GOLD HAWTHORNE
SUMMARY
GOLD HAWTHORNE is a financially motivated threat group responsible for the development and distribution of the Hive ransomware. Since June 2021, Hive has been used in post-intrusion ransomware attacks that incorporate 'name-and-shame' data theft tactics. GOLD HAWTHORNE operates Hive as a ransomware-as-a-service (RaaS), relying on affiliates to gain access to victim networks and deploy the ransomware. Hive ransomware intrusions have been characterised by the use of Cobalt Strike, SystemBC, Metasploit, and a number of legitimate tools, including ProcDump, PCHunter64, GMER and the Ntdsutil utility.
CTU researchers have observed Hive being distributed using techniques previously associated with GOLD ULRICK's Ryuk and Conti intrusions, such as the use of PsExec together with a copy.bat batch script, WMI, BITSAdmin, and tool staging in a C:\Share$ directory on compromised domain controllers. This overlap could mean that GOLD ULRICK or one of its affiliates is now using Hive. Alternatively, GOLD HAWTHORNE may be copying publicly documented techniques used by GOLD ULRICK.
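The staging behaviour described above (a hidden Share$ on a domain controller, copy.bat pulled from it, PsExec service installs, BITS transfers) lends itself to simple log correlation. The following is an added detection example, not code from the original profile or from CTU; the Windows event IDs used (5142 share created, 5145 share object accessed, 7045 service installed, BITS-Client event 3 job created) are real, while the event records themselves are constructed sample input.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not from the page): (timestamp, host, event_id, detail).
SAMPLE_EVENTS = [
    ("2023-01-10T02:11:05", "DC01", 5142, "Share Name: \\\\*\\Share$ Share Path: C:\\Share$"),
    ("2023-01-10T02:12:40", "DC01", 5145, "Share Name: \\\\*\\Share$ Relative Target Name: copy.bat"),
    ("2023-01-10T02:14:02", "WS17", 7045, "Service Name: PSEXESVC Service File Name: %SystemRoot%\\PSEXESVC.exe"),
    ("2023-01-10T02:15:30", "WS17", 3,    "BITS job created: Transfer from \\\\DC01\\Share$\\copy.bat"),
    ("2023-01-11T09:00:00", "FS02", 5145, "Share Name: \\\\*\\Backups Relative Target Name: report.xlsx"),
]

# Indicator patterns keyed by event ID, drawn from the staging behaviour described above.
INDICATORS = {
    5142: re.compile(r"Share\$", re.IGNORECASE),             # hidden share named Share$ created
    5145: re.compile(r"Share\$|copy\.bat", re.IGNORECASE),   # access to Share$ or to copy.bat
    7045: re.compile(r"PSEXESVC", re.IGNORECASE),            # PsExec service installed on a host
    3:    re.compile(r"Share\$", re.IGNORECASE),             # BITS job transferring from Share$
}

def match_indicators(events):
    """Return (timestamp, host, event_id) for every event whose detail matches its indicator."""
    hits = []
    for ts, host, eid, detail in events:
        pattern = INDICATORS.get(eid)
        if pattern and pattern.search(detail):
            hits.append((datetime.fromisoformat(ts), host, eid))
    return hits

def correlate(events, window=timedelta(hours=1), min_distinct=2):
    """Cluster matching events that fall within `window` of the cluster start; a cluster
    becomes an alert when it spans at least `min_distinct` different event IDs, so a single
    benign share access does not fire on its own. Clusters deliberately span hosts, because
    staging happens on the DC while PsExec and BITS activity appears on the targets."""
    hits = sorted(match_indicators(events))
    alerts, cluster = [], []
    for hit in hits:
        if cluster and hit[0] - cluster[0][0] > window:
            if len({h[2] for h in cluster}) >= min_distinct:
                alerts.append(cluster)
            cluster = []
        cluster.append(hit)
    if cluster and len({h[2] for h in cluster}) >= min_distinct:
        alerts.append(cluster)
    return alerts

if __name__ == "__main__":
    for cluster in correlate(SAMPLE_EVENTS):
        print("ALERT:", [(h[1], h[2]) for h in cluster])
```

On the sample input the four DC01/WS17 events form one alert, while the unrelated FS02 share access is ignored.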
On January 26, 2023, the U.S. Department of Justice (DoJ) and Federal Bureau of Investigation (FBI) issued a statement describing the international law enforcement cooperation that resulted in the seizure of some infrastructure associated with the Hive ransomware operation. The statement claimed that Hive ransomware had targeted 1,500 victims since GOLD HAWTHORNE started operating in mid-2021. This is considerably more than the 209 victims listed on its leak site, indicating that the number of victims a ransomware group chooses to name may be considerably lower than the actual number. The long-term impact on GOLD HAWTHORNE and its affiliates' activity is not yet clear.