The Hive Ransomware Group has had more than 1,500 victims across more than 80 countries worldwide. They attacked hospitals, school districts, financial firms, and critical infrastructure until the U.S. Department of Justice (DOJ) disrupted their operations. Have we seen the fall of the group’s entire infrastructure?
Our indicator of compromise (IoC) expansion analysis found more digital breadcrumbs, including:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
Our expansion analysis began by obtaining a list of Hive ransomware IoCs from AlienVault, which included six domains and 19 IP addresses, namely:
A bulk WHOIS lookup for the six domains showed they were managed by four registrars—REG.RU, LLC; Web4Africa Ltd.; PDR Ltd.; and GoDaddy.com, LLC. Three of them—s7610rir[.]pw, d6shiiwz[.]pw, and r77vh0[.]pw—also had unredacted registrant email addresses.
A bulk IP geolocation lookup for the 19 IP addresses, meanwhile, revealed they were administered by nine Internet service providers (ISPs), including OVH Hosting; UAB Cherry Servers; 1984 ehf; LeaseWeb DE; Akamai Technologies, Inc.; Telecom Argentina S.A.; M247 Europe SRL; and Leaseweb USA, Inc., and were spread across eight countries: Canada, Lithuania, Iceland, the Netherlands, Germany, Argentina, Sweden, and the U.S.
Resolving the six IoC domains via DNS lookups led to the discovery of six IP addresses that aren’t part of the Hive ransomware IoC list. Three of these are 172[.]217[.]20[.]206, 194[.]58[.]112[.]174, and 216[.]58[.]212[.]174. IP geolocation lookups for the six showed that three were private hosts (each hosting 5 to 15 domains) while the other three were shared hosts (each hosting at least 300 domains).
After that, we used the IP addresses in the original IoC list and the additional ones we uncovered as reverse IP lookup terms. That gave us 936 additional domains, six of which were malicious. Two of them, 11toon17[.]com and 85porn[.]cc, currently host or redirect to live content. Note that a domain that merely shares an IP address with an IoC, especially on a shared host with hundreds of tenants, is a weak pivot on its own and should be vetted further before it is treated as Hive infrastructure.
Our initial look at the domains tagged as IoCs also revealed a unique-looking string—privatlab. Scouring the DNS for other domains containing this string led to the discovery of 31 additional domains, one of which was malicious—laskyduniganprivatlab[.]com. And while the remaining domains containing the string privatlab weren’t deemed malicious, the Hive ransomware group could easily commandeer and weaponize them for future attacks.
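The three pivots described above (forward DNS from the IoC domains, reverse IP over the original and newly found addresses, and a substring search for a distinctive token) can be run as one pipeline. The block below is an added illustration, not WhoisXML API’s tooling or the page’s own analysis; it works over a small constructed passive-DNS snapshot using RFC 5737 TEST-NET addresses and made-up `.example` names, so none of the resolution data is real. The host-type thresholds (private: at most 15 domains; shared: at least 300) mirror the figures quoted in the text, and the pipeline tags co-tenants of shared hosts as low-confidence rather than dropping them.

```python
"""Offline IoC expansion: forward DNS -> reverse IP -> string pivot.

Constructed example. PDNS is a made-up passive-DNS snapshot; the domain
names and addresses are placeholders, not Hive indicators.
"""
from collections import defaultdict


def defang(name: str) -> str:
    """Neutralise a domain or IP for safe sharing (a.b -> a[.]b)."""
    return name.replace(".", "[.]")


def refang(name: str) -> str:
    """Undo common defanging so the value can be used as a lookup key."""
    return name.replace("[.]", ".").replace("hxxp", "http")


# Constructed snapshot: domain -> set of IPv4 addresses it has resolved to.
PDNS = {
    "seed-a.example": {"198.51.100.10"},
    "seed-b.example": {"198.51.100.10", "203.0.113.7"},
    "seed-c.example": {"192.0.2.44"},
    "neighbor-1.example": {"198.51.100.10"},     # co-hosted with the seeds on a small host
    "neighbor-2.example": {"198.51.100.10"},
    "privatlab-shop.example": {"203.0.113.7"},   # also carries the pivot string
    "unrelated.example": {"192.0.2.99"},
}
# 192.0.2.44 plays the role of a shared host: pad it with 320 tenants.
for i in range(320):
    PDNS[f"tenant{i}.example"] = {"192.0.2.44"}

# Seed indicators, defanged the way feeds usually publish them.
SEED_DOMAINS = ["seed-a[.]example", "seed-b[.]example", "seed-c[.]example"]
SEED_IPS = ["203[.]0[.]113[.]7"]


def build_reverse_index(pdns):
    """Invert the A-record map so we can answer 'which domains sat on this IP?'."""
    rev = defaultdict(set)
    for domain, ips in pdns.items():
        for ip in ips:
            rev[ip].add(domain)
    return rev


def classify_host(n_domains, private_max=15, shared_min=300):
    """Bucket a host by tenant count; thresholds follow the figures in the text."""
    if n_domains <= private_max:
        return "private"
    if n_domains >= shared_min:
        return "shared"
    return "mid"


def expand(seed_domains, seed_ips, pdns):
    """Forward-resolve the seed domains, then reverse-IP every known address."""
    seeds = {refang(d) for d in seed_domains}
    known_ips = {refang(ip) for ip in seed_ips}
    rev = build_reverse_index(pdns)

    # Step 1: IPs the seed domains resolve to that the feed did not list.
    new_ips = set()
    for domain in seeds:
        new_ips |= pdns.get(domain, set())
    new_ips -= known_ips

    # Step 2: reverse IP over original + new addresses; seeds themselves are not findings.
    candidates = {}
    for ip in known_ips | new_ips:
        tenants = rev.get(ip, set())
        host_type = classify_host(len(tenants))
        for domain in tenants - seeds:
            candidates[domain] = {
                "via": ip,
                "host_type": host_type,
                # Co-residency on a shared host is weak evidence on its own.
                "confidence": "low" if host_type == "shared" else "medium",
            }
    return {"new_ips": new_ips, "candidates": candidates}


def string_pivot(token, pdns, exclude):
    """Step 3: every domain in the snapshot containing the token, minus known names."""
    return {d for d in pdns if token in d and d not in exclude}


if __name__ == "__main__":
    result = expand(SEED_DOMAINS, SEED_IPS, PDNS)
    print("new IPs:", sorted(defang(ip) for ip in result["new_ips"]))
    for domain, meta in sorted(result["candidates"].items()):
        if meta["confidence"] != "low":
            print(defang(domain), "via", defang(meta["via"]), meta["host_type"])
    print("string pivot:", sorted(string_pivot("privatlab", PDNS, set(map(refang, SEED_DOMAINS)))))
```

Against real passive-DNS or reverse-IP data the same structure applies; the part worth keeping is the host classification, since the 300-plus-tenant shared hosts contribute most of the raw domain count but the least signal.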
It’s also interesting to note that some of the string-connected domains shared other similarities with those tagged as IoCs, such as their registrar (PDR Ltd. and REG.RU, LLC), creation year (2015), and registrant country (Iceland and the U.S.).
Screenshot lookups for the privatlab-containing domains showed that 21 are unreachable, three are currently up for sale, and four are live. Among those that are accessible, one looks like a legitimate business website—privatlab[.]cc.
The purpose of the content hosted on the remaining three domains, however, was less clear. All three had the same content, one line that reads “A galaxy is made of stars.”
While the U.S. DOJ managed to decommission the Hive Ransomware Group’s malicious infrastructure, the group’s operators appear to have left digital breadcrumbs pointing to 970 as-yet-undisclosed web properties that could be connected to Hive ransomware through a shared IP host or a unique string. Our IoC expansion analysis also led to the discovery of seven malware-hosting domains.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.