Hive Log 5
5/26/2026, 9:36:05 AM
Hive11/13/2021, 1:53:00 PM
Hello and welcome to Hive. How may I help you?
Victim11/13/2021, 1:54:00 PM
Hi, decryption key price?
Victim11/13/2021, 1:58:00 PM
how many files are stolen? and can you share some file names?
Victim11/13/2021, 1:59:00 PM
maybe no ones here
Hive11/13/2021, 1:59:00 PM
Hello
Hive11/13/2021, 2:00:00 PM
To decrypt your files you have to pay $20,000,000 in Bitcoin.
Victim11/13/2021, 2:01:00 PM
thats way too much, can you please discount And please share the hash of the ransomware file so we can at least black list it. You have already stolen everything anyway
Hive11/13/2021, 2:03:00 PM
We don't provide any hashes. Every time the software is unique. There is no need of hashes here. It will not help anyway.
Hive11/13/2021, 2:04:00 PM
If you want a discount I would like to see for how much
Victim11/13/2021, 2:04:00 PM
let me talk to the management
Victim11/13/2021, 2:05:00 PM
share some file names?
Hive11/13/2021, 2:05:00 PM
I'll share with you later when my teammate will be online.
Victim11/13/2021, 2:05:00 PM
ok when should I log back in?
Hive11/13/2021, 2:06:00 PM
I don't know. Maybe today
Victim11/13/2021, 2:06:00 PM
ok
Victim11/13/2021, 2:07:00 PM
please ask him/her to share the file names so I can have them when I login, its not easy to use TOR here
Hive11/13/2021, 2:07:00 PM
Okay, I'll do my best
Victim11/13/2021, 2:08:00 PM
thanks
Hive11/13/2021, 4:16:00 PM
I have uploaded the list of exfiltrated files.
Victim11/13/2021, 6:10:00 PM
where? I cant see them
Victim11/13/2021, 6:14:00 PM
is it like 100G?
Hive11/13/2021, 7:07:00 PM
It's at the left panel titled Uploaded files
Hive11/13/2021, 7:27:00 PM
I uploaded a list of files not the files themselves
Victim11/14/2021, 4:38:00 AM
yes got it, thanks
Victim11/14/2021, 4:38:00 AM
you can delete it now
Victim11/14/2021, 4:41:00 AM
Can you please share the hash of the ransomware. SO we can just add it to black list and ask the management for money. They are scared that the payload will come back. If you can't I understand but this will make th eprocess easy
Hive11/14/2021, 4:56:00 AM
We are well-known organization. We honor our agreements. There is no point in the blacklist right now. You need to concentrate on how to collect money.
Hive11/14/2021, 7:19:00 AM
I have another option for you. You will give me your email address (protonmail is preferred) and I'll send you new credentials to login. Then I'll upload the encryptor to VirusTotal and provide you a link to it. All necessary hashes will be available there. But to prevent others to login to your customer website you have to get new credentials first.
Victim11/14/2021, 8:58:00 AM
Here [redacted]@protonmail.com
Victim11/14/2021, 8:58:00 AM
just like you wanted ... protonmail
Victim11/14/2021, 8:59:00 AM
please keep your word, I will login again in a bit or check my email
Victim11/14/2021, 9:38:00 AM
BTW, the site you guys made is beautiful. Better support than normal companies :)
Hive11/14/2021, 9:38:00 AM
Thank you
Victim11/14/2021, 9:40:00 AM
did you upload the file?
Victim11/14/2021, 9:40:00 AM
and why did you change my creds ... are you planing to hack me too ? :(((((
Hive11/14/2021, 9:41:00 AM
The encryptor didn't uploaded yet, looking for it rn.
Hive11/14/2021, 9:42:00 AM
What do you mean about creds? From what?
Victim11/14/2021, 9:43:00 AM
you change the credential to login to this site
Hive11/14/2021, 9:45:00 AM
It was necessary because whether I upload the encryptor other researchers will be able to login and read your conversation.
Hive11/14/2021, 9:45:00 AM
It's a potential data leakage so I have prevented it
Victim11/14/2021, 9:46:00 AM
Thanks
Victim11/14/2021, 9:50:00 AM
would you share the link here or email?
Hive11/14/2021, 9:50:00 AM
Here is safe now
Victim11/14/2021, 9:51:00 AM
ok
Victim11/14/2021, 9:56:00 AM
why do you prefer protonmail?
Victim11/14/2021, 9:56:00 AM
is it on tor?
Hive11/14/2021, 9:57:00 AM
https://www.virustotal.com/gui/file/12baa6c83e6f8b059e7f14cb67bdad4e917b90bc8a139b5379a4b42a0c92a6be?nocache=1
Victim11/14/2021, 9:58:00 AM
Thanks. I dont have virus total account but at least I got the hash. Really appreciat eit
Victim11/14/2021, 10:01:00 AM
we have mcafee and symantec and nothing prevented this :(
Hive11/14/2021, 10:02:00 AM
Actually I didn't spend too much time to hide it but I will
Hive11/14/2021, 10:02:00 AM
What a recovery company are you from?
Victim11/14/2021, 10:03:00 AM
not from company, directly the SOC team
Hive11/14/2021, 10:04:00 AM
I got it
Victim11/14/2021, 10:04:00 AM
working with the management to do something
Victim11/14/2021, 10:05:00 AM
they may hire someone in hope of recovery.
Hive11/14/2021, 10:06:00 AM
Unfortunately for them there are only two options: 1) start from a scratch 2) purchase the decryption software from us
Victim11/14/2021, 10:07:00 AM
yes I have provided all the data
Hive11/14/2021, 10:08:00 AM
Recovery companies no matter what they say can't decrypt.
Victim11/14/2021, 10:08:00 AM
I understand but in the demo they show us how they can do the magic and impress the management
Victim11/14/2021, 10:09:00 AM
THey told us that they will recover the keys from the memory and then decrypt files? is that possible?
Hive11/14/2021, 10:09:00 AM
For ESXi servers it's not possible
Victim11/14/2021, 10:11:00 AM
why not? please educate me to I can understand and tell the management not to waste time. We have way too many vendors here
Hive11/14/2021, 10:12:00 AM
The encryptor software rewrites the key from memory.
Victim11/14/2021, 10:13:00 AM
what? :( ... liek in simple words please?
Hive11/14/2021, 10:13:00 AM
Array of bytes in memory where the key resides in rewrites to prevent such operation
Victim11/14/2021, 5:39:00 PM
Thats awesome. Is this for all servers or only esxi?
Hive11/14/2021, 5:50:00 PM
For all of course
Victim11/14/2021, 5:53:00 PM
so if we end-up hiring a company that charges us $400 an hour, its pretty much useless?
Victim11/14/2021, 5:54:00 PM
BTW, the array of memory that you mentioned, these are the public keys or the private keys?
Hive11/14/2021, 5:57:00 PM
Encryptor even don't know anything about private keys. It only has public keys. Public keys need to encrypt random field which uses in encryption process.
Hive11/14/2021, 5:59:00 PM
In my opinion spending money to external IT companies will only waste your valuable time.
Victim11/14/2021, 6:00:00 PM
Thanks, appreciate it. Its clear to me now
Victim11/16/2021, 6:24:00 AM
Hey, how much data have you stolen 100Gig?
Victim11/16/2021, 6:25:00 AM
And the price you provided $20,000,000 is way too much
Victim11/16/2021, 6:25:00 AM
This is 20 million $?????
Hive11/16/2021, 6:29:00 AM
Yes, your company has $2B revenue. We usually rate 1% of revenue
Victim11/16/2021, 6:34:00 AM
:( And the total you have stolen in GB?
Victim11/16/2021, 6:36:00 AM
I am guessing you used the VPN to get on the network. Did you steal the credentials after that? SYmantec and McAfee didn't prevent stealing credentials?
Hive11/16/2021, 7:40:00 AM
We have 32 Gb total. Almost all AntiViruses are useless against real hackers.
Victim11/17/2021, 5:16:00 AM
unfortunate but true
Victim11/17/2021, 5:17:00 AM
For some reason the IT guy told us that they can see certain portion of files and they could be decrypted.
Victim11/17/2021, 5:17:00 AM
I think you are only encrypting certain portion of files right? they can see the file content in bigger files
Hive11/17/2021, 5:31:00 AM
There is a spotted encryption mechanism. If you are talking about ESXi files then I don't think they can. Some text files - yes
Victim11/17/2021, 5:35:00 AM
I mean the big files are not fully encrypted. They are encypted at the header and then footer I think ... but in the middle one can see the text.
Hive11/17/2021, 7:33:00 AM
It's true. First 4Kb, the last, and a few blocks in the middle
Victim11/17/2021, 8:34:00 AM
But this is nto true for ESXi files? everything for them is encrypted?
Victim11/17/2021, 8:36:00 AM
also how efficient is your encryption process? are you faster than lockbit2.0?
Victim11/17/2021, 8:37:00 AM
we also got one file for lockbit but was protected that was few weeks ago
Hive11/17/2021, 9:36:00 AM
I didn't compare it with lockbit but my software is quite fast, especially ESXi
Hive11/17/2021, 9:38:00 AM
How is it going with decision making?
Victim11/17/2021, 9:43:00 AM
its slow, we provided all the data and making sure they understand the complexity
Victim11/17/2021, 9:44:00 AM
But for the esxi part, you don't use partial encryption? and everything is encrypted?
Victim11/17/2021, 9:44:00 AM
not just 4kb header etc
Victim11/17/2021, 10:04:00 AM
can you please explain 2 things to understand . Explain a bit more on how you re-write the keys in the memory and the efficiency of esxi encryption. That way I can explain to everyone as well, that no hope for recovery
Victim11/17/2021, 10:05:00 AM
most probly I will ask for discount shirtly
Hive11/17/2021, 10:52:00 AM
It's very simple. ESXi files especially virtual drives are very fragile. Even few changes make them unreadable because it has a binary structure. ESXi was encrypted using spot method. 4 Kb of beginning of the files, 4 Kb of ending of the file and along file. Totally 100 Kb over the each file is encrypted. It's a quite enough.
Victim11/17/2021, 10:53:00 AM
cool and the memory re-writing? as I understand you are not creating a new key for each file
Victim11/17/2021, 11:02:00 AM
The memory overwrite is my last question. So I can make sure the SOC team understands
Hive11/17/2021, 11:11:00 AM
When encryptor starts it creates a random field which will be used in encryption process. It is static. After encryption process finishes it rewrites to prevent restoration process. RSA keys private and public only use to encrypt/decrypt the random field. Only knowing the field it's possible to decrypt files. Encryptor has only public RSA keys, decryptor - private RSA keys.
Victim11/17/2021, 11:13:00 AM
by random fields u mean aes?
Hive11/17/2021, 11:13:00 AM
No, a truly cryptographic random field.
Victim11/17/2021, 11:15:00 AM
like PRNG or truly random numbers?
Hive11/17/2021, 11:15:00 AM
Of course not PRNG:)
Victim11/17/2021, 11:15:00 AM
:(
Victim11/17/2021, 11:15:00 AM
can you give me an example
Victim11/17/2021, 11:16:00 AM
so you have the origanal private key. The ransomware generates fields that will encrypt files? are these fields used as keys? for aes?
Victim11/17/2021, 11:17:00 AM
You are one smart guy
Hive11/17/2021, 11:17:00 AM
Actually I already disclose you a lot of details which was never disclosed to anyone. I think it's enough to make a decision.
Victim11/17/2021, 11:18:00 AM
Thanks
Hive11/17/2021, 11:18:00 AM
AES is a chiper, I use a different one - some kind of Vernam's chiper. It's impossible to decrypt without knowing the keys.
Victim11/17/2021, 11:27:00 AM
that means only one key will be used for all files and then re-written
Victim11/17/2021, 11:27:00 AM
so no way to get back
Hive11/17/2021, 11:31:00 AM
In simplified version the key used to encrypt all files. It exports to the disk using a few RSA public keys applied. Then encryption process follows. After that the key rewrites to prevent recovery from memory. Decryption software has RSA private keys to initially decrypt the exported key.
Victim11/17/2021, 11:40:00 AM
Whats the BTC address or wallet?
Hive11/17/2021, 11:51:00 AM
I made an offer at the right panel
Victim11/17/2021, 11:54:00 AM
you came into the network via global protect. Are you still on the network?
Hive11/17/2021, 11:55:00 AM
No
Victim11/17/2021, 11:55:00 AM
you are very honest for a hacker
Hive11/17/2021, 11:56:00 AM
We are all honest who works at Hive
Victim11/17/2021, 11:57:00 AM
but they say you hacked hospitals like [redacted] etc
Hive11/17/2021, 11:58:00 AM
Yes, we attack every targets, we have no limits here. It's not related with honesty
Victim11/17/2021, 11:59:00 AM
Got it
Victim11/20/2021, 6:07:00 PM
I think the time is up :(
Hive11/20/2021, 7:58:00 PM
Don't worry you have time. Tell me how is it going with upper management please
Victim11/24/2021, 4:57:00 AM
working on it, tough situation
Hive11/29/2021, 7:02:00 AM
Hi, how is it going?
Victim12/3/2021, 3:53:00 PM
good thanks
Victim12/3/2021, 3:56:00 PM
how r u
Hive12/3/2021, 4:17:00 PM
I'm good too. I just wanted to know to what direction your company inclined right now. By the way, what about a recovery process from memory from recovery company you told earlier?
Victim12/5/2021, 5:26:00 AM
They think the recovery is possible
Victim12/5/2021, 5:26:00 AM
also backup etc
Hive12/5/2021, 6:06:00 AM
Let's play with the price. I think both your management and our side want to resolve this as quick as possible
Victim12/6/2021, 8:57:00 AM
Whats the best price?
Victim12/6/2021, 8:58:00 AM
I am not sure if 333 is even remotely possible
VictimInvalid Date
They won't even consider 80 a possibility
Hive12/6/2021, 11:01:00 AM
I can offer you $3,000,000 in Bitcoin.