Microsoft security researchers have discovered new variants of the year-old Hive ransomware: originally written in the Go programming language, it has now been rewritten in Rust.
Hive emerged in June 2021 and was spotlighted by the FBI in an alert two months later. In November, European electronics retail giant MediaMarkt also got stung by Hive. It is another ransomware-as-a-service (RaaS) double-extortion operation; its affiliates have recently been gaining initial access through vulnerable Microsoft Exchange Servers, vulnerable RDP servers, compromised VPN credentials, and phishing, then deploying the ransomware and stealing data they can threaten to leak.
Hive’s Rust migration has been underway for a few months, and it has borrowed from BlackCat ransomware, which is also written in Rust. As BleepingComputer reported, Group-IB researchers found in March that Hive had converted its Linux encryptor (used against VMware ESXi servers) to Rust, with changes copied from BlackCat that make it harder for security researchers to eavesdrop on its ransom negotiations with victims.
Microsoft’s analysis shows that the Rust rewrite is far more comprehensive than that, and it also confirms the significance of the change to Hive’s encryption scheme that was noted in March.
“The upgrades in the latest variant [of Hive] are effectively an overhaul: the most notable changes include a full code migration to another programming language and the use of a more complex encryption method,” Microsoft Threat Intelligence Center (MSTIC) said in a blogpost.
“The impact of these updates is far-reaching, considering that Hive is a RaaS payload that Microsoft has observed in attacks against organizations in the healthcare and software industries by large ransomware affiliates like DEV-0237.”
Microsoft lists the properties that make Rust one of the most sought-after languages among programmers, such as memory safety and good cryptographic library support, and notes that the same properties serve the ransomware authors just as well.
The benefits to Hive of moving to Rust, according to Microsoft, are:
- It offers memory, data type, and thread safety
- It has deep control over low-level resources
- It has a user-friendly syntax
- It has several mechanisms for concurrency and parallelism, thus enabling fast and safe file encryption
- It has a good variety of cryptographic libraries
- It’s relatively more difficult to reverse-engineer
Microsoft found that the new ransom note differs from the one used in older variants. The new note instructs victims: “Do not delete or reinstall VMs. There will be nothing to decrypt” and “Do not modify, rename or delete *.key files. Your data will be undecryptable.” The *.key files are not the victim’s encrypted data: they hold the encrypted key material that Hive writes to the root of each drive it encrypts, and without them the encrypted files cannot be recovered even by the attackers.
Microsoft reckons the most interesting change to Hive is its new cryptographic mechanism, which appeared in late February, a few days after researchers from Kookmin University in South Korea published the paper “A Method for Decrypting Data Infected with Hive Ransomware”. Those researchers recovered 95% of Hive’s master key without the gang’s RSA private key and used it to decrypt the data.
Hive has also adopted an unusual approach to handling keys during file encryption.
“Instead of embedding an encrypted key in each file that it encrypts, it generates two sets of keys in memory, uses them to encrypt files, and then encrypts and writes the sets to the root of the drive it encrypts, both with .key extension,” Microsoft notes.
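A model of that key-handling design, written here as an added Rust example (it is not Hive’s code and not taken from Microsoft’s analysis; the XOR keystream cipher, the XOR “wrapping” of the key sets in place of public-key encryption, the xorshift generator, the 4 KiB key-set size and the practice of recording the set index and offset in the file name are all modelling assumptions). It shows what the quoted description implies: no key material lives inside the encrypted files, every file depends on two key sets that exist only in memory until they are wrapped and written to the drive root as a .key file, and deleting that file leaves nothing to decrypt, which is exactly why the new ransom note warns against touching *.key files.

```rust
// Illustrative model of "two key sets in memory, files encrypted from them,
// wrapped sets written to the drive root as .key". Added example, not Hive's
// code. Ciphers, sizes and the file-name metadata scheme are assumptions.
use std::collections::BTreeMap;

const KEYSET_LEN: usize = 4096; // assumption: real key sets are far larger

/// xorshift64* so the example runs with no crates. Anything real must use
/// the OS CSPRNG instead; this is for reproducible demonstration only.
struct Rng(u64);
impl Rng {
    fn next_u64(&mut self) -> u64 {
        let mut x = self.0;
        x ^= x >> 12;
        x ^= x << 25;
        x ^= x >> 27;
        self.0 = x;
        x.wrapping_mul(0x2545_F491_4F6C_DD1D)
    }
    fn fill(&mut self, buf: &mut [u8]) {
        for chunk in buf.chunks_mut(8) {
            let bytes = self.next_u64().to_le_bytes();
            chunk.copy_from_slice(&bytes[..chunk.len()]);
        }
    }
}

/// The two key sets, generated in memory at the start of a run and never
/// stored inside any encrypted file.
struct KeySets { sets: [Vec<u8>; 2] }
impl KeySets {
    fn generate(rng: &mut Rng) -> Self {
        let mut sets = [vec![0u8; KEYSET_LEN], vec![0u8; KEYSET_LEN]];
        for s in sets.iter_mut() { rng.fill(s); }
        KeySets { sets }
    }
    fn to_bytes(&self) -> Vec<u8> { [&self.sets[0][..], &self.sets[1][..]].concat() }
    fn from_bytes(b: &[u8]) -> Option<Self> {
        if b.len() != 2 * KEYSET_LEN { return None; }
        Some(KeySets { sets: [b[..KEYSET_LEN].to_vec(), b[KEYSET_LEN..].to_vec()] })
    }
}

/// Stand-in stream cipher (assumption): XOR with the chosen set from `offset`.
/// Applying it twice with the same parameters restores the plaintext.
fn xor_stream(keys: &KeySets, set: usize, offset: usize, data: &[u8]) -> Vec<u8> {
    let ks = &keys.sets[set];
    data.iter().enumerate().map(|(i, b)| b ^ ks[(offset + i) % ks.len()]).collect()
}

/// Stand-in for encrypting the key sets to the operator's key (assumption:
/// a real implementation would use public-key encryption here).
fn wrap(keyset_bytes: &[u8], wrapping_key: &[u8]) -> Vec<u8> {
    keyset_bytes.iter().enumerate().map(|(i, b)| b ^ wrapping_key[i % wrapping_key.len()]).collect()
}

/// Toy drive: path -> bytes. Files are replaced in place when encrypted.
type Drive = BTreeMap<String, Vec<u8>>;

/// Encrypt every file from in-memory key sets, then write the wrapped sets
/// to the drive root as a .key file. Returns the number of files encrypted.
fn encrypt_drive(drive: &mut Drive, rng: &mut Rng, wrapping_key: &[u8]) -> usize {
    let keys = KeySets::generate(rng);
    let paths: Vec<String> = drive.keys().cloned().collect();
    let mut n = 0;
    for path in paths {
        let plain = drive.remove(&path).unwrap();
        let set = (rng.next_u64() % 2) as usize;
        let offset = (rng.next_u64() as usize) % KEYSET_LEN;
        let body = xor_stream(&keys, set, offset, &plain);
        // Which set and offset were used is recorded in the name, so the
        // encrypted body carries no key material at all (assumption).
        drive.insert(format!("{}.{}.{}.hive", path, set, offset), body);
        n += 1;
    }
    drive.insert("/keys.key".to_string(), wrap(&keys.to_bytes(), wrapping_key));
    n
}

/// Recover every file. Fails outright if the .key file is missing, which is
/// the "nothing to decrypt" situation the ransom note warns about.
fn decrypt_drive(drive: &mut Drive, wrapping_key: &[u8]) -> Result<usize, String> {
    let wrapped = drive.get("/keys.key").ok_or("no .key file at drive root: nothing to decrypt")?;
    let keys = KeySets::from_bytes(&wrap(wrapped, wrapping_key)).ok_or("malformed .key file")?;
    let encrypted: Vec<String> = drive.keys().filter(|p| p.ends_with(".hive")).cloned().collect();
    let mut n = 0;
    for path in encrypted {
        let stem = path.trim_end_matches(".hive");
        let mut parts = stem.rsplitn(3, '.');
        let offset: usize = parts.next().and_then(|s| s.parse().ok()).ok_or(format!("bad name {}", path))?;
        let set: usize = parts.next().and_then(|s| s.parse().ok()).ok_or(format!("bad name {}", path))?;
        let original = parts.next().ok_or(format!("bad name {}", path))?.to_string();
        if set > 1 || offset >= KEYSET_LEN { return Err(format!("bad name {}", path)); }
        let body = drive.remove(&path).unwrap();
        drive.insert(original, xor_stream(&keys, set, offset, &body));
        n += 1;
    }
    Ok(n)
}

fn main() {
    // Constructed sample drive and a stand-in operator key.
    let key = b"operator-key-stand-in";
    let mut drive: Drive = BTreeMap::new();
    drive.insert("/docs/report.txt".to_string(), b"constructed sample".to_vec());
    let n = encrypt_drive(&mut drive, &mut Rng(0xdead_beef_cafe_f00d), key);
    println!("encrypted {} file(s); drive now holds {:?}", n, drive.keys().collect::<Vec<_>>());
    let mut no_key = drive.clone();
    no_key.remove("/keys.key");
    println!("without .key: {:?}", decrypt_drive(&mut no_key, key));
    println!("with .key:    {:?}", decrypt_drive(&mut drive, key));
}
```

The model is deliberately small, but the property it checks is the one that matters operationally: a recovery effort that starts by wiping or rebuilding affected volumes, or that treats the stray .key files at the drive root as attacker litter and deletes them, destroys the only copy of the material every encrypted file depends on.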