On the FootSteps of Hive Ransomware – Yoroi

Yoroi’s ZLab tracks Hive (TH-313) ransomware and its evolution from Go-based payloads to Rust-based variants under a Double Extortion/RaaS model, highlighting its expanding victimology, including healthcare and critical infrastructure. The report details increasing obfuscation, multi-OS variants (Linux/FreeBSD/ESXi), and operational tactics such as shadow copy deletion and privilege escalation to maximize impact. #Hive #TH-313 #MemorialHealthSystem #PartnershipHealthPlanofCalifornia #DoubleExtortion #RaaS

Keypoints

  • Hive (TH-313) is a financially motivated actor using Double Extortion and RaaS, active since June 2021 with a broad victim profile including healthcare and critical infrastructure.
  • The ransomware payload evolved from Go (v1) to Rust (v5), adopting stronger cryptography (ECDH+Curve25519+XChaCha20-Poly1305) and increased obfuscation.
  • Ransom notes and infection parameters evolved from hardcoded credentials to runtime parameters (e.g., -grant, -kill, -scan, -no-wipe, -u).
  • Victimology includes at least 130 victims on their leak site, with notable attacks on Memorial Health System (2021) and Partnership HealthPlan of California.
  • Hive expanded to Linux/FreeBSD/ESXi targets, introducing platform-specific features like KillNonRoot, VM-focused encryption, and volume discovery/mounting.
  • Defensive evasion intensified via string and build-ID obfuscation and control-flow flattening, complicating analysis.
  • The operators continue to maximize encryption scope, and therefore leverage for payment, via shadow-copy and backup erasure, privilege escalation, and drive/network discovery.

MITRE Techniques

  • [T1562.001] Impair Defenses – The malware kills processes and services and removes shadow copies to hinder defenses. ‘The locker sample proceeds to export the key, to kill the processes and services specified and to remove the shadow copies…’
  • [T1490] Inhibit System Recovery – Shadow copies are removed to prevent recovery. ‘RemoveShadowCopies drops “shadow.bat” to remove the shadow copies’
  • [T1486] Data Encrypted for Impact – Core encryption uses strong crypto. ‘The core of the encryption scheme of Hive ransomware is a union of XOR+RSA algorithms.’
  • [T1027] Obfuscated/Compressed Files and Information – Strings and function names are obfuscated. ‘The strings are obfuscated, and the names of the functions present inside the main are not visible in cleartext’
  • [T1036] Masquerading – Build-ID patching to masquerade as legitimate Go binaries. ‘a simple fix provides the overwriting of the build-id with a legit one’
  • [T1120] Volume Discovery – Enumerates and mounts volumes for encryption. ‘Once the attached volumes are found, it calls FindFirstVolumeW and SetVolumeMountPointW to mount eventual unmounted volumes’
  • [T1068] Exploitation for Privilege Escalation – Abuses TrustedInstaller to recover its access token. ‘The operation of privilege escalation is performed through abusing the “TrustedInstaller” service to recover its access token’
  • [T1135] Network Share Discovery – Scans the local network for shares. ‘-scan: Scan local network for shares’

Indicators of Compromise

  • [Hash] Hive v1 samples – 88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1, and shadow.bat hash d158f9d53e7c37eadd3b5cc1b82d095f61484e47eda2c36d9d35f31c0b4d3ff8
  • [Hash] Hive v2 – 25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5
  • [Hash] Hive v3 – 8a461e66ae8a53ffe98d1e2e1dc52d015c11d67bd9ed09eb4be2124efd73ccd5
  • [Hash] Hive v3 Linux – 12389b8af28307fd09fe080fd89802b4e616ed4c961f464f95fdb4b3f0aaf185
  • [Hash] Hive v3 FreeBSD – bdf3d5f4f1b7c90dfc526340e917da9e188f04238e772049b2a97b4f88f711e3
  • [Hash] Hive v3 ESXi – 822d89e7917d41a90f5f65bee75cad31fe13995e43f47ea9ea536862884efc25
  • [Hash] Hive v4 – 33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277
  • [Hash] Hive v5.2 – b6b1ea26464c92c3d25956815c301caf6fa0da9723a2ef847e2bb9cd11563d8b
  • [File Name] hive.bat – RemoveItself routine drops hive.bat to remove itself
  • [File Name] shadow.bat – RemoveShadowCopies drops shadow.bat to remove shadow copies
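The indicators above are most useful when they can be swept across a host or a mounted evidence image. The following Python sweep is an added example written for this digest; it is not Yoroi's tooling and not code from the report. It carries the SHA-256 values and dropped-file names exactly as listed here, streams every file under a root through SHA-256 so large images do not have to fit in memory, and flags both hash hits and the `hive.bat`/`shadow.bat` names (matched case-insensitively, since the name alone is a weaker but still useful indicator). The `demo()` function builds a throwaway directory of constructed, harmless files, and registers the hash of one constructed blob as an extra indicator purely to exercise the hash path; that extra hash is an assumption of the demo, not a Hive indicator.

```python
"""IoC sweep for the Hive hashes and dropped-file names listed above.
Added example, not Yoroi's tooling; constructed demo files are harmless stand-ins."""
import hashlib
import tempfile
from pathlib import Path

# SHA-256 hashes exactly as listed in the report's IoC section (lowercased for comparison).
HIVE_SHA256 = {
    "88f7544a29a2ceb175a135d9fa221cbfd3e8c71f32dd6b09399717f85ea9afd1": "Hive v1",
    "d158f9d53e7c37eadd3b5cc1b82d095f61484e47eda2c36d9d35f31c0b4d3ff8": "Hive v1 shadow.bat",
    "25bfec0c3c81ab55cf85a57367c14cc6803a03e2e9b4afd72e7bbca9420fe7c5": "Hive v2",
    "8a461e66ae8a53ffe98d1e2e1dc52d015c11d67bd9ed09eb4be2124efd73ccd5": "Hive v3",
    "12389b8af28307fd09fe080fd89802b4e616ed4c961f464f95fdb4b3f0aaf185": "Hive v3 Linux",
    "bdf3d5f4f1b7c90dfc526340e917da9e188f04238e772049b2a97b4f88f711e3": "Hive v3 FreeBSD",
    "822d89e7917d41a90f5f65bee75cad31fe13995e43f47ea9ea536862884efc25": "Hive v3 ESXi",
    "33aceb3dc0681a56226d4cfce32eee7a431e66f5c746a4d6dc7506a72b317277": "Hive v4",
    "b6b1ea26464c92c3d25956815c301caf6fa0da9723a2ef847e2bb9cd11563d8b": "Hive v5.2",
}

# Dropped helper scripts named in the report; matched case-insensitively on file name.
HIVE_FILENAMES = {
    "hive.bat": "RemoveItself helper script",
    "shadow.bat": "RemoveShadowCopies helper script",
}


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large evidence images are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, hashes=HIVE_SHA256, filenames=HIVE_FILENAMES):
    """Walk `root` recursively and return one dict per indicator hit, sorted by path."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()
        if name in filenames:
            hits.append({"path": str(path), "kind": "filename", "label": filenames[name]})
        try:
            file_hash = sha256_file(path)
        except OSError:
            continue  # unreadable file (permissions, locked): skip it rather than abort the sweep
        if file_hash in hashes:
            hits.append({"path": str(path), "kind": "sha256", "label": hashes[file_hash]})
    return sorted(hits, key=lambda h: (h["path"], h["kind"]))


def demo():
    """Sweep a throwaway directory of constructed files; returns (kind, file name, label) tuples."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed, harmless stand-ins: these are NOT the real Hive samples.
        (root / "shadow.bat").write_text("rem constructed placeholder, not the real script\n")
        (root / "sub").mkdir()
        (root / "sub" / "report.txt").write_text("quarterly numbers\n")
        blob = root / "sub" / "sample.bin"
        blob.write_bytes(b"constructed test payload, not malware")
        # Assumption for the demo only: register the blob's hash as an extra indicator
        # so the hash-matching branch is exercised without any real sample on disk.
        indicators = dict(HIVE_SHA256)
        indicators[hashlib.sha256(blob.read_bytes()).hexdigest()] = "constructed test hash"
        return [(h["kind"], Path(h["path"]).name, h["label"])
                for h in scan_tree(root, hashes=indicators)]


if __name__ == "__main__":
    for kind, name, label in demo():
        print(f"{kind:8} {name:12} {label}")
```

For a real sweep, call `scan_tree("/mnt/evidence")` (or a Windows drive root) with the default indicator tables; a file-name hit without a hash hit is worth triage but is not by itself proof of the Hive sample, since any script can carry those names.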

Read more: https://yoroi.company/research/on-the-footsteps-of-hive-ransomware/