Hive
Hive was a prolific ransomware-as-a-service (RaaS) operation, active from 2021 until law enforcement infiltrated and dismantled its infrastructure in January 2023. The FBI had penetrated Hive's network in mid-2022, and that access let authorities supply decryption keys to victims before the takedown; U.S. and European agencies then seized the group's servers and its data-leak site in a coordinated multi-government operation. The case is now routinely cited as an example of law-enforcement infiltration being used to undermine trust inside a criminal operation rather than merely arresting its members.

Attribution: the reporting tracked here places Hive in the broader Russia-linked ransomware ecosystem but does not tie it to a specific state service. Hive is also named as one of the groups that absorbed former Conti members after Conti's collapse in 2022, and Mikhail Matveev (Wazawaka) is described as an affiliate of Hive as well as of other ransomware groups.

Tradecraft: Hive used fast flux DNS for its infrastructure. A fast-flux domain resolves to a rapidly rotating pool of hosts with short TTLs, so blocking any single IP has little effect, the infrastructure survives partial takedowns, and attribution is harder; government agencies have flagged the technique for exactly these reasons. Hive is also listed among the ransomware families that targeted VMware ESXi environments, where encrypting the hypervisor's datastores takes down every guest VM at once.

Lineage and successors: Hunters International is described by some researchers as a possible rebrand of Hive, based on similarities in encryptor code, although Hunters International denied direct ties and claimed only to have purchased Hive's software and website. Group-IB likewise assessed, from the code overlap between Hive and Hunters, that some administrators of World Leaks and Hunters may previously have been involved in the Hive operation. World Leaks is noted as having known associations with Hive Ransomware, Secp0 Ransomware, and UNC6148.

Aliases: none beyond Hive in the tracked reporting.
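The fast-flux behaviour described above can be surfaced from passive-DNS data with a simple per-domain heuristic: many distinct answer IPs, spread across unrelated network prefixes, with short TTLs. The script below is an added example written for this page; it is not code from Hive, from Mallory, or from any advisory. The record format, the sample answers (RFC 5737 documentation addresses), the /24-prefix-diversity proxy for "unrelated hosts", and the thresholds are all assumptions chosen for illustration.

```python
"""Fast-flux DNS heuristic over passive-DNS style records.

Added example for this page (not Hive or Mallory code). Record layout,
sample data and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network
from statistics import mean


@dataclass(frozen=True)
class DnsAnswer:
    domain: str
    ip: str
    ttl: int  # seconds


# Constructed sample data. Three domains, one behaving like a fast-flux front.
SAMPLE = [
    # flux.example: eight IPs across three unrelated /24s, TTL of three minutes
    *[DnsAnswer("flux.example", ip, 180) for ip in (
        "203.0.113.7", "198.51.100.42", "192.0.2.99", "203.0.113.58",
        "198.51.100.3", "192.0.2.17", "203.0.113.201", "198.51.100.77")],
    # cdn.example: low TTL and several IPs, but all from one /24 (CDN-like)
    *[DnsAnswer("cdn.example", ip, 60) for ip in (
        "198.51.100.10", "198.51.100.11", "198.51.100.12",
        "198.51.100.13", "198.51.100.14", "198.51.100.15")],
    # static.example: one IP, one-day TTL
    DnsAnswer("static.example", "192.0.2.1", 86400),
    DnsAnswer("static.example", "192.0.2.1", 86400),
]


def profile(records):
    """Per-domain stats: distinct IPs, distinct /24 prefixes, mean TTL.

    The /24 prefix count stands in for ASN diversity, which a real pipeline
    would look up instead (assumption for this offline example).
    """
    by_domain = defaultdict(list)
    for rec in records:
        by_domain[rec.domain].append(rec)

    result = {}
    for domain, answers in by_domain.items():
        ips = {a.ip for a in answers}
        prefixes = {str(ip_network(f"{ip}/24", strict=False)) for ip in ips}
        result[domain] = {
            "ips": len(ips),
            "prefixes": len(prefixes),
            "mean_ttl": mean(a.ttl for a in answers),
        }
    return result


def fast_flux_candidates(records, min_ips=5, min_prefixes=3, max_mean_ttl=600):
    """Domains whose answer set looks like a rotating host pool.

    All three conditions must hold: enough distinct IPs, enough distinct
    prefixes (so a CDN pool inside one netblock does not trip it), and a
    short average TTL (so the rotation actually reaches resolvers).
    """
    stats = profile(records)
    return sorted(
        domain for domain, s in stats.items()
        if s["ips"] >= min_ips
        and s["prefixes"] >= min_prefixes
        and s["mean_ttl"] <= max_mean_ttl
    )


if __name__ == "__main__":
    for domain, s in profile(SAMPLE).items():
        print(f"{domain:16} ips={s['ips']:2} prefixes={s['prefixes']} "
              f"mean_ttl={s['mean_ttl']}")
    print("fast-flux candidates:", fast_flux_candidates(SAMPLE))
```

The prefix-diversity condition is what keeps ordinary CDN and anycast records (low TTL, several IPs, one netblock) out of the result; in production that check should use ASN or origin data and a longer observation window, and candidates still need confirmation against threat-intel feeds before anything is blocked.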
Tradecraft
24 distinct MITRE ATT&CK techniques observed across the tracked reporting, grouped by tactic.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Named as one of the ransomware groups that former Conti members reportedly splintered into after Conti shut down.
Ransomware group mentioned in the context of FBI infiltration and disruption operations.
A ransomware operation referenced as an example of successful law-enforcement infiltration used to disrupt criminal trust and operations.
Named as an associated group to World Leaks in the reporting.