New Hive ransomware variant is written in Rust and uses an improved encryption method

Hive ransomware operators have rewritten their file-encrypting module in Rust and adopted a more sophisticated encryption scheme.

The operators of the Hive ransomware have upgraded their malware by migrating it to the Rust language and implementing a more sophisticated encryption method, Microsoft researchers warn.

“The upgrades in the latest variant are effectively an overhaul: the most notable changes include a full code migration to another programming language and the use of a more complex encryption method.” reads the post published by Microsoft. “The impact of these updates is far-reaching, considering that Hive is a RaaS payload that Microsoft has observed in attacks against organizations in the healthcare and software industries by large ransomware affiliates like DEV-0237.”

These upgrades show that Hive is one of the fastest-evolving ransomware families in the cybercrime ecosystem.

The Hive ransomware operation has been active since June 2021. It runs as a Ransomware-as-a-Service (RaaS) and adopts a double-extortion model, threatening to publish data stolen from victims on its leak site (HiveLeaks). In August 2021, the Federal Bureau of Investigation (FBI) released a flash alert on Hive ransomware attacks that includes technical details and indicators of compromise associated with the gang's operations. According to a report published by the blockchain analytics company Chainalysis, Hive was one of the top 10 ransomware strains by revenue in 2021. The group has used a variety of initial access methods, including malspam campaigns, vulnerable RDP servers, and compromised VPN credentials.

The Microsoft Threat Intelligence Center (MSTIC) researchers discovered the new variant while analyzing a new technique the ransomware uses to drop .key files.

The most visible difference between the new Hive variant and the old ones is the programming language: the old variants were written in Go, while the new one is written in Rust.

Other ransomware families have migrated their code to Rust, BlackCat being the first. According to Microsoft, the move to Rust offers the following advantages:

  • It offers memory, data type, and thread safety
  • It has deep control over low-level resources
  • It has a user-friendly syntax
  • It has several mechanisms for concurrency and parallelism, thus enabling fast and safe file encryption
  • It has a good variety of cryptographic libraries
  • It’s relatively more difficult to reverse-engineer

The most important change in the latest Hive variant is its encryption mechanism. The new variant was first uploaded to VirusTotal on February 21, 2022, just a few days after a group of researchers from Kookmin University in South Korea published research on how to decrypt data from systems infected with the Hive ransomware.

“The new variant uses a different set of algorithms: Elliptic Curve Diffie-Hellman (ECDH) with Curve25519 and XChaCha20-Poly1305 (authenticated encryption with ChaCha20 symmetric cipher).” continues Microsoft.

The new variant generates two sets of keys in memory, uses them to encrypt the files, and then encrypts the key sets and writes them to the root of the drive it encrypts, both with a .key extension. Older variants instead embedded an encrypted key in each file they encrypted. In practice this means the material needed to decrypt a victim's files is concentrated in those .key files rather than spread across every encrypted file.
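To make the hybrid structure behind that description concrete, here is an added illustration written for this article (it is not Hive's code and does not reproduce Hive's file format): a random symmetric key encrypts the file data, an ephemeral X25519 (Curve25519) key pair agrees a shared secret with the operator's public key, and the file key is wrapped under a key derived from that secret, producing the kind of blob a ransomware would write out as a .key file. It uses only Go's standard library, so AES-256-GCM stands in for XChaCha20-Poly1305, which the standard library does not include, and SHA-256 over the shared secret stands in for a proper KDF. The function names, the blob layout and the sample input are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Added illustration of the hybrid "key file" pattern, not Hive's code: a random
// symmetric key encrypts the files, then that key is wrapped to the operator's
// Curve25519 public key via X25519 ECDH and emitted as a .key-style blob. AES-256-GCM
// stands in for XChaCha20-Poly1305 (absent from Go's standard library); the structure is the same.

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // cipher setup or key generation failing is fatal for this demo
	}
	return v
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	must(io.ReadFull(rand.Reader, b))
	return b
}

// aeadSeal returns nonce || ciphertext || tag under a fresh random nonce.
func aeadSeal(key, plaintext []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// aeadOpen reverses aeadSeal and fails if the authentication tag does not verify.
func aeadOpen(key, blob []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// WrapFileKey is the victim-side step: an ephemeral X25519 key pair agrees a shared
// secret with the operator's public key (the only key the sample has to carry), a
// wrapping key is derived from it, and the file key is sealed under that.
// Blob layout (an assumption for this example): ephemeralPub(32) || nonce || ciphertext || tag.
func WrapFileKey(operatorPub *ecdh.PublicKey, fileKey []byte) []byte {
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	wrapKey := sha256.Sum256(must(eph.ECDH(operatorPub))) // toy KDF; real code would use HKDF with context
	return append(eph.PublicKey().Bytes(), aeadSeal(wrapKey[:], fileKey)...)
}

// UnwrapFileKey is the operator-side step and needs the operator's private key, which
// never reaches the victim. Any other key derives a different wrapping key and the tag check fails.
func UnwrapFileKey(operatorPriv *ecdh.PrivateKey, keyFile []byte) ([]byte, error) {
	if len(keyFile) < 32 {
		return nil, errors.New("key file too short")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(keyFile[:32])
	if err != nil {
		return nil, err
	}
	shared, err := operatorPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	wrapKey := sha256.Sum256(shared)
	return aeadOpen(wrapKey[:], keyFile[32:])
}

// RunScenario walks the whole flow on constructed input and reports whether the
// operator's key recovers the file and whether an unrelated key is rejected.
func RunScenario(plaintext []byte) (recovered, wrongKeyRejected bool) {
	operator := must(ecdh.X25519().GenerateKey(rand.Reader)) // private half stays with the operator
	fileKey := randBytes(32)
	encFile := aeadSeal(fileKey, plaintext)               // what the victim's file becomes
	keyFile := WrapFileKey(operator.PublicKey(), fileKey) // what is written to disk as .key
	got, err := UnwrapFileKey(operator, keyFile)
	if err != nil {
		return false, false
	}
	dec, err := aeadOpen(got, encFile)
	recovered = err == nil && bytes.Equal(dec, plaintext)
	other := must(ecdh.X25519().GenerateKey(rand.Reader))
	_, err = UnwrapFileKey(other, keyFile)
	return recovered, err != nil
}

func main() {
	ok, rejected := RunScenario([]byte("constructed sample file contents"))
	fmt.Println("operator recovers file:", ok, "| unrelated key rejected:", rejected)
}
```

Run it with go run: the operator's private key recovers the file key and the file, while an unrelated private key fails the AEAD tag check rather than producing garbage. That asymmetry is the point of the design: the public key can sit in the sample, the .key blob can sit on the victim's drive, and neither helps without the private key kept by the RaaS operator.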

The analysis of the latest variant also revealed the use of string encryption, which can make it more evasive. In the old Hive variants, the credentials for the Hive ransom payment website were embedded in the samples; in the new variant they must be supplied on the command line via the “-u” parameter. This change means they can no longer be recovered simply by analyzing the sample.

Microsoft researchers shared indicators of compromise (IoCs) for the new variant and recommend that organizations use them to check whether they are present in their environment and to assess for potential intrusion.


Pierluigi Paganini

(SecurityAffairs – hacking, Hive ransomware)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). A passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
