Hive is a relatively new ransomware outfit that surfaced in late June 2021 and quickly gained notoriety through attacks on organizations across several sectors. One report indicated that the group and its affiliates had breached more than 350 organizations in just over four months, which works out to roughly three victims per day since the operation became active.
As the group continued to ensnare more targets, a team of academics devised a method that could help victims recover their encrypted data. In February 2022, the researchers found a way to exploit a weakness in Hive's encryption scheme to recover the master key and restore files. Despite this setback, the attackers remained undeterred and kept improving the ransomware's capabilities.
One of the newer techniques relies on IPv4 addresses to disguise a loader that ultimately fetches a Cobalt Strike Beacon.
The attackers embed the payload inside a 64-bit Windows executable as an array of ASCII IPv4 address strings, which to an unsuspecting eye looks like an ordinary list of addresses rather than code. At runtime each dotted-quad string is converted back into the four raw bytes it encodes, and the reassembled shellcode stages the Cobalt Strike Beacon.
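The following is an added illustration, not code from the original article and not Hive's own loader: it shows the encoding described above in both directions (four payload bytes per dotted-quad string, and the inverse conversion a loader performs), followed by a simple heuristic scanner that flags long runs of consecutive NUL-terminated IPv4 strings inside a binary blob. The payload and the surrounding "executable" bytes are constructed stand-ins, not real shellcode; the function names, the `min_run` threshold and the sample layout are assumptions made for the example.

```python
import re

# Constructed stand-in for a payload; NOT real shellcode.
SAMPLE_PAYLOAD = bytes(range(0, 64)) + b"constructed stand-in, not real shellcode"


def encode_ipfuscation(payload: bytes) -> list:
    """Split the payload into 4-byte chunks and render each as a dotted quad.
    The final chunk is zero-padded so every 'address' has exactly four octets."""
    padded = payload + b"\x00" * (-len(payload) % 4)
    return [".".join(str(b) for b in padded[i:i + 4])
            for i in range(0, len(padded), 4)]


def decode_ipfuscation(addresses) -> bytes:
    """Inverse transform: each dotted quad becomes its four raw bytes, which is
    what a string-to-IPv4 conversion routine returns in network byte order."""
    out = bytearray()
    for addr in addresses:
        octets = addr.split(".")
        if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
            raise ValueError(f"not a dotted quad: {addr!r}")
        out += bytes(int(o) for o in octets)
    return bytes(out)


# A NUL-terminated ASCII dotted quad, as a C string literal would be stored.
_DOTTED_QUAD = re.compile(rb"(?:\d{1,3}\.){3}\d{1,3}\x00")


def find_ipfuscated_blobs(data: bytes, min_run: int = 16):
    """Heuristic scan: legitimate binaries rarely store dozens of hard-coded
    IPv4 strings back to back, so long runs are worth decoding and inspecting.
    Returns a list of (offset, address_count, decoded_bytes) per flagged run."""
    runs = []
    pos = 0
    while pos < len(data):
        m = _DOTTED_QUAD.match(data, pos)
        if not m:
            pos += 1
            continue
        start, addrs = pos, []
        while m:  # extend the run while the next string is also a dotted quad
            addrs.append(m.group(0)[:-1].decode("ascii"))
            pos = m.end()
            m = _DOTTED_QUAD.match(data, pos)
        if len(addrs) >= min_run:
            try:
                runs.append((start, len(addrs), decode_ipfuscation(addrs)))
            except ValueError:
                pass  # octet out of range: a digit string, not a real encoding
    return runs


def build_sample_binary(payload: bytes) -> bytes:
    """Constructed stand-in for an executable's data section: a fake header,
    one genuine-looking lone address (should NOT be flagged), then the
    encoded payload as consecutive C strings, then filler."""
    ip_table = b"".join(a.encode("ascii") + b"\x00" for a in encode_ipfuscation(payload))
    return b"MZ\x90\x00" + b"\x00" * 32 + b"10.0.0.1\x00" + b"junk" + ip_table + b"\xcc" * 16


def scan_sample():
    """Run the scanner over the constructed binary and return the flagged runs."""
    return find_ipfuscated_blobs(build_sample_binary(SAMPLE_PAYLOAD))


if __name__ == "__main__":
    for offset, count, decoded in scan_sample():
        print(f"offset {offset:#x}: {count} consecutive IPv4 strings, "
              f"{len(decoded)} decoded bytes, first 8: {decoded[:8].hex()}")
```

The scanner is deliberately a heuristic: a single hard-coded address (the `10.0.0.1` in the sample) is ignored, while a table of dozens of consecutive address strings is decoded so the analyst can look at the resulting bytes directly. In a real triage the decoded blob would be handed to a disassembler or an emulator rather than trusted to be benign.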
Other changes observed
The Hive group also rewrote its VMware ESXi Linux encryptor in the Rust programming language, making the sample more efficient and harder to reverse engineer.
The move to Rust mirrors the BlackCat ransomware operation, which adopted the language earlier.
In addition, the gang added features intended to make it harder for security researchers to snoop on victims' ransom negotiations.
Despite being relatively new, Hive has already established itself as one of the most prolific and aggressive ransomware families in operation. Research suggests that the way the gang runs its operations gives new affiliates an incentive to join. The Hive operators also constantly refine and diversify their tactics, techniques and procedures (TTPs), so organizations need to stay vigilant and keep up to date on the threat.