Researcher develops Hive ransomware decryption tool

A malware researcher known as "reecDeep" has developed and published a decryption tool on GitHub for the latest version of Hive ransomware.

Published Tuesday, the tool specifically decrypts the version 5 variant of Hive ransomware. Hive was originally written in programming language Go, but more recently the ransomware authors switched to Rust, a language that has overall superior encryption technology and is harder to reverse engineer.

Hive is a ransomware-as-a-service operation that was first discovered last summer. It immediately hit the ground running, claiming hundreds of victims in its first six months. Last year, the ransomware was responsible for compromising European retailer MediaMarkt and allegedly included a demand of $240 million. Earlier this year, Hive claimed an attack against Medicaid provider Partnership HealthPlan of California.

According to the decryption tool's GitHub page, reecDeep developed the tool with a fellow anonymous malware researcher known as "rivitna." The post includes technical details of how Hive v5 works as well as how the researchers developed their brute-force decryption tool.

"I had the pleasure of collaborating with a great malware analyst and reverse engineer @rivitna who in the past has analyzed previous versions of Hive and published code and PoCs regarding their encryption mechanisms," reecDeep wrote in the GitHub post. "He has contributed (not a little) to identify the components involved in the encryption operations of Hive v5, which being written in Rust has become more difficult to analyze."

Asked about compatibility between the decryptor and various v5 updates, reecDeep told SearchSecurity over Twitter direct message that while he hasn't fully confirmed, "as far as I know, minor updates from major version 5, (so 5.1, 5.2 and so on) don't have any improvements on encryption algorithms."

ReecDeep also said v5 "has nothing to do with previous Hive 1-4 versions," which were written in the Go programming language.

Earlier this month, the Microsoft Threat Intelligence Center published a blog post detailing Hive's recent evolution. The post described Hive as "one of the most prevalent ransomware payloads in the ransomware-as-a-service (RaaS) ecosystem."

"The upgrades in the latest variant are effectively an overhaul: the most notable changes include a full code migration to another programming language and the use of a more complex encryption method," the post read. "The impact of these updates is far-reaching, considering that Hive is a RaaS payload that Microsoft has observed in attacks against organizations in the healthcare and software industries by large ransomware affiliates like DEV-0237."

The tech giant recommended that organizations search for known Hive indicators of compromise to assess whether an intrusion has occurred.

Decryption tools like reecDeep's have become increasingly common over the years. For example, security vendor Emsisoft maintains a list of more than 80 free ransomware decryptors, including strains like DeadBolt and SunCrypt.

RaaS operators like Hive have likewise become more prevalent and are one of the key defining aspects of ransomware in 2022, alongside stricter cyber insurance policies and emerging extortion tactics.

Alexander Culafi is a writer, journalist and podcaster based in Boston.