Threat Actor Profile
High
Cybercriminal
Description
Hive is a strain of ransomware that was first discovered in June 2021. It was designed for use by Ransomware-as-a-Service providers, enabling novice cybercriminals to launch ransomware attacks on healthcare providers, energy providers, charities, and retailers across the globe. In 2022, its implementation language switched from GoLang to Rust.
Confidence Score
Tags
ransomware
ransomware.live
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
Indicators of Compromise
IOC KQL for Sentinel
STIX Data
{'added_date': None,
'client': '2003264@sit.singaporetech.edu.sg',
'description': 'Hive is a strain of ransomware that was first discovered in '
'June 2021. Hive was designed to be used by '
'Ransomware-as-a-service providers, to enable novice '
'cyber-criminals to launch ransomware attacks on healthcare '
'providers, energy providers, charities, and retailers across '
'the globe.\n'
'In 2022 there was a switch from GoLang to Rust.\n',
'firstseen': '2021-08-14T00:00:00+00:00',
'group': 'hive',
'has_negotiations': True,
'has_ransomnote': True,
'lastseen': '2023-01-16T23:15:55.695146+00:00',
'locations': [{'available': False,
'fqdn': 'hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion',
'slug': 'http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/',
'title': 'This domain has been seized',
'type': 'DLS'},
{'available': False,
'fqdn': 'hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion',
'slug': 'http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion',
'title': 'This domain has been seized',
'type': 'Chat'},
{'available': False,
'fqdn': 'hiveapi4nyabjdfz2hxdsr7otrcv6zq6m4rk5i2w7j64lrtny4b7vjad.onion',
'slug': 'http://hiveapi4nyabjdfz2hxdsr7otrcv6zq6m4rk5i2w7j64lrtny4b7vjad.onion/v1/companies/disclosed',
'title': 'This domain has been seized',
'type': 'DLS'}],
'negotiation_count': 8,
'ransomnotes_count': 2,
'tiaras_metadata': {'has_negotiations': True,
'has_ransomnote': True,
'locations': [{'available': False,
'fqdn': 'hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion',
'slug': 'http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/',
'title': 'This domain has been seized',
'type': 'DLS'},
{'available': False,
'fqdn': 'hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion',
'slug': 'http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion',
'title': 'This domain has been seized',
'type': 'Chat'},
{'available': False,
'fqdn': 'hiveapi4nyabjdfz2hxdsr7otrcv6zq6m4rk5i2w7j64lrtny4b7vjad.onion',
'slug': 'http://hiveapi4nyabjdfz2hxdsr7otrcv6zq6m4rk5i2w7j64lrtny4b7vjad.onion/v1/companies/disclosed',
'title': 'This domain has been seized',
'type': 'DLS'}],
'negotiation_count': 8,
'ransomnotes_count': 2,
'ransomware_live_group': 'hive',
'tools': {'CredentialTheft': [],
'DefenseEvasion': ['GMER', 'PCHunter'],
'DiscoveryEnum': ['Advanced IP Scanner',
'Bloodhound',
'SoftPerfect NetScan'],
'Exfiltration': ['MEGA',
'PrivatLab',
'RClone',
'Sendspace',
'UFile'],
'LOLBAS': ['BCDEdit',
'BITSAdmin',
'Windows Event Utility (wevtutil)',
'WMIC'],
'Networking': [],
'Offsec': ['Cobalt Strike',
'Impacket',
'Metasploit',
'Meterpreter',
'PowerShell Empire'],
'RMM-Tools': ['Atera',
'ScreenConnect',
'Splashtop']},
'url': 'https://www.ransomware.live/group/hive',
'victims': 208,
'vulnerabilities': []},
'tiaras_source': 'ransomware.live',
'tools': {'CredentialTheft': [],
'DefenseEvasion': ['GMER', 'PCHunter'],
'DiscoveryEnum': ['Advanced IP Scanner',
'Bloodhound',
'SoftPerfect NetScan'],
'Exfiltration': ['MEGA',
'PrivatLab',
'RClone',
'Sendspace',
'UFile'],
'LOLBAS': ['BCDEdit',
'BITSAdmin',
'Windows Event Utility (wevtutil)',
'WMIC'],
'Networking': [],
'Offsec': ['Cobalt Strike',
'Impacket',
'Metasploit',
'Meterpreter',
'PowerShell Empire'],
'RMM-Tools': ['Atera', 'ScreenConnect', 'Splashtop']},
'ttps': [],
'url': 'https://www.ransomware.live/group/hive',
'victims': 208,
'vulnerabilities': []}