One of the most dastardly ransomware strains has received a rust-flavored update

Hive, one of the most destructive ransomware-as-a-service tools, has undergone a major overhaul that makes it more resistant to antivirus programs and other security solutions.

These are the conclusions of a team of researchers at the Microsoft Threat Intelligence Center (MSTIC), who recently conducted an in-depth analysis of a new variant of Hive.

“Hive ransomware is only about a year old, having been first observed in June 2021, but it has become one of the most prevalent ransomware payloads in the ransomware-as-a-service (RaaS) ecosystem,” Microsoft said in its report.

Far-reaching impact

The biggest change is the full migration of the code base from Go (also known as Golang) to Rust. The impact of these updates is "far-reaching," according to Microsoft.

Among other things, Rust offers deep control over low-level resources, has an easy-to-use syntax, provides various concurrency and parallelism mechanisms and a good variety of cryptographic libraries, and is comparatively more difficult to reverse engineer.

The new variant also uses string encryption, which makes it a bit harder to detect, and the underlying algorithms have changed as well. The Rust version of Hive uses Elliptic Curve Diffie-Hellman (ECDH) with Curve25519 and XChaCha20-Poly1305 (an authenticated encryption scheme combining the ChaCha20 stream cipher with the Poly1305 authenticator).

For file encryption, it now generates two sets of keys in memory (instead of embedding an encrypted key in each encrypted file) and uses both to encrypt files on the target endpoint. It then encrypts the key sets themselves and writes them to the root of the encrypted drive, both with a .key extension.
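The .key artefact just described lends itself to a simple host check. As an added example (not the article's or Microsoft's code), the Python below flags top-level .key files whose contents look encrypted; the file names, the entropy threshold and the sample data are constructed for illustration.

```python
# Added example (not from the article or the Microsoft report): a defender-side
# heuristic for the artefact described above, i.e. encrypted ".key" files dropped
# at the root of a drive. File names, thresholds and sample data are constructed.
import math
import os
import tempfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted/random data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_suspect_key_files(root_dirs, min_entropy=7.5, max_read=64 * 1024):
    """Return (path, entropy) for top-level *.key files whose bytes look encrypted."""
    # Only each drive/mount root is inspected, matching the behaviour described above.
    hits = []
    for root in root_dirs:
        try:
            entries = os.listdir(root)
        except OSError:
            continue  # unmounted or unreadable root: skip rather than crash
        for name in entries:
            path = os.path.join(root, name)
            if not name.lower().endswith(".key") or not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                ent = shannon_entropy(fh.read(max_read))  # sample the head only
            if ent >= min_entropy:
                hits.append((path, round(ent, 2)))
    return hits


def build_constructed_root() -> str:
    """Create a throwaway 'drive root' holding one benign and one suspicious .key file."""
    root = tempfile.mkdtemp(prefix="keyfile_demo_")
    with open(os.path.join(root, "server.key"), "wb") as fh:  # benign: low-entropy PEM text
        fh.write(b"-----BEGIN PRIVATE KEY-----\n" + b"A" * 2000 + b"\n-----END PRIVATE KEY-----\n")
    with open(os.path.join(root, "encrypted_set.key"), "wb") as fh:  # stands in for an encrypted key set
        fh.write(os.urandom(4096))
    return root


if __name__ == "__main__":
    for path, ent in find_suspect_key_files([build_constructed_root()]):
        print(f"suspect encrypted key file: {path} (entropy {ent})")
```

A PEM-style text key scores far below the threshold and is not reported, while random or encrypted bytes score close to 8.0.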

To top it off, the operators changed the ransom message that follows the attack. The new version now references the .key files with its new file naming convention and warns victims not to remove or reinstall the virtual machines as there will be "nothing to decrypt".

Hive isn't the first ransomware to migrate to Rust, but it might be the first to signal a trend. Before Hive, it was BlackCat, another successful ransomware, that made the leap.