
Microsoft discovered Hive ransomware using Rust programming language to encrypt key files

Microsoft cybersecurity researchers discovered new variants of Hive ransomware written in the Rust programming language instead of Go. Hive is a ransomware strain that was used by novice cybercriminals to launch attacks on healthcare, energy providers, and charities.

Hive ransomware was first discovered in June 2021 and used to be written in Go, a statically typed, compiled, open-source programming language. Reportedly, the ransomware is now written in Rust, a multi-paradigm, general-purpose programming language. Rust allows threat actors to build complex ransomware with millions of lines of code, and it can also be used on embedded devices. Rust also helps ransomware hide its identity efficiently by appearing to be legitimate software.

The FBI issued an alert about traces of Hive ransomware in August 2021. The ransomware claimed its first victim in November 2021, when European electronics retail giant MediaMarkt was compromised by Hive.

Microsoft Exchange Servers have suffered ransomware-as-a-service (RaaS) double-extortion attacks carried out through compromised VPN credentials, phishing, and RDP servers.

Ransomware as a service (RaaS) performs extortion over stolen or encrypted data and can be used as pay-for-use malware. According to reports, Hive adopted the Rust language from BlackCat ransomware. Microsoft stated that Hive has been using Rust in a more comprehensive way and has a more advanced encryption method.

Microsoft Threat Intelligence Center (MSTIC) said, “The upgrades in the latest variant (of Hive) are effectively an overhaul: the most notable changes include a full code migration to another programming language and the use of a more complex encryption method.”

Microsoft also stated that the Rust programming language offers more thread safety, user-friendly syntax, and deep control over low-level resources, and can enable safe file encryption. According to Microsoft, the Rust-based Hive ransomware creates notes to instruct victims. MSTIC also included the text of these notes, which say, “Do not delete or reinstall VMs. There will be nothing to decrypt. Do not modify, rename or delete key files. Your data will be undecryptable.” The ransomware group directly instructs the victim not to remove the key files, which are the files compromised by Hive.

Reportedly, Hive has adopted a unique way of file encryption that provides maximum authority to the ransomware groups. Microsoft further stated, “instead of embedding an encrypted key in each file that it encrypts, it generates two sets of keys in memory, uses them to encrypt files, and then encrypts and writes the sets to the root of the drive it encrypts both with .key extension.”
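Because the key sets are written as `.key` files to the root of each encrypted drive, their creation is visible in file-creation telemetry. The following Python is an added example, not code from Microsoft or from the original article; the event format, field names, paths, process names, and the five-minute window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

WINDOW = timedelta(minutes=5)  # assumed correlation window, tune per environment
MIN_KEY_FILES = 2              # the quote above describes two key sets per drive

# Constructed file-creation events; field names and paths are hypothetical.
SAMPLE_EVENTS = [
    {"time": "2022-07-05T10:00:01", "process": r"C:\Users\Public\svc.exe", "path": r"C:\sample-one.key"},
    {"time": "2022-07-05T10:00:03", "process": r"C:\Users\Public\svc.exe", "path": r"C:\sample-two.key"},
    {"time": "2022-07-05T10:02:00", "process": r"C:\Tools\openssl.exe", "path": r"C:\Users\dev\tls\server.key"},
    {"time": "2022-07-05T10:03:00", "process": r"C:\Tools\setup.exe", "path": r"D:\license.key"},
    {"time": "2022-07-05T02:00:00", "process": r"C:\Tools\backup.exe", "path": r"E:\old.key"},
    {"time": "2022-07-05T09:00:00", "process": r"C:\Tools\backup.exe", "path": r"E:\new.key"},
]

def is_root_key_file(path):
    """True for a .key file that sits directly in the root of a drive."""
    p = PureWindowsPath(path)
    return (p.is_absolute() and p.suffix.lower() == ".key"
            and p.parent == PureWindowsPath(p.anchor))

def detect(events):
    """Flag a process that creates MIN_KEY_FILES root-level .key files
    on one drive within WINDOW."""
    groups = defaultdict(list)
    for e in events:
        if is_root_key_file(e["path"]):
            drive = PureWindowsPath(e["path"]).drive.upper()
            when = datetime.fromisoformat(e["time"])
            groups[(e["process"].lower(), drive)].append((when, e["path"]))
    alerts = []
    for (process, drive), hits in sorted(groups.items()):
        hits.sort()  # oldest first, so each slice below is a time-ordered window
        for i in range(len(hits) - MIN_KEY_FILES + 1):
            window_hits = hits[i:i + MIN_KEY_FILES]
            if window_hits[-1][0] - window_hits[0][0] <= WINDOW:
                alerts.append({"process": process, "drive": drive,
                               "paths": [path for _, path in window_hits]})
                break  # one alert per process and drive is enough
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

A single root-level `.key` file, a `.key` file in a subdirectory, and two root-level files created hours apart are all left unflagged in the sample data, which keeps ordinary certificate and licence files out of the alerts.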
