The Hive ransomware operation has developed a Rust version of their encryptor and added new features to prevent curious from snooping on the victim’s ransom negotiations.
According to BleepingComputer, which focused on Linux VMware ESXi encryptor, the Hive ransomware operators have updated their encryptor by introducing features that were implemented in the past by the BlackCat/ALPHV ransomware operation.
The BlackCat ransomware gang, unlike other ransomware operations, removed Tor negotiation URLs from their encryptor to prevent third parties from accessing the negotiation page and interfering in the communication between the victims and the gang. The URL in the BlackCat’s approach is passed as a command-line argument when the encryptor is executed.
In previous infections of Hive ransomware, victims were asked to connect to the negotiation page by using login credentials assigned to them and that were previously stored in the encryptor executable. This was to store credentials represented a weakness in the negotiation process.
The Rust version of the Hive Linux encryptor, version v5, was spotted by the Group-IB security researcher rivitna, who highlighted that is has a 0 detection rate. The researchers also noticed that Hive ransomware operation has ported builds (Windows, Linux, ESXi) to Rust using the same sources.
(SecurityAffairs – hacking, ransomware)