Security researchers report the discovery of a new ransomware which displays similarities to Hive. The latter has been considered one of the most prominent ransomware families of 2021, successfully breaching more than 300 organizations in just four months, Trend Micro’s report pointed out. In March, the researchers detected evidence of another, relatively unknown ransomware, known as Nokoyawa.
It seems that Nokoyawa and Hive are related, sharing some striking similarities in their attack chain, including the tools they use to execute the infection steps. Trend Micro said that most targeted organizations are located in South America, mostly in Argentina.
Hive and Nokoyawa Ransomware Families: the Similarities
One of the most striking similarities is the use of Cobalt Strike, a post-exploitation framework, for the "arrival" stage on the targeted system. Both ransomware families also use GMER and PC Hunter, legitimate anti-rootkit scanners, for defense evasion, and both perform information gathering and lateral deployment in a similar fashion.
Other tools in Hive ransomware's kit include NirSoft utilities and the MalXMR miner, chosen to extend the attack according to the target's environment. Trend Micro's analysis revealed that Nokoyawa uses the same tricks against its victims. "We've observed the ransomware leverage other tools such as Mimikatz, Z0Miner, and Boxter. We also found evidence based on one of the IP addresses used by Nokoyawa that the two ransomware families share the same infrastructure," the researchers added.
There is no definitive evidence yet of how Nokoyawa is delivered to the system. Given the many similarities it shares with Hive, however, its operators are most likely relying on phishing emails for initial access.
It is noteworthy that the Cobalt Strike post-exploitation tool has been quite popular among ransomware groups, so its presence alone proves little. Taken together, though, the shared tooling, the overlapping infrastructure and the similar attack chain strongly suggest that the two ransomware families are related, and the information gathered so far implies that Hive's operators are now also running Nokoyawa.
There is still no evidence that the new ransomware family uses double extortion, unlike Hive, which has relied on it in its attacks, the report pointed out.
Hive Ransomware’s Encryption Was Deciphered Recently
It is noteworthy that Hive's encryption was defeated recently, as security researchers found a way to decrypt victims' files without the master key held by the attackers. A group of academics from South Korea's Kookmin University shared their findings in a detailed report titled "A Method for Decrypting Data Infected with Hive Ransomware". According to the report, the researchers were able to "recover the master key for generating the file encryption key without the attacker's private key, by using a cryptographic vulnerability identified through analysis."
Hive uses hybrid encryption: its own symmetric cipher encrypts the victim's files, and the master key from which the per-file encryption keys are derived is in turn protected with the attackers' key pair, so that only their private key should be able to unlock it. The researchers were able to recover that master key without the attackers' private key, thanks to a cryptographic flaw they discovered during analysis. Using the recovered master key, they successfully decrypted the encrypted files, the report said.
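The following added example illustrates the class of weakness at stake here; it is a constructed toy written for this page, not Hive's cipher and not code from the Kookmin paper. Hive's real keystream derivation, as analyzed in that paper, is more involved; the toy keeps only the property that matters: every file's keystream is a slice of one shared master key, so any file whose plaintext is partly known (a zero-filled region, a file magic) reveals bytes of the master key from ciphertext alone, and those bytes decrypt other files, with no need for the attackers' RSA private key. The file format, the 256-byte master key, the footer storing the slice offset and the sample files are all assumptions of the example.

```python
import random
import struct

# Constructed parameters: a real pool would be far larger, but the attack scales
# the same way, since every known plaintext byte pins one master-key byte.
MASTER_LEN = 256
FOOTER = struct.Struct("<I")   # assumed footer: the slice offset the operator needs


def keystream(master: bytes, offset: int, length: int) -> bytes:
    """Keystream for one file = a slice of the master key, wrapping around."""
    return bytes(master[(offset + i) % len(master)] for i in range(length))


def encrypt(master: bytes, offset: int, plaintext: bytes) -> bytes:
    """XOR the file with its slice and append the slice offset (constructed format)."""
    ks = keystream(master, offset, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks)) + FOOTER.pack(offset)


def parse(ciphertext: bytes):
    """Split an encrypted file into (body, slice offset)."""
    return ciphertext[:-FOOTER.size], FOOTER.unpack(ciphertext[-FOOTER.size:])[0]


def recover_master(ciphertexts: dict, known_plaintexts: dict, master_len: int = MASTER_LEN) -> dict:
    """Known-plaintext recovery of master-key bytes.

    known_plaintexts maps a file name to (position, plaintext bytes). Because the
    keystream byte at file position i is master[(offset + i) % master_len],
    ciphertext ^ plaintext at that position IS the master-key byte.
    """
    recovered = {}
    for name, (pos, plain) in known_plaintexts.items():
        body, offset = parse(ciphertexts[name])
        for i, p in enumerate(plain):
            recovered[(offset + pos + i) % master_len] = body[pos + i] ^ p
    return recovered


def decrypt_partial(ciphertext: bytes, recovered: dict, master_len: int = MASTER_LEN):
    """Decrypt with whatever master-key bytes are known.

    Returns (plaintext, unknown_positions); positions whose master-key byte is
    still unknown are left as the raw ciphertext byte so the caller can see the gaps.
    """
    body, offset = parse(ciphertext)
    out, unknown = bytearray(), []
    for i, c in enumerate(body):
        k = recovered.get((offset + i) % master_len)
        if k is None:
            unknown.append(i)
            out.append(c)
        else:
            out.append(c ^ k)
    return bytes(out), unknown


def demo() -> dict:
    """Constructed victim: three files encrypted with slices of one master key."""
    rng = random.Random(2022)                      # deterministic for the example
    master = bytes(rng.getrandbits(8) for _ in range(MASTER_LEN))
    files = {
        "notes.txt": (40, b"Q2 board minutes: budget approved."),  # 34 bytes
        "pad.bin": (0, bytes(200)),                                 # zero-filled file
        "db.bak": (220, b"SQLite format 3\x00" + bytes(32)),       # 48 bytes, wraps
    }
    ciphertexts = {n: encrypt(master, off, pt) for n, (off, pt) in files.items()}

    # What the analyst knows without any key: pad.bin is all zeros, db.bak starts
    # with the SQLite magic. Nothing else about the master key is assumed.
    known = {"pad.bin": (0, bytes(200)), "db.bak": (0, b"SQLite format 3\x00")}
    recovered = recover_master(ciphertexts, known)

    notes, notes_unknown = decrypt_partial(ciphertexts["notes.txt"], recovered)
    db, db_unknown = decrypt_partial(ciphertexts["db.bak"], recovered)
    return {
        "master_bytes_recovered": len(recovered),   # 216 of 256
        "notes": notes,                             # fully recovered: slice 40..73 covered
        "notes_unknown": notes_unknown,             # []
        "db": db,
        "db_unknown": db_unknown,                   # 20 bytes whose slice nobody covered
    }


if __name__ == "__main__":
    r = demo()
    print(r["master_bytes_recovered"], "master-key bytes recovered")
    print("notes.txt:", r["notes"], "unknown:", r["notes_unknown"])
    print("db.bak unknown positions:", r["db_unknown"])
```

The point to take from the run is not the toy format but the dependency: notes.txt was never touched by the analyst, yet it decrypts completely because its keystream slice lies inside the region pinned down by a single zero-filled file. Coverage is the limiting factor, which is why recovery of the master key in practice is partial and improves with every additional file whose contents are predictable.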