Hive Ransomware is different from many other forms of ransomware because it uses an Advanced Encryption Standard (AES) algorithm, which is so strong that there are no decryption tools available at this time.
This particular ransomware is a new breed of ransomware that targets corporate networks, not individual end-users. It’s delivered via email, just like the other malware families that threaten companies today.
Hive (also known as Swarm) ransomware is a file-encrypting virus that spreads using spam emails containing infected attachments disguised as legitimate documents. The attackers behind this infection demand victims pay a ransom in exchange for decryption tools and keys. They say that you need to pay up within 14 days or so.
Do You Know?
It has emerged that malware codenamed “Hive” was used by cybercriminals to distribute crypto-ransomware for two years before its discovery. How does this malware work?
- Hive will encrypt the contents of a company’s file servers, databases, SharePoint and Exchange servers, and backup storage devices. By doing this, it effectively locks a company out of its most important data.
- The ransom payment itself is made in Bitcoin and is often routed through several different Bitcoin wallets to minimize the chances that law enforcement can trace it back to the attackers. Bitcoin is currently the preferred currency for making ransom payments because of how difficult it is to trace.
- Compared with WannaCry and Petya/NotPetya from last year, the consequences of Hive are more localized to a specific company since it only affected companies that failed to patch their systems following the Equation Group Shadow Brokers leak.
Hive Ransomware: Overview
This ransomware is a form of malware that locks users’ files and leaves them inaccessible. Hive ransomware was first distributed in March 2016 and successfully launched just a few days ago. The developer of the ransomware provides buyers with one free decryption for every 10 or 20 purchases of the key, creating a variation of the ransomware model in which victims can pay (albeit at extortionate prices) to unlock their files. You can learn about the newest hacking trend and what you can do to protect yourself from it.
How does Hive Ransomware Encrypt Files?
Hive Ransomware is a simple and efficient ransomware that encrypts files and asks for a ransom to get them back. Hive Ransomware marks encrypted files by appending the “.hive” extension to the filename. When a user downloads an infected file, that specific file will be encrypted and a ransom note will be shown, informing them of the infection and how to pay. All your files will be encrypted and renamed with .enc by Hive.
Note: It uses AES-256 encryption with a dynamic key which is generated with Twofish encryption to encrypt files on infected computers.
Files are also encrypted with an RSA 2048-bit key and with the AES 128-bit algorithm.
- Hive Ransomware typically encrypts files using AES or RSA-2048 and then displays a ransom notice to the victim with instructions on how to purchase and use Bitcoin.
- Files are usually encrypted with public and private keys, which are stored in the ransomware’s code or on a remote server. The private key can be decrypted with a key generated by using the public key, which is typically obtained from the ransomware’s code or server.
You can learn about all of the things Hive Ransomware will do to your computer and files, but the easiest way to understand how Hive Ransomware encrypts files is by comparing it to other types of encryption. For example, while AES encryption requires a password and sometimes a key, Hive Ransomware creates a “key pair”, that is, a public and a private key: one that is kept hidden on an outside server and one that is saved on your computer.
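As an added example (not code from the original post or from any analysis of Hive itself), the following Python script shows how a defender can look for the on-disk symptoms described above: a directory filling with high-entropy files that carry the “.hive” extension, plus the appearance of a ransom note. The sample file listing, the ransom-note filename keywords and the thresholds are constructed assumptions for illustration.

```python
"""Heuristic detector for the on-disk signs of a Hive-style infection:
files renamed with the ".hive" extension whose contents look encrypted
(high byte entropy), and a dropped ransom note.  Added example; the
file listing, note keywords and thresholds below are constructed."""
import math
import os
from collections import defaultdict

RANSOM_EXT = ".hive"            # extension named in the post
# Assumption: ransom notes are plain-text files whose names contain one
# of these keywords.  Real note names vary; tune to your environment.
NOTE_KEYWORDS = ("how_to_decrypt", "readme", "restore")
ENTROPY_THRESHOLD = 7.5         # bits per byte; encrypted data is near 8.0
MIN_ENCRYPTED_PER_DIR = 3       # assumption: flag after this many per dir


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_file(path: str, content: bytes) -> str:
    """Return 'encrypted', 'note' or 'normal' for one file."""
    name = os.path.basename(path).lower()
    if name.endswith(RANSOM_EXT) and shannon_entropy(content) >= ENTROPY_THRESHOLD:
        return "encrypted"
    if name.endswith(".txt") and any(k in name for k in NOTE_KEYWORDS):
        return "note"
    return "normal"


def find_affected_dirs(listing):
    """listing: iterable of (path, content) pairs.

    A directory is flagged when it holds at least MIN_ENCRYPTED_PER_DIR
    encrypted-looking .hive files, or any such file together with a
    ransom note.  Returns the flagged directories, sorted."""
    encrypted = defaultdict(int)
    notes = set()
    for path, content in listing:
        directory = os.path.dirname(path)
        kind = classify_file(path, content)
        if kind == "encrypted":
            encrypted[directory] += 1
        elif kind == "note":
            notes.add(directory)
    return sorted(
        d for d, n in encrypted.items()
        if n >= MIN_ENCRYPTED_PER_DIR or d in notes
    )


# Constructed sample contents: a uniform byte distribution (entropy 8.0)
# stands in for ciphertext; repeated text stands in for ordinary files.
HIGH_ENTROPY_SAMPLE = bytes(range(256)) * 16
LOW_ENTROPY_SAMPLE = b"quarterly figures, plain text " * 100

# Constructed sample listing of a file share after a partial infection.
SAMPLE_LISTING = [
    ("/srv/share/finance/q1.xlsx.hive", HIGH_ENTROPY_SAMPLE),
    ("/srv/share/finance/q2.xlsx.hive", HIGH_ENTROPY_SAMPLE),
    ("/srv/share/finance/q3.xlsx.hive", HIGH_ENTROPY_SAMPLE),
    ("/srv/share/finance/HOW_TO_DECRYPT.txt", b"Your files are encrypted."),
    ("/srv/share/hr/policy.docx", LOW_ENTROPY_SAMPLE),
    ("/srv/share/hr/notes.hive", LOW_ENTROPY_SAMPLE),   # renamed, not encrypted
    ("/srv/share/legal/contract.pdf.hive", HIGH_ENTROPY_SAMPLE),  # single file
]

if __name__ == "__main__":
    for d in find_affected_dirs(SAMPLE_LISTING):
        print("possible Hive activity in", d)
```

The entropy check matters because a rename alone is cheap to fake and a single encrypted-looking file is a common false positive (compressed archives and media also score near 8.0); combining the extension, the content entropy, the per-directory count and the presence of a note gives a much stronger signal that should trigger isolation of the host and a review of backups.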
To avoid being targeted by Hive or any similar future attacks, companies should be sure they’re following Microsoft’s security patches as they are released.