One of the most dastardly ransomware strains has received a Rust-flavored upgrade
Hive has made the leap to Rust
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
One of the most destructiveransomware-as-a-service tools, Hive, has received a major overhaul, making it more resilient toantivirus programsand other security solutions.
These are the findings of a team of researchers at theMicrosoftThreat Intelligence Center (MSTIC), who recently did a deep dive into a new Hive variant.
“Hive ransomware is only about one year old, having been first observed in June 2021, but it has grown into one of the most prevalent ransomware payloads in the ransomware-as-a-service (RaaS) ecosystem,” Microsoft said in its report.
Far-reaching impact
The biggest change is the full code migration from Go (also known as GoLang) to Rust. The impact of these updates is “far-reaching”, Microsoft says.
Among other things, Rust offers deep control over low-level resources, has a user-friendly syntax, has several mechanisms for concurrency and parallelism, good variety of cryptographic libraries, and is relatively more difficult to reverse-engineer.
The new variant also uses stringencryption, making it somewhat harder to detect, and the underlying algorithms have changed too. The Rust version of Hive uses Elliptic Curve Diffie-Hellmann (ECDH), with Curve25519 and XChaCha20-Poly1305 (authenticated encryption with ChaCha20 symmetric cipher).
Best firewall of 2022: top paid and free services>Conti ransomware group officially shuts down - but probably not for long>Ransomware is affecting more businesses than ever this year
As for file encryption, it now generates two sets of keys in memory (as opposed to embedding an encrypted key in each encrypted file), and uses both to encrypt files on the targetendpoint. It then encrypts and writes the sets to the root of the encrypted drive, both with .key extensions.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
To top it off, the operators changed the ransom message that follows up to the attack. The new version now references the .key files with their new file name convention, and warns victims not to delete or reinstallVMs, as there will be “nothing to decrypt”.
Hive isn’t the first ransomware to migrate to Rust, but it might be the first to signal a trend. Before Hive, it was BlackCat, another successful ransomware, that made the jump.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
Windows PCs targeted by new malware hitting a vulnerable driver
Dangerous Android banking malware looks to trick victims with fake money transfers
Latest Google Pixel update includes surprise launch of Android 15’s best battery feature
