In the digital shadows where hackers and security pros play a constant game of cat and mouse, every little advantage counts. For malware creators, this means their code has to be quick, sneaky, and dependable. Every single line of code is a strategic choice. So, it begs a fascinating question: when the infamous Conti ransomware gang wanted to cover their tracks, why did they pick a little-known hashing algorithm called MurmurHash?
The answer pulls back the curtain on some seriously practical, if malicious, engineering. MurmurHash isn’t the toughest or fanciest algorithm on the block, but for a hacker’s toolkit, it’s perfect. It’s the ‘Goldilocks’ of hashes: not too slow, not too simple, but just right.
The Core Problem: Hiding in Plain Sight with API Hashing
To get why they chose it, we first need to talk about a sneaky trick called API Hashing. Malware, at its core, needs to boss around the Windows operating system to do its dirty work—encrypting files, wiping backups, you name it. It does this by calling up functions from Windows libraries (DLLs), like CreateFileW or CryptEncrypt.
Here’s the catch for the bad guys: these function names are usually just sitting there as plain text in the malware’s code. Antivirus software can easily spot these suspicious keywords. If it sees a program trying to use a bunch of functions for encrypting and deleting files, red flags go up everywhere.
API hashing is their clever workaround. Instead of plain-text names, the malware stores a unique numerical ‘fingerprint’ (a hash) for each function it wants to use. When the malware is running, it quickly scans the Windows libraries, hashes the function names it finds on the fly, and looks for a match with its stored list. Voila! The malware looks much more innocent to any security program that’s just scanning the file.
The goal of API hashing is to replace obvious, searchable text like “CryptEncrypt” with an anonymous number, effectively cloaking the malware’s true capabilities from prying eyes.
Why MurmurHash? The Perfect Recipe for Malice
Okay, so any hash function can turn text into a number. What makes MurmurHash so special that Conti and other malware gangs fell in love with it? It really boils down to a perfect mix of three key things.
1. Blistering Speed and Rock-Solid Reliability
Malware has to be quick on its feet. That whole process of looking up API functions at runtime needs to happen in the blink of an eye. This is where MurmurHash really shines.
- It’s Not Built for Fort Knox: A super-secure hash like SHA-256 is built to be slow and tough to crack, which is great for protecting passwords but total overkill here. Using it would be like using a tank to deliver a pizza—it just slows things down. MurmurHash is a non-cryptographic hash, meaning it’s built for one thing: pure, unadulterated speed.
- It Rarely Gets Confused: MurmurHash is great at giving different inputs a unique hash. Getting a ‘collision’—where two different function names get the same hash—would be disastrous. It would make the malware call the wrong function and probably crash. A crashing program is a useless program. So, Murmur is fast, but it’s also dependable.
2. Radical Simplicity and “Off-the-Shelf” Availability
This might be the biggest reason of all. Hackers are efficient—why reinvent the wheel?
The MurmurHash algorithm is tiny, simple, and best of all, totally free and public. Security researchers are pretty sure the Conti crew just grabbed a standard open-source version of it and dropped it right into their code. It was the easiest possible route—a proven tool that was just sitting there, ready to be used.
A Technical Peek: MurmurHash3 in Python
Want to see just how simple it is? Check out this Python code for the 32-bit MurmurHash3 function. As you can see, it’s basically just a bit of math and bit-shuffling. There are no complicated parts, which means a developer can slap it into a project without any headaches.
def murmur3_x86_32(key, seed=0):
"""Calculates the 32-bit MurmurHash3 value of a given key."""
# MurmurHash3 constants
c1 = 0xcc9e2d51
c2 = 0x1b873593
r1 = 15
r2 = 13
m = 5
n = 0xe6546b64
# Initialize hash value
h1 = seed
length = len(key)
nblocks = length // 4
# Process 4-byte chunks
for i in range(nblocks):
chunk_start = i * 4
k1 = int.from_bytes(key[chunk_start:chunk_start + 4], 'little')
# Mix the chunk into the hash
k1 = (k1 * c1) & 0xFFFFFFFF
k1 = ((k1 << r1) | (k1 >> (32 - r1))) & 0xFFFFFFFF
k1 = (k1 * c2) & 0xFFFFFFFF
h1 ^= k1
h1 = ((h1 << r2) | (h1 >> (32 - r2))) & 0xFFFFFFFF
h1 = (h1 * m + n) & 0xFFFFFFFF
# Process the tail (any remaining bytes)
tail_index = nblocks * 4
k1 = 0
tail_len = length & 3
if tail_len >= 3:
k1 ^= key[tail_index + 2] << 16
if tail_len >= 2:
k1 ^= key[tail_index + 1] << 8
if tail_len >= 1:
k1 ^= key[tail_index]
if tail_len > 0:
k1 = (k1 * c1) & 0xFFFFFFFF
k1 = ((k1 << r1) | (k1 >> (32 - r1))) & 0xFFFFFFFF
k1 = (k1 * c2) & 0xFFFFFFFF
h1 ^= k1
# Finalization mix
h1 ^= length
h1 ^= h1 >> 16
h1 = (h1 * 0x85ebca6b) & 0xFFFFFFFF
h1 ^= h1 >> 13
h1 = (h1 * 0xc2b2ae35) & 0xFFFFFFFF
h1 ^= h1 >> 16
return h1
3. The Sweet Spot Among Other Fast Hashes
Even when you compare it to other speedy hashes, Murmur carves out its own special niche.
- Better than FNV: The FNV hash is another quick and simple option, but it’s more likely to have those pesky collisions we talked about, making it less reliable.
- More Convenient than xxHash: You might hear about xxHash, which is insanely fast—sometimes even faster than Murmur. But Murmur has been around the block. It’s more of a household name in the C++ community. Since we’re just hashing short little function names, that tiny speed difference doesn’t matter. It was just easier to grab the one everyone already knew.
Conclusion: A Lesson in Malicious Pragmatism
So, Conti’s choice to use MurmurHash wasn’t some 5D chess move; it was just smart, cold, and practical. They didn’t pick it because it was the ‘best’ hash in the world, but because it gave them the perfect deadly cocktail of features:
- Fast Enough to not hinder execution.
- Reliable Enough to not cause crashes.
- Simple Enough to be copied and pasted without effort.
It’s a great reminder that in the world of cybersecurity, attackers don’t always win with super-complex secret weapons. More often, they win by cleverly using simple, effective, and public tools for evil. Understanding why they make these choices is how we build better defenses and stay one step ahead in this endless digital chase.
Cyber Security Architect | Red/Blue Teaming | Exploit/Malware Analysis 