Targeted Frequently


Threat actors target healthcare industries to steal patients' names, financial records and social security numbers.


Threat actors target enterprises stealing sensitive data, encrypting network files and demanding ransoms.

Recent Activity

MediaMarkt was hit by the Hive ransomware encrypting servers and workstations leading to shutting down IT systems and disrupting store operations.

Hive ransomware targeted Linux and FeeBSD operating systems using a new variant they developed.

Common File Extensions




Known Alias

  • HIVE.B
  • Avast
  • DrWeb

How Hive Ransomware is Distributed

Hive ransomware implements a phishing email attack to access a victim’s environment or download the malicious payload. Once the payload is downloaded, Hive seeks processes related to backups, anti-virus/anti-spyware, and file copying, and terminates the processes to begin file encryption. The encrypted files are most commonly identified with the extensions above. Hive then drops a script into the directory which forces an execution timeout delay of one second to perform cleanup after encryption is complete by deleting the Hive executable and hive.bat script. 

A second file, shadow.bat, is dropped into directory to delete shadow copies, including disc backup copies without victim detection and then deletes the shadow.bat file. During the encryption process, files are renamed with a double final extension of .key.hive or .key. 

The ransom note is dropped into each affected directory and states the .key file cannot be modified, renamed, or deleted, otherwise the encrypted files cannot be recovered. The note contains a “sales department” link, accessible through a TOR browser, which allows victims to contact threat actors through a chat box. Hive attempts to make their operation feel like it’s a regular business model.

There have been reports of victims receiving phone calls from the threat actors with requests of payments for their files. The usual proposed deadlines for payment goes from 2 to 6 days on average but is extended when contact is made by the victim. In attempts to persuade the victims into paying the ransom, Hive mentions in their ransom note that victims who have not paid the ransom demand.


SpearTip’s ShadowSpear platform defends your environment with unparalleled resources preventing cybersecurity threats and attacks from affecting your business. ShadowSpear integrates with cloud, network and endpoint devices providing security. ShadowSpear prevents ransomware from exploiting memory, stopping the threat before the full attack cycle. The ShadowSpear Platform is backed by the engineers in our 24/7 Security Operations Centers, ready to assist partners with security issues immediately.