One of the most dastardly ransomware strains has received a Rust-flavored upgrade

(Image credit: Shutterstock)

One of the most destructive ransomware-as-a-service tools, Hive, has received a major overhaul, making it more resilient to antivirus programs and other security solutions.

These are the findings of a team of researchers at the Microsoft Threat Intelligence Center (MSTIC), who recently did a deep dive into a new Hive variant.

“Hive ransomware is only about one year old, having been first observed in June 2021, but it has grown into one of the most prevalent ransomware payloads in the ransomware-as-a-service (RaaS) ecosystem,” Microsoft said in its report.

Far-reaching impact

The biggest change is the full code migration from Go (also known as GoLang) to Rust. The impact of these updates is “far-reaching”, Microsoft says.

Among other things, Rust offers deep control over low-level resources, has a user-friendly syntax, has several mechanisms for concurrency and parallelism, good variety of cryptographic libraries, and is relatively more difficult to reverse-engineer. 

The new variant also uses string encryption, making it somewhat harder to detect, and the underlying algorithms have changed too. The Rust version of Hive uses Elliptic Curve Diffie-Hellmann (ECDH), with Curve25519 and XChaCha20-Poly1305 (authenticated encryption with ChaCha20 symmetric cipher).

As for file encryption, it now generates two sets of keys in memory (as opposed to embedding an encrypted key in each encrypted file), and uses both to encrypt files on the target endpoint. It then encrypts and writes the sets to the root of the encrypted drive, both with .key extensions.

To top it off, the operators changed the ransom message that follows up to the attack. The new version now references the .key files with their new file name convention, and warns victims not to delete or reinstall VMs, as there will be “nothing to decrypt”.

Hive isn’t the first ransomware to migrate to Rust, but it might be the first to signal a trend. Before Hive, it was BlackCat, another successful ransomware, that made the jump.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.