The operators of the Hive ransomware upgraded their malware by migrating the malware to the Rust language and implementing a more sophisticated encryption method, Microsoft researchers warn.
“The upgrades in the latest variant are effectively an overhaul: the most notable changes include a full code migration to another programming language and the use of a more complex encryption method.” reads the post published by Microsoft. “The impact of these updates is far-reaching, considering that Hive is a RaaS payload that Microsoft has observed in attacks against organizations in the healthcare and software industries by large ransomware affiliates like DEV-0237.”
These upgrades prove that Hive is one of the fastest evolving ransomware families in the cybercrime ecosystem.
The Hive ransomware operation has been active since June 2021, it provides Ransomware-as-a-Service Hive and adopts a double-extortion model threatening to publish data stolen from the victims on their leak site (HiveLeaks). In April 2021, the Federal Bureau of Investigation (FBI) has released a flash alert on the Hive ransomware attacks that includes technical details and indicators of compromise associated with the operations of the gang. According to a report published by blockchain analytics company Chainalysis, the Hive ransomware is one of the top 10 ransomware strains by revenue in 2021. The group used a variety of attack methods, including malspam campaigns, vulnerable RDP servers, and compromised VPN credentials.
The Microsoft Threat Intelligence Center (MSTIC) researchers discovered the new variant, while analyzing a new technique used by the ransomware for dropping .key files.
The main difference between the new variant of the Hive ransomware and old ones is the programming language used by the operators. The old variants were written in Go language, while the new Hive variant is written in Rust.
Other ransomware families have migrated their code to Rust such as the BlackCat one which was the first. The porting to Rust language provides the following advantages:
The most important change in the latest Hive variant is the encryption mechanism it adopts. The new variant was first uploaded to VirusTotal on February 21, 2022, just a few days after a group of researchers from Kookmin University in South Korea shared details about research on how to decrypt data from systems infected with the Hive ransomware.
“The new variant uses a different set of algorithms: Elliptic Curve Diffie-Hellmann (ECDH) with Curve25519 and XChaCha20-Poly1305 (authenticated encryption with ChaCha20 symmetric cipher).” continues Microsoft.
The new variant generates two sets of keys in memory, uses them to encrypt the files, and then encrypts and writes the sets to the root of the drive it encrypts, both with .key extension. The old variants, instead, were embedding an encrypted key in each file that they encrypt.
The analysis of the latest variant revealed the uses of string encryption that can make it more evasive. In the old Hive variants, the credentials to access the Hive ransom payment website were embedded in the samples, in the new variant, they must be supplied in the command line under the “-u” parameter. This change implied that it is impossible to obtain them by analyzing the sample.
Microsoft researchers shared indicators of compromise (IoC) for the new variant and recommend organizations to use them to investigate whether they exist in their environment and assess for potential intrusion.
(SecurityAffairs – hacking, Hive ransomware)