A decryption key for malware deployed by the ransomware gang Hive has been released in response to an uptick in activity from the gang in the past three months. Hive has also switched to a more complex programming language, Rust, which makes its malware harder to reverse engineer and so makes the key even more valuable.
The decryption tool for version five of Hive’s malware has been released by a malware analyst and reverse engineer known publicly as reecDeep. The key can be found on GitHub and was created in an attempt to quell the gang’s recent mounting attacks.
Hive has been ramping up activity in recent months, particularly targeting healthcare organisations. In May, the gang was named by the US Department of Health and Human Services as one of the top-five cybercrime gangs that attacked healthcare services in Q1 2022, with Hive taking credit for 11% of attacks.
Speaking to Tech Monitor, ‘reecDeep’ said the nature of Hive’s attacks meant they felt inspired to build the key and make it publicly available. “Dozens of companies stop doing business because of gangs of criminals. Hospitals are affected by disruption and are unable to provide care to their patients,” they said.
Hive was first spotted in June last year, and in 2021 the gang attacked more than 350 companies, mainly in the health and financial sectors, according to a report by security company Group-IB.
Allan Liska, computer security incident response team head at security company Recorded Future, said the gang has been even busier this year. “Since May of 2022 Hive has accounted for 6.8% of all postings to extortion sites, which has them tied for second-most active group with Black Cat, which is definitely a notable jump,” Liska says.
The gang has also recently rewritten its malware in Rust, which is much harder to reverse engineer. “The malware used by Hive being written in the Rust programming language improves the gang's ability to remain undetected,” explains Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows.
Hive's constant improvements are effectively an overhaul, says a report by Microsoft’s Threat Intelligence Center: “The most notable changes include a full code migration to another programming language and the use of a more complex encryption method. The impact of these updates is far-reaching… It offers memory, data type and thread safety and deep control over low-level resources,” states the report.
Does Hive have links to Conti?
The move from Go, the language the malware was originally written in, to Rust not only shows the gang’s versatility but could also betray links to Conti. Conti disbanded after its sustained attack on the Costa Rican government earlier this year, with its members thought to be joining rival gangs.
BlackCat and Hive were the two gangs that researchers predicted would take on Conti members, and since Conti disappeared from the scene, both have switched to Rust. “This probably means both have taken on Conti members,” Liska says.