Cyber Threat Actor: Hive
| Actor Type | Location | Known Incidents |
Crime Syndicate
|
—
|
10 incidents |
|---|
Profile
The threat actor known as Hive, also identified as Hive0064 and The Hive, operates as a ransomware group conducting financially motivated attacks across multiple sectors and regions. Its confirmed targets include healthcare providers, educational institutions, retail organizations, public services, IT vendors, and manufacturing entities, with incidents reported in France, Spain, the United States, Italy, Guatemala, and the United Kingdom. The group employs double extortion tactics, encrypting victim systems and exfiltrating sensitive data to pressure organizations into paying ransoms. Leaked data types encompass medical records, employee personally identifiable information (PII), financial records, and corporate documents, as demonstrated in attacks against Consulate Health Care (550 GB of customer and employee data leaked) and NCG Medical (270 GB of patient records exfiltrated). Hive has demanded ransoms up to $2 million, citing victims' cyber insurance policies during negotiations, as seen in attacks against Wootton Academy Trust schools and Damart clothing retailer.
Hive utilizes ransomware-as-a-service (RaaS) infrastructure and gains initial access through phishing emails with malicious attachments, per FBI advisories referenced in incidents like the Guilford College breach. The group maintains persistence through backdoors and claims prolonged network access periods, such as 12 days in the Lake Charles Memorial Health System attack and six months in the Sigmund Software intrusion. Operational adaptations include selectively avoiding full encryption of healthcare networks to prevent patient harm, as acknowledged in the Lake Charles incident, while still exfiltrating data. Publicly attributed campaigns include the 2021 Memorial Health System attack that canceled surgeries and compromised 200,000 patient records, the 2022 Intersport ransomware incident disrupting Black Friday sales operations in France, and the breach of Partnership HealthPlan of California affecting 854,913 individuals. Law enforcement agencies, including the FBI and CISA, classify Hive as a criminal consortium without evidence of state affiliation.
