Microsoft security researchers have discovered new variants of the year-old Hive ransomware, originally written in the Go programming language, that have been rewritten in Rust.
Hive appeared in June 2021 and was thrust into the spotlight when the FBI issued a warning about it two months later. In November, European electronics retailer MediaMarkt was also hit by Hive. It is another ransomware-as-a-service (RaaS) double-extortion gang, one that has recently relied on vulnerable Microsoft Exchange servers, exposed RDP servers, compromised VPN credentials and phishing to deploy its ransomware and steal leak-worthy data.
Hive’s migration to Rust has been under way for a few months, following the lead of BlackCat ransomware, which is also written in Rust. As BleepingComputer reported in March, Group-IB researchers discovered that Hive had converted its Linux encryptor (used against VMware ESXi servers) to Rust to make it harder for security researchers to monitor its ransom negotiations with victims.
Microsoft’s analysis indicates that Hive’s Rust rewrite is much more comprehensive than that, and it also bears out the significance of the change in encryption method noted in March.
“The upgrades in the latest variant [of Hive] are in fact an overhaul: the most notable changes include a full code migration to a different programming language and the use of a more complex encryption method,” Microsoft Threat Intelligence Center (MSTIC) said in a blog post.
“The impact of these updates is far-reaching, as Hive is a RaaS payload that Microsoft has observed in attacks on healthcare and software industry organizations by major ransomware affiliates such as DEV-0237.”
Microsoft lists the main advantages of Rust over other languages that have made it one of the most popular languages among programmers, such as better memory safety and good support for cryptographic libraries.
According to Microsoft, the benefits for Hive of moving to Rust are:
- It provides memory, data type and thread safety
- It has deep control over low-level resources
- It has a user-friendly syntax
- It has several mechanisms for concurrency and parallelism, enabling fast and secure file encryption
- It has a good variety of cryptographic libraries
- It is relatively more difficult to reverse engineer
Microsoft found that the new ransom note differs from the one used in older variants. The new note instructs victims: “Do not delete or install VMs. There is nothing to decrypt” and “Do not modify, rename or delete *.key files. Your data will not be decryptable.” The *.key files are not the victim’s encrypted files: they hold the encrypted key material that Hive writes to the root of each drive it encrypts, and without them the data cannot be decrypted even if a key is later obtained.
Microsoft considers the most interesting change to be the new cryptographic mechanism, introduced in late February, a few days after researchers from South Korea’s Kookmin University published the paper “A Method for Decrypting Data Infected with Hive Ransomware”. The researchers were able to recover 95% of the master key without Hive’s RSA private key and then decrypt the data.
Hive also took a unique approach to file encryption.
“Instead of embedding an encrypted key in every file it encrypts, it generates two sets of keys in memory, uses them to encrypt files, and then encrypts and writes the sets to the root of the drive it encrypts, both with a .key extension,” notes Microsoft.
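The practical consequence for incident responders is that the *.key files at a volume root are the one artefact that must survive: the ransom note says deleting or renaming them makes the data undecryptable, and the Kookmin work shows that key material can sometimes be recovered later. The following triage helper is an added example written for this article, not Microsoft's or Hive's code; it assumes only what the text states (encrypted key sets dropped at the root of each encrypted drive, with a .key extension). The drive roots are whatever the caller passes in, and the sample volume it builds is constructed data for the demo, not a real infection.

```python
"""Triage helper: locate and preserve ransomware key-set files at volume roots.

Added example for this article, not Microsoft's or Hive's code. It assumes
only what the article states: the encryptor writes its encrypted key sets
to the root of each drive it encrypts, with a .key extension, and the ransom
note warns that modifying, renaming or deleting those files makes the data
undecryptable. Which roots to scan is the caller's choice (assumption); the
sample volume below is constructed for the demo.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in 1 MiB chunks so large key blobs don't need to fit in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_keyset_files(roots):
    """Return metadata for every *.key file sitting directly at a volume root.

    Only the root level is checked (no recursion): that is where the
    encryptor drops its key sets, and it keeps the scan cheap on large volumes.
    """
    found = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for entry in sorted(root.iterdir()):
            if entry.is_file() and entry.suffix.lower() == ".key":
                found.append({
                    "path": str(entry),
                    "size": entry.stat().st_size,
                    "sha256": sha256_file(entry),
                })
    return found


def preserve_keyset_files(found, dest):
    """Copy each .key file into an evidence directory and verify the copy's hash.

    The originals are left exactly where they are (never rename or delete
    them); the copies are made read-only so a later cleanup cannot clobber
    the evidence. Returns the list of verified copy paths.
    """
    dest = Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    copied = []
    for item in found:
        src = Path(item["path"])
        # Prefix with the hash so same-named files from different volumes don't collide.
        target = dest / f"{item['sha256'][:16]}_{src.name}"
        shutil.copy2(src, target)
        if sha256_file(target) != item["sha256"]:
            raise RuntimeError(f"copy of {src} failed hash verification")
        os.chmod(target, 0o444)
        copied.append(str(target))
    return copied


def build_sample_volume():
    """Construct a fake volume root for the demo (constructed data, not a real sample)."""
    vol = Path(tempfile.mkdtemp(prefix="demo_vol_"))
    (vol / "a1b2c3.key").write_bytes(os.urandom(512))   # stands in for an encrypted key set
    (vol / "d4e5f6.key").write_bytes(os.urandom(512))   # the second key set
    (vol / "report.docx").write_bytes(b"unrelated file, not a key set")
    nested = vol / "Users"
    nested.mkdir()
    (nested / "nested.key").write_bytes(b"not at the root; ignored by this scan")
    return vol


def triage_demo():
    """Scan the constructed volume and preserve what it finds; returns (found, copies)."""
    vol = build_sample_volume()
    found = find_keyset_files([vol])
    evidence = Path(tempfile.mkdtemp(prefix="evidence_")) / "keys"
    copies = preserve_keyset_files(found, evidence)
    return found, copies


if __name__ == "__main__":
    found, copies = triage_demo()
    for item in found:
        print(f"{item['path']}  {item['size']} bytes  sha256={item['sha256']}")
    print(f"preserved {len(copies)} key file(s)")
```

On a live host you would pass the real mount points or drive letters instead of the constructed volume, and keep the evidence directory on separate media; the hash recorded at collection time is what lets you prove later that the preserved key sets are byte-identical to what the encryptor wrote.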