Hive Ransomware Switches to Rust to Increase Encryption Complexity
Hive members revamped the encryption software of their Ransomware-as-a-Service (RaaS) and underwent a complete Rust migration so they could switch to a more complex encryption method.
The malicious operation had earlier relied on GoLang, which, although powerful, was less versatile than the newly adopted Rust programming language. After its migration, Hive became the second ransomware strain written in Rust, after BlackCat.
According to Microsoft’s Threat Intelligence Center’s (MSTIC) advisory, the overhaul infused Hive with several powerful capabilities, including:
- Broader support for cryptographic libraries
- Advanced control over low-level resources
- Data type, memory and thread safety
- Can better withstand reverse-engineering attempts
- Multiple concurrency and parallelism mechanisms for convenient file encryption
- Ability to stop several security solution services and processes from hampering its operation (e.g., antivirservice, msmpsvc, windefend, mspub, avagent, winmgmt, backup and mysql)
The revamped version of Hive employs an unorthodox file encryption mechanism based on generating encryption keys in memory, using them, and writing them to the encrypted drive’s root.
“To indicate which keys set was used to encrypt a file, the name of the .key file containing the corresponding encryption keys is added to the name of the encrypted file on disk, followed by an underscore and then a Base64 string (also adding underscore and hyphen to the character set),” MSTIC says. “Once it’s Base64-decoded, the string contains two offsets, with each offset pointing to a different location in the corresponding .key file. This way, the attacker can decrypt the file using these offsets.”
This discovery comes about a week after South Korean cybersecurity agency KISA released a free decryption tool for victims of Hive ransomware. The decryption tool works for files encrypted by Hive versions v1 through v4.
Seeing as the decryptor’s release rendered these versions of the Hive RaaS almost useless, it’s likely that this event triggered the decision to migrate to Rust for high-complexity encryption.
How to monitor your online privacy during your Thanksgiving trip
November 22, 2022
Just your yearly dose of Black Friday spam: Cybercrooks get ahead of the game to steal shoppers’ info
November 16, 2022
Bitdefender VPN in 2022: the new, the improved, and the soon-to-be
November 14, 2022
August Spam Debrief: Bitdefender Labs Warns of Fraud Campaigns Exploiting the Russia-Ukraine War
August 31, 2022
Snake Keylogger Returns in Malspam Campaign Disguised as Business Portfolio from IT Vendor
August 30, 2022
What is medical identity theft and how to protect against it
July 27, 2022