The Hive ransomware, which emerged in June 2021, made its name in the cybercrime scene by attacking over 350 firms from different sectors in only four months after it appeared. That activity rate works out to the group attacking three companies a day on average.
As Hive's attack activity drew the attention of cybersecurity experts, they developed a method to help affected organisations recover their stolen or encrypted sensitive company data.
During their research in February 2022, experts found a security flaw in Hive ransomware's encryption algorithm, which they exploited to recover the master key and restore victims' stolen data. This finding has helped many of the threat group's victims retrieve their sensitive company data and marked a major development for cybersecurity experts.
Despite the setback for its operators, Hive ransomware has persisted in improving its capabilities.
One of the major updates to the ransomware's features is a new "IPfuscation" technique used to hide the payload on an infected device. The technique relies on IPv4 addresses: the payload is stored as address strings, and decoding them results in the download of a Cobalt Strike Beacon.
Specifically, the threat group hides 64-bit Windows executable files as arrays of fake ASCII IPv4 addresses, which look authentic to unsuspecting victims and to casual inspection. Each executable carries a payload that will eventually deliver Cobalt Strike.
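As an added illustration of the defensive side of this technique (this is example code written for this page, not code from the Hive operators or from the analysts cited), the snippet below shows how a triage script can take dotted-quad strings pulled from a suspicious file, convert each address back into its four raw bytes, and check whether the decoded buffer carries the "MZ" signature that every Windows executable begins with. The sample address list and strings dump are constructed for the example; the four addresses encode the first sixteen bytes of a standard PE/DOS header.

```python
import re

# Constructed sample: the first 16 bytes of a standard PE/DOS header
# (MZ \x90 \x00 \x03 \x00 \x00 \x00 \x04 \x00 \x00 \x00 \xff \xff \x00 \x00)
# written as four dotted-quad strings, the way IPfuscation stores payload bytes.
SAMPLE_IPFUSCATED = ["77.90.144.0", "3.0.0.0", "4.0.0.0", "255.255.0.0"]

# Constructed benign sample: ordinary configuration values that happen to be IPs.
SAMPLE_BENIGN = ["192.168.1.10", "10.0.0.1", "8.8.8.8"]

# Constructed `strings`-style dump from a hypothetical sample, mixing real
# imports with an embedded IPv4 array.
SAMPLE_STRINGS_DUMP = """kernel32.dll
LoadLibraryA
77.90.144.0
3.0.0.0
4.0.0.0
255.255.0.0
.rdata
"""

DOTTED_QUAD = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")


def extract_ipv4_strings(text):
    """Return every dotted quad in `text` whose octets are all in 0..255."""
    found = []
    for m in DOTTED_QUAD.finditer(text):
        if all(int(o) <= 255 for o in m.groups()):
            found.append(m.group(0))
    return found


def decode_ipv4_array(addrs):
    """Turn each dotted quad into its four raw bytes, preserving order."""
    out = bytearray()
    for a in addrs:
        m = DOTTED_QUAD.fullmatch(a)
        if not m:
            raise ValueError(f"not a dotted quad: {a!r}")
        octets = [int(x) for x in m.groups()]
        if any(o > 255 for o in octets):
            raise ValueError(f"octet out of range: {a!r}")
        out.extend(octets)
    return bytes(out)


def looks_like_pe(blob):
    """A Windows executable starts with the two-byte DOS signature 'MZ'."""
    return blob[:2] == b"MZ"


def reserved_first_octet_ratio(addrs):
    """Share of addresses whose first octet is 0 or in 224..255.

    Such addresses are never ordinary unicast hosts, so a high ratio in a
    long list is a weak hint that the strings are data rather than endpoints.
    """
    if not addrs:
        return 0.0
    reserved = sum(1 for a in addrs if not 1 <= int(a.split(".")[0]) <= 223)
    return reserved / len(addrs)


def assess(addrs):
    """Summarise an address list for a triage analyst."""
    blob = decode_ipv4_array(addrs)
    return {
        "addresses": len(addrs),
        "decoded_bytes": len(blob),
        "pe_header": looks_like_pe(blob),
        "reserved_first_octet_ratio": reserved_first_octet_ratio(addrs),
    }


if __name__ == "__main__":
    for label, sample in (("ipfuscated", SAMPLE_IPFUSCATED), ("benign", SAMPLE_BENIGN)):
        print(label, assess(sample))
    print("from dump", assess(extract_ipv4_strings(SAMPLE_STRINGS_DUMP)))
```

The "MZ" check is a high-confidence indicator only when the decoded bytes really are a full executable, as the article describes; when an operator encodes position-independent code instead, the header check will miss it, which is why the reserved-octet ratio and the sheer length of an address array are reported alongside it rather than relied on alone.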
Another update analysts noticed is that the ransomware group's VMware ESXi Linux encryptor has been rewritten in the Rust programming language, making Hive harder to reverse-engineer and more efficient in carrying out its attacks.
The analysts noted that this move mirrors how the BlackCat ransomware operation is run. Other added features make it harder for researchers to observe ransom negotiations between the operators and the victims.
Being new to the cybercrime landscape did not stop Hive from becoming one of the most notorious ransomware threat groups. Since the new features in its operations appeal to other criminals, experts believe the gang's affiliate base will continue to expand.