Hive ransomware

Category: Malware

Type: Ransomware-as-a-service (RaaS)

Platform: Windows, Linux

Variants: Windows variant, Linux and ESXi variant

Damage potential: Data encryption and loss, operational disruption, financial loss, damage to reputation, network spread


Operating on a ransomware-as-a-service model, Hive is a type of malicious software targeting both Windows and Linux devices. Hive attacks typically focus on large businesses, including retailers, healthcare providers, and energy companies.

In such attacks, cybercriminals encrypt the victim’s files and threaten to publish the data if the victim doesn’t pay the ransom, a technique called “double extortion.” While double extortion is not unique to Hive ransomware, Hive threat actors frequently victimize companies this way.

Possible symptoms

The most noticeable signs of Hive ransomware are inaccessible files, unexpected changes in file extensions, or a ransom note explaining how to contact the attackers for payment.

Additionally, you may experience slow computer performance, notice a spike in network activity, or run into unfamiliar processes in the Task Manager.

Sources of infection

Cybercriminals behind Hive use multiple methods to distribute the ransomware:

  • Phishing emails
  • Drive-by downloads (automatic downloads from infected websites, without the visitor’s knowledge)
  • Malvertising (malware-ridden ads)
  • USB and other removable media with auto-executable ransomware, which activates when connected to a computer
  • Vulnerabilities in the Remote Desktop Protocol (RDP) and other software
  • Supply chain attacks (infiltrating multiple devices by compromising a service or software used by an organization)


Being cautious online is crucial for protecting yourself from ransomware.

  • Do not click on suspicious links or attachments in emails, especially from unfamiliar senders.
  • Get reliable antivirus or anti-malware software and keep it updated.
  • Use complex passwords.
  • Enable multi-factor authentication (MFA) for an extra layer of protection.
  • Block malware-hosting websites and harmful ads using NordVPN’s Threat Protection.
  • Be careful with external media like USB drives. Make sure to scan such devices for malware before use.
  • Back up important data.
  • Update your software regularly to take advantage of the most recent security updates.


Here’s how you can remove Hive ransomware from your Windows or Linux device, using antivirus software:

  • Disconnect the infected computer from the internet.
  • Unplug any external storage device connected to the infected computer.
  • Restart the computer in safe mode.
  • Carry out a full scan using your antivirus software.
  • Follow the instructions of the antivirus software to isolate and remove the detected ransomware files.
  • Restart your computer and run another full scan to be sure no traces are left.
  • If available, update your operating system to the latest version.

If you’re not sure about handling the removal yourself, get in touch with an IT professional. Keep in mind that paying the ransom is not recommended because it encourages cybercrime and doesn’t guarantee data recovery.