Hive ransomware operators have shifted their VMware ESXi Linux encryptor to the Rust language. Additionally, new features have been added to prevent researchers from peeking into the ransom negotiations with victims.
The updated and ported version
According to a researcher (Rivitna), who discovered the recent Linux-based sample, the ransomware operators have now updated their encryptor with new features
Hive now requires the attacker to provide a username/login password as a command-line argument during the launch of malware. This technique was earlier used by the BlackCat ransomware group.
The malware already requires a login ID and password to access the Tor negotiation pages. However, these credentials could be easily retrieved by security researchers, as these were previously stored in the encryptor executable.
By copying this tactic, now it has become almost impossible to obtain the Tor negotiation login credentials from Linux malware samples.
This allows the threat actors to keep the ransom negotiations private, preventing security researchers from snooping, just like BlackCat operators do.
Hive copies BlackCat
To avoid ransomware negotiations in public and other people coming to know about several details, the BlackCat ransomware had removed Tor negotiation URLs from their encryptor to avoid such snooping. Now, Hive has adopted the technique.
Researchers were able to reveal this update for the Linux variant of Hive but they could not confirm the same for the Windows variant. But, it could be around.
Rust and BlackCat
The reason for Hive to copy BlackCat’s tactics and port the Linux encryptor from Golang to Rust language is to make the ransomware samples more efficient and challenging to reverse engineer.
Ransomware groups are now evolving their malware by writing optimized code to make their ransom encrypter more efficient. Organizations are advised to focus on protecting sensitive data with robust encryption and access control.