Microsoft recently reported on a new variant of Hive ransomware written in Rust, a departure from previous versions, which were written in Go.
- Microsoft discovered a new Hive ransomware variant written in Rust.
- Previous versions of Hive were written in Go.
- Other updates in the Rust version include a more complex encryption method and a new ransom note.
What is Hive ransomware?
Hive ransomware, first observed in June 2021, has become one of the most prevalent malware families in the ransomware-as-a-service (RaaS) category. According to Microsoft, it is also one of the fastest evolving families. The Hive ransomware group runs an affiliate-based operation. Hive has been used to target multiple verticals, including healthcare, nonprofit, retail, and energy. Hive’s operators sometimes use double extortion tactics, stealing victim data and threatening to publish it if the ransom is not paid. The Department of Health and Human Services Cybersecurity Program released an alert earlier this year calling the group “exceptionally aggressive”.
Microsoft found the new Hive variant while analyzing known Hive techniques for dropping .key files, using Hive’s file naming pattern as the hunt criterion. The naming convention usually followed a fixed pattern that includes a [VICTIM_IDENTIFIER] component. Some of the .key files Microsoft observed omitted the [VICTIM_IDENTIFIER] part of the filename, and following that discrepancy led to the new variant. Microsoft identified several samples of it. The new samples had a low detection rate, and most engines did not identify them as Hive.
The primary difference Microsoft noted between the old and new samples was the programming language: the new variant is written in Rust, while previous versions were written in Go. This follows in the footsteps of BlackCat ransomware, the first known ransomware family written in Rust.
Microsoft explained the threat actors likely chose Rust for the new variant, based on the following factors:
- Rust offers memory, data type, and thread safety.
- Rust has deeper control over low-level resources.
- Rust has a more user-friendly syntax.
- Rust enables fast and safe file encryption.
- Rust has a variety of cryptographic libraries.
- Rust binaries are comparatively more difficult to reverse engineer.
The new Hive variant also handles credentials differently. In the old variants, the username and password used to access the Hive ransom payment site were embedded in the samples. In the new variant, credentials are supplied on the command line under the -u parameter. This anti-analysis measure means the credentials cannot be recovered from the sample alone; an analyst must capture them at run time, for example from process creation telemetry that records full command lines (Sysmon Event ID 1 or Windows Security Event ID 4688 with command line auditing enabled).
The new Hive variant has additional command line parameters that let threat actors choose whether to encrypt local files, encrypt files on mounted network shares, discover network shares, encrypt specific folders, and encrypt only files above a minimum size. Microsoft noted several other parameters of indeterminate use that they are still analyzing. Different versions seem to have different parameters, and because the strings are encrypted in the binary, the operator must already know which parameters a given build accepts.
Like most ransomware, Hive stops processes and services associated with security tools. It attempts to impersonate the process tokens of trustedinstaller.exe and winlogon.exe in order to stop Microsoft Defender Antivirus and other services. Hive also runs processes to delete backups.
Microsoft supplied a list of services and processes Hive ransomware stops:
- gxvcd, gxcimgr
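The behaviours described above (credentials passed on the command line, service stopping, backup deletion) are all visible in process creation telemetry. The following Python hunt is an added example, not code from this page or from Microsoft’s report. It runs three rules over constructed Sysmon-style events: a stop of a service named on this page, a backup-deletion command line, and a `-u` credential argument on a binary outside the Windows system directories. Assumptions are marked in the code: the service list contains only the two names reproduced here, the backup-deletion commands are common ransomware patterns rather than Hive’s documented ones, and the sample path `C:\Users\Public\update.exe` and credential `operator:hunter2` are invented for the demo.

```python
import re
import shlex
from dataclasses import dataclass

# Services named on this page as targets Hive stops. The list in the
# Microsoft report is longer; extend this set from that source.
SERVICE_TARGETS = {"gxvcd", "gxcimgr"}

# Backup-deletion command lines commonly abused by ransomware. The page only
# says Hive "runs processes to delete backups"; these patterns are an assumption.
BACKUP_DELETION = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

# Binaries under these prefixes are skipped by the credential rule to cut noise
# from legitimate tools that also take -u (curl, psexec, ...).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def _args(cmdline: str) -> list:
    """Tokenize a Windows command line; backslashes are literal, quotes kept."""
    try:
        return shlex.split(cmdline, posix=False)
    except ValueError:
        return cmdline.split()


def check_service_stop(image: str, args: list):
    """'net stop <svc>' or 'sc stop <svc>' where <svc> is on the Hive stop list."""
    exe = image.lower().rsplit("\\", 1)[-1]
    if exe in ("net.exe", "net1.exe", "sc.exe") and len(args) >= 3:
        if args[1].lower() == "stop" and args[2].strip('"').lower() in SERVICE_TARGETS:
            return args[2].strip('"')
    return None


def check_backup_deletion(cmdline: str):
    """Return the command line if it matches a known backup-deletion pattern."""
    return cmdline if any(p.search(cmdline) for p in BACKUP_DELETION) else None


def check_cmdline_credentials(image: str, args: list):
    """'-u <value>' on a binary outside trusted locations. The value format Hive
    expects is not documented on this page; we simply report whatever follows -u,
    which is the point: command line logging recovers what the sample withholds."""
    if image.lower().startswith(TRUSTED_PREFIXES):
        return None
    for i, a in enumerate(args[:-1]):
        if a.lower() == "-u":
            return args[i + 1].strip('"')
    return None


def hunt(events: list) -> list:
    """Apply all three rules to a list of {"Image", "CommandLine"} events."""
    findings = []
    for ev in events:
        image, cmdline = ev["Image"], ev["CommandLine"]
        args = _args(cmdline)
        svc = check_service_stop(image, args)
        if svc:
            findings.append(Finding("hive_service_stop", image, svc))
        bd = check_backup_deletion(cmdline)
        if bd:
            findings.append(Finding("backup_deletion", image, bd))
        cred = check_cmdline_credentials(image, args)
        if cred:
            findings.append(Finding("cmdline_credentials", image, cred))
    return findings


# Constructed sample events (not real telemetry). The update.exe path and the
# operator:hunter2 credential are hypothetical.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net  stop gxcimgr"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Image": r"C:\Users\Public\update.exe",
     "CommandLine": r'"C:\Users\Public\update.exe" -u operator:hunter2'},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net stop Spooler"},  # benign: service not on the list
    {"Image": r"C:\Program Files\Git\mingw64\bin\curl.exe",
     "CommandLine": "curl.exe -u alice:token https://example.test"},  # trusted path
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule:22} {f.image}  ->  {f.detail}")
```

Running the block reports three findings: the gxcimgr stop, the vssadmin shadow deletion, and the `operator:hunter2` value recovered from the `-u` argument. The Spooler stop and the curl invocation are not reported. The credential rule is deliberately coarse and will need tuning per environment; its purpose is to show that moving credentials out of the binary and onto the command line only hides them from static analysis, not from endpoint telemetry.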
A final difference between the old and new Hive variants is an updated ransom note. The new note adds instructions telling the victim not to delete or reinstall VMs and not to modify, rename, or delete .key files.
PolySwarm has multiple samples of Hive ransomware’s Rust variant.
You can use the following CLI command to search for all Hive ransomware samples in our portal:
$ polyswarm link list -f Hive