Microsoft Exchange Servers are Being Infected with Ransomware

Amid warnings from multiple US government departments, researchers have observed attacks orchestrated by threat group Hive.

A threat group known as ‘Hive’ has been infiltrating Microsoft exchange servers with the goal of infecting unsuspecting victims with ransomware.

According to some reports, the group has been using this tactic since last summer – but recent attacks have given security researchers insight into their tactics.

The presence of Hive – and the fact it operates a ransomware-as-a-service model in which Hive ransomware can be used by others to conduct other attacks – means its never been more crucial to invest in antivirus software and other tools to keep you safe.

How does Hive Ransomware Work?

“During a recent engagement with a customer, the Varonis Forensics Team investigated a ransomware incident”, The Varonis Forensics Team‘s Nadav Ovadia writes in a post.

In the attack the team studied, Hive commenced its assault via the exploitation of ProxyShell, a collection of Microsoft Exchange Server vulnerabilities (and critical ones at that) that provide a way for attackers to remotely execute code. Microsoft reportedly patched this problem in 2021.

Once exploited, a webshell (a malicious script that creates a back door), sets the stage for the execution of Powershell code that facilitates the threat actors gaining system-level privileges. The backdoor is maintained so the group can continue attacking, and Cobalt strike stagers are downloaded.

” the actor managed to achieve its malicious goals and encrypt the environment in less than 72 hours from the initial compromise” Varonis Forensics Team.

Administrator user accounts are then created and the domain Administrator NTLM hash is swiped from the system. With this, Hive can control the domain admin account.

After this process is completed, the ransomware payload can be delivered to the unsuspecting victim’s computer. Files are encrypted and a sum is demanded for decryption- payable through what the ransom note calls its “Sales Department” (which is only reachable to a .onion address).

Who are Hive?

As the US Department for Health and Human Services stated in a document published just days ago, the organization is an “exceptionally aggressive, financially-motivated ransomware group” who have “historically targeted healthcare organizations frequently.”

However, the group has also been known to target financial companies, businesses in the energy sector, and even non-profits. By the third quarter of 2021 – just a few months after they commenced operations – they were already the fourth most active ransomware operators, the HHS also said.

Activities the group is involved in include double extortion (stealing data before its encrypted), which culminates in them posting stolen data on their data leak site. They often use “common (but effective) infection vectors” including RDP and VPN compromises.

The HHS also says the group trawl through the systems of victims and delete data they’ve attempted to back up, as well as things like shadow copies. The government department’s paper also details how Hive members have been known to ring up victims in order to pressure them into paying.

Should I be Upgrading my Company’s Security?

Yes, especially if you’re a small business – about 82% of ransomware attacks involve small businesses being targeted. It’s vitally important you take the steps to protect your company sooner rather than later, because the data breaches can be financially fatal.

One piece of software that can help is antivirus software. Most modern-day antivirus software programs come with features to protect you against the threat of ransomware, such as real-time file backups when suspicious files are detected on the system.

If you already have antivirus software installed, reviewing your package – and seeing if there are any updates that need to be downloaded – is never a bad idea.

Did you find this article helpful? Click on one of the following buttons
We're so happy you liked! Get more delivered to your inbox just like it.

We're sorry this article didn't help you today – we welcome feedback, so if there's any way you feel we could improve our content, please email us at

Written by:
Aaron Drapkin is a Lead Writer at He has been researching and writing about technology, politics, and society in print and online publications since graduating with a Philosophy degree from the University of Bristol five years ago. As a writer, Aaron takes a special interest in VPNs, cybersecurity, and project management software. He has been quoted in the Daily Mirror, Daily Express, The Daily Mail, Computer Weekly, Cybernews, and the Silicon Republic speaking on various privacy and cybersecurity issues, and has articles published in Wired, Vice, Metro, ProPrivacy, The Week, and covering a wide range of topics.
Explore More See all news
Back to top
close Thinking about your online privacy? NordVPN is's top-rated VPN service See Deals