View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

Hive ransomware decryption key released as gang evolves its tactics

A decryption key has been made available online to help affected organisations, as the gang changes tactics.

By Claudia Glover

A decryption key for malware deployed by the ransomware gang Hive has been released in response to an uptick in activity from the gang in the past three months. Hive has also switched to a more complex coding language called Rust, which is harder to decrypt, making the key even more valuable.

Hive ransomware has been active in the healthcare sector. (Photo by Anadolu Agency/iStock)

The decryption tool for version five of Hive’s malware has been released by a malware analyst and reverse engineer known publicly as reecDeep. The key can be found on Github and was created in order to try and quell recent mounting attacks by the gang. 

Hive has been ramping up activity in recent months, particularly targeting healthcare organisations. In May, the gang was named by the US Department of Health and Human Services as one of the top-five cybercrime gangs that attacked healthcare services in Q1 2022, with Hive taking credit for 11% of attacks.

Speaking to Tech Monitor, ‘reecDeep’ said the nature of Hive’s attacks meant they felt inspired to build the key and make it publicly available. “Dozens of companies stop doing business because of gangs of criminals. Hospitals are affected by disruption and are unable to provide care to their patients,” they said.

Hive was first spotted in June last year, and in 2021 the gang attacked more than 350 companies, mainly in the health and financial sectors, says a report by security company Group I-B.

Allan Liska, computer security incident response team head at security company Recorded Future, said the gang has been even busier this year. “Since May of 2022 Hive has accounted for 6.8% of all postings to extortion sites, which has them tied for second-most active group with Black Cat, which is definitely a notable jump,” Liska says.

The gang has also recently updated its coding language to Rust, which is much harder to reverse engineer. "The malware used by Hive being written in the Rust programming language improves the gang's ability to remain undetected," explains Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows.

Content from our partners
Why all businesses must democratise data analytics
How start-ups can take the next step towards scaling up
Unlocking the value of artificial intelligence and machine learning

Hive's constant improvements are effectively an overhaul, says a report by Microsoft’s Threat Intelligence Center: “The most notable changes include a full code migration to another programming language and the use of a more complex encryption method. The impact of these updates is far-reaching… It offers memory, data type and thread safety and deep control over low-level resources,” states the report.

The updated use of the Rust programming language from its initial language GoLang not only shows the gang’s versatility, but could also betray links to Conti. The ransomware gang disbanded after its sustained attack on the Costa Rican government earlier this year, with its members thought to be joining rival gangs.

BlackCat and Hive were two gangs that researchers predicted would take on Conti members, and since Conti has disappeared from the scene, both have updated to using Rust. “This probably means both have taken on Conti members,” Liska says.

Read more: Will Costa Rica attack herald a new wave of Russian cybercrime?

Topics in this article:
Websites in our network
NEWSLETTER Sign up Tick the boxes of the newsletters you would like to receive. Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
I consent to New Statesman Media Group collecting my details provided via this form in accordance with the Privacy Policy
SUBSCRIBED
THANK YOU