Hive ransomware has got a new makeover. The main difference lies in the programming language used. While the old variants are written in Go, the new variant is written in Rust.

Key findings

  • According to researchers from Microsoft Threat Intelligence Center (MSTIC), the most notable update in the latest variant is the use of a more complex encryption method.
  • The malware variant uses ‘string’ encryption that can make it more stealthy. Strings reside in the .rdata section and are decrypted during runtime by XORing with constants.
  • Another key aspect of the new Hive variant includes the unique approach of using Elliptic Curve Diffie-Hellman with Curve25519 and XChaCha20-Poly1305 algorithms to encrypt files.
  • There is also a change in the ransom note, with the new version referring to the .key files with their new file name convention and adding a sentence about virtual machines. 

Advantages of switching to Rust

Hive ransomware isn’t the first ransomware written in Rust. BlackCat is another prevalent ransomware to be written in Rust. Switching to this language offers threat actors a variety of advantages:
  • Memory, data type, and thread safety
  • Several mechanisms for concurrency and parallelism, thus, enabling fast and safe file encryption
  • Good cryptographic libraries
  • Difficult to reverse engineer

Rising attack trend of Hive ransomware 

  • In a new report, Kaspersky’s threat intelligence revealed that the ransomware group has been active in the U.S., Great Britain, and Germany. 
  • The group, along with other ransomware groups, has targeted over 500 organizations in industries such as manufacturing, software development, and small businesses, between March 2021 and March 2022. 
  • The observed attacks followed a pattern that include compromising the corporate network or victims’ computers, delivering malware, deleting shadow copies, removing backups, and achieving their objectives.

Recommended actions

The techniques used by the new Hive variant can be mitigated by adopting security considerations. Organizations are recommended to include the IoCs to investigate the existence of such threats in environments and assess for potential intrusion. 

Cyware Publisher

Publisher

Cyware