A recent report has revealed that the Hive Ransomware-as-a-Service (RaaS) is aggressively expanding its operations, and has targeted hundreds of organizations since its first appearance in June.

What has been discovered

Researchers from Group-IB obtained access to the administrator panel of Hive ransomware. A deeper dig into this panel has revealed several interesting details about the group’s victims and operations.
  • Researchers revealed that the Hive ransomware has targeted more than 350 organizations in the past four months, which turns out to be around three victims per day.
  • The group’s leak site (different from the administration panel) lists 55 organizations, which indicates the number of victims that did not pay the ransom. This signifies that a large number of victims have probably paid the ransom to avoid getting listed.
  • The leak site further reveals that while most non-paying victims are small or mid-sized organizations, the group has targeted several giant enterprises as well.
  • Researchers estimate that the group has made millions of dollars in the past few months. In October and November alone, the threat actor has made at least $6.5 million in revenue.

The administration panel

As researchers took a deeper look at the administration panel of Hive, they provided several additional insights about its operations.
  • The developers have made a lot of efforts in making the RaaS convenient to use for affiliates. Both the admin panels and the leak site are API-based portals, a rare thing for malicious activities.
  • Affiliates can use the platform to generate a new malware version in just 15 minutes.
  • They can see the total amount they made and victims who paid or did not pay the ransom.
  • Furthermore, it allows negotiations with the victims in a transparent manner, where the entire chat between the victim and the admins is visible to the affiliates.


The efforts made by the developers of Hive indicate that they are planning to take this threat further. Moreover, the accelerated growth of the RaaS-based model—and threat actors’ new franchise model within—is a further indication of a maturing enterprise-like business. Therefore, organizations are suggested to regularly backup, use multi-factor authentication, and leverage the right intel to thwart a threat at the door.

Cyware Publisher