Hive Ransomware Upgrades to Rust for More Advanced Encryption Method


The operators of the Hive ransomware-as-a-service (RaaS) scheme have revised their file encryption software to migrate completely to Rust and use a more advanced encryption method.

“With the latest variant with several significant upgrades, Hive is also proving that it is one of the fastest evolving ransomware families, exemplifying the ever-changing ransomware ecosystem,” Microsoft Threat Intelligence Center (MSTIC) said Tuesday in a report.

First sighted in June 2021, Hive has emerged as one of the most prolific RaaS groups, accountancy in the month of May 2022 alone for 17 attacks, in addition to Black Basta and Conti.

The move from GoLang to Rust makes Hive the second ransomware strain after BlackCat to be written in the programming language, allowing the malware to gain additional benefits such as memory security and deeper control over low-level resources, as well as leverage a wide range of cryptographic libraries.

What it also offers is the ability to make the malware resistant to reverse engineering, making it evasive. In addition, it comes with features to terminate services and processes associated with security solutions that can keep it in its way.

Hive is no different from other ransomware families in that it deletes backups to prevent recovery, but what has changed significantly in the new Rust-based variant is its approach to file encryption.

“Instead of embedding an encrypted key in every file it encrypts, it generates two sets of keys in memory, uses them to encrypt files and encrypts, and then writes the sets to the root of the disk it encrypts, both with a .key extension,” explains MSTIC.

To determine which of the two keys is used to lock a specific file, an encrypted file is renamed to contain the filename containing the key, followed by an underscore and a Base64 encoded string (e.g. “C:\ myfoto.jpg .l0Zn68cb _ -B82BhIaGhI8”) pointing to two different locations in the associated .key file.

The findings come as the threat actor behind the lesser-known AstraLocker ransomware stopped working and released decryption tool as part of shift to crytojacking, Bleeping Computer reported this week.

But to point out that the cybercriminal landscape is constantly evolving, cybersecurity researchers have: discovers a new ransomware family called RedAlert (aka N13V) which can target both Windows and Linux VMWare ESXi servers.