Executive Summary
Microsoft recently reported on a new variant of Hive ransomware written in Rust, a departure from previous versions, which were written in Go.
Key Takeaways
- Microsoft discovered a new Hive ransomware variant written in Rust.
- Previous versions of Hive were written in Go.
- Other changes in the Rust version include a reworked encryption and key-handling scheme, encrypted strings, credentials passed on the command line rather than embedded in the sample, and an updated ransom note.
What is Hive ransomware?
Hive ransomware, first observed in June 2021, has become one of the most prevalent malware families in the RaaS category. According to Microsoft, it is also one of the fastest evolving families. The Hive ransomware group runs an affiliate-based operation. Hive has been used to target multiple verticals including healthcare, nonprofit, retail, energy, and others. Hive’s operators sometimes use double extortion tactics, stealing and threatening to publish victim data if the ransom is not paid. The Department of Health and Human Services Cybersecurity Program released an alert earlier this year, calling the group “exceptionally aggressive”.
Microsoft found the new variant while investigating known Hive techniques for dropping .key files, which its detections identify by their naming pattern. The file names usually follow this convention:
[KEY_NAME].key.[VICTIM_IDENTIFIER]
(e.g., BiKtPupMjgyESaene0Ge5d0231uiKq1PFMFUEBNhAYv_.key.ab123)
Some of the .key files Microsoft observed lacked the [VICTIM_IDENTIFIER] suffix. Pivoting on those anomalous files led to several samples of the new variant. At the time of analysis the samples had a low detection rate, and most engines did not identify them as Hive.
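The hunting pivot Microsoft describes is easy to reproduce. The classifier below is an added example written for this page, not Microsoft's or PolySwarm's tooling: it applies the naming pattern to a constructed list of file paths and separates legacy-style .key files that carry a victim identifier from the bare .key files seen with the Rust variant. The allowed character set for the key name and the 40-character minimum are my assumptions, inferred from the single published example, to keep ordinary "*.key" files such as TLS private keys from matching; a real hunt should treat hits as leads to confirm by sample analysis.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Key names in the published example look base64url-like (letters, digits, '_' and '-').
# The 40-character minimum is an assumption made here to avoid matching benign *.key files.
_KEY_NAME = r"(?P<key>[A-Za-z0-9_-]{40,})"
LEGACY_KEY_FILE = re.compile(_KEY_NAME + r"\.key\.(?P<victim>[A-Za-z0-9]+)$")
BARE_KEY_FILE = re.compile(_KEY_NAME + r"\.key$")


@dataclass(frozen=True)
class KeyFileHit:
    path: str
    variant: str              # "hive-legacy" (victim id present) or "hive-rust" (no victim id)
    key_name: str
    victim_id: Optional[str]


def classify_key_file(path: str) -> Optional[KeyFileHit]:
    """Return a hit if the file name matches the Hive .key naming pattern, else None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]   # accept Windows or UNC paths
    m = LEGACY_KEY_FILE.fullmatch(name)
    if m:
        return KeyFileHit(path, "hive-legacy", m["key"], m["victim"])
    m = BARE_KEY_FILE.fullmatch(name)
    if m:
        return KeyFileHit(path, "hive-rust", m["key"], None)
    return None


def hunt(paths):
    """Classify every path; returns only the hits, in input order."""
    return [hit for hit in map(classify_key_file, paths) if hit]


# Constructed sample listing (not real telemetry) mixing benign files and both patterns.
SAMPLE_LISTING = [
    r"C:\BiKtPupMjgyESaene0Ge5d0231uiKq1PFMFUEBNhAYv_.key.ab123",   # example from the report
    r"C:\Users\alice\Documents\report.docx",
    r"C:\inetpub\ssl\server.key",                                     # short name: not a hit
    r"D:\kQ7dE2mZrT9bX4cV1nL8pW3sY6uH0jG5aF2eR7tN9oI_.key",            # no victim id: Rust-style
    r"\\fileserver\share\vH3nP8kL2mQ6tX1cZ9bW4rY7uJ0gD5sE8aF3iO6lN2_.key.zz9",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LISTING):
        print(hit.variant, hit.victim_id or "-", hit.path)
```

Running the block over the constructed listing reports one legacy hit with victim id ab123, one Rust-style hit with no victim id, and one legacy hit from the UNC share; the TLS key and the document are ignored.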
The primary difference Microsoft noted between the old and new samples is the implementation language: the new variant is written in Rust, while previous versions were written in Go. This follows in the footsteps of BlackCat ransomware, the first known ransomware family written in Rust.
Microsoft suggested the threat actors likely chose Rust for the new variant because of the following properties of the language:
- Rust offers memory, data type, and thread-safety.
- Rust has deeper control over low-level resources.
- Rust has a more user-friendly syntax.
- Rust has several mechanisms for concurrency and parallelism, enabling fast and safe file encryption.
- Rust has a good variety of cryptographic libraries.
- Rust binaries are comparatively difficult to reverse engineer.
Microsoft noted the new variant encrypts its strings, which makes it more evasive and complicates static analysis. The cryptography changed as well: the variant uses Elliptic Curve Diffie-Hellman (ECDH) over Curve25519 together with XChaCha20-Poly1305 authenticated encryption. Instead of embedding an encrypted key in each file it encrypts, the new variant generates two sets of keys in memory, uses them to encrypt files, then encrypts the key sets and writes them to the root of the drive being encrypted, with a .key extension.
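The key-handling change is easier to see in code. The following is an added example written for this page, not code recovered from Hive: it follows the structure Microsoft describes (a key set generated in memory, files encrypted with it, the key material then encrypted and written out as a .key file rather than appended to each file) and uses X25519 as specified in RFC 7748 for the ECDH step. Because the Python standard library has no XChaCha20-Poly1305, the file cipher here is a stand-in encrypt-then-MAC construction built from HMAC-SHA256 in counter mode. The operator key pair, the use of a single key set (Hive generates two), the hash-based key wrapping and the 24-byte nonce layout are assumptions made for illustration.

```python
import hashlib
import hmac
import os

P = 2**255 - 19          # field prime for Curve25519
A24 = 121665             # ladder constant (486662 - 2) / 4 from RFC 7748
BASEPOINT = (9).to_bytes(32, "little")
NONCE_LEN = 24           # XChaCha20 nonces are 24 bytes; the stand-in mirrors that

def _clamp(scalar: bytes) -> int:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")

def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5; returns the shared u-coordinate."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stand-in stream cipher, not ChaCha20.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "little"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _subkeys(key: bytes):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in AEAD (encrypt-then-MAC) for XChaCha20-Poly1305. Output: nonce || ct || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))

def encrypt_drive(operator_pub: bytes, files: dict) -> tuple:
    """Encrypt files under a key set that exists only in memory, then wrap that set for
    the operator. Returns (encrypted_files, keyfile): the keyfile is what would be
    written to the drive root with a .key extension instead of into each file."""
    key_set = os.urandom(32)                         # generated in memory, never stored in files
    encrypted = {name: seal(key_set, data) for name, data in files.items()}
    eph_priv = os.urandom(32)                        # fresh ephemeral scalar per run
    eph_pub = x25519(eph_priv, BASEPOINT)
    wrap_key = hashlib.sha256(x25519(eph_priv, operator_pub)).digest()
    return encrypted, eph_pub + seal(wrap_key, key_set)   # keyfile = eph pub || wrapped set

def recover_key_set(operator_priv: bytes, keyfile: bytes) -> bytes:
    """Operator side: only the holder of operator_priv can unwrap the key set."""
    eph_pub, wrapped = keyfile[:32], keyfile[32:]
    wrap_key = hashlib.sha256(x25519(operator_priv, eph_pub)).digest()
    return unseal(wrap_key, wrapped)

def decrypt_drive(key_set: bytes, encrypted: dict) -> dict:
    return {name: unseal(key_set, blob) for name, blob in encrypted.items()}

if __name__ == "__main__":
    op_priv = os.urandom(32)                  # would exist only on the operator's side
    op_pub = x25519(op_priv, BASEPOINT)       # the value a sample would embed
    victim = {"budget.xlsx": b"constructed sample content", "empty.txt": b""}
    enc, keyfile = encrypt_drive(op_pub, victim)
    print(decrypt_drive(recover_key_set(op_priv, keyfile), enc) == victim)
```

The point of the layout is that the per-victim key set never reaches disk in the clear: the encrypted files contain no key material, and the .key file can only be unwrapped by whoever holds the operator's private scalar. That is also why an analyst with a sample alone cannot decrypt a victim's files, and why the ransom note warns against touching the .key files.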
The new Hive variant also handles credentials differently. In the old variants, the username and password used to access the Hive ransom payment site were embedded in the samples. In the new variant, the credentials are supplied on the command line via the -u parameter. This anti-analysis measure means the credentials cannot be recovered from a sample alone; an analyst needs the command line used at execution, for example from process-creation logging, to obtain them.
The new Hive variant has additional command line parameters that let the operator choose whether to encrypt local files, encrypt files on mounted network shares, discover network shares, encrypt only specific folders, or encrypt only files above a minimum size. Microsoft noted several other parameters of indeterminate use that it was still analyzing. Different versions appear to accept different parameters, and because the parameter strings are encrypted in the binary, an operator must already know them; they cannot simply be read out of the sample.
Like most ransomware, Hive stops processes and services associated with security tools, backup software, databases and office applications that would otherwise hold files open or interfere with encryption. It attempts to impersonate the process tokens of trustedinstaller.exe and winlogon.exe to obtain the privileges needed to stop Microsoft Defender Antivirus and other protected services, and it spawns processes to delete backups.
Microsoft supplied a list of services and processes Hive ransomware stops:
Services
- Windefend
- Msmpsvc
- Kavsvc
- Antivirservice
- Zhudongfungyu
- Vmm
- Vmwp
- Sql
- Sap
- Oracle
- Mepocs
- Veeam
- Backup
- Vss
- Msexchange
- Mysql
- Sophos
- pdfservice
- Backupexec
- Gxblr
- Gxvss
- Gxclmgrs
- gxvcd
- gxcimgr
- Gxmmm
- Gxvsshwprov
- Gxfwd
- Sap
- Qbcfmonitorservice
- Qbidpservice
- Acronisagent
- Veeam
- Mvarmor
- acrsch2svc
Processes
- Dbsnmp
- Dbeng50
- Bedbh
- Excel
- Encsvc
- Visios
- Firefox
- Isqlplussvc
- Mspub
- Mydesktopqos
- Notepad
- Ocautoupds
- Ocomm
- Ocssd
- Onenote
- Outlook
- Sqbcoreservice
- Sql
- Steam
- Tbirdconfig
- Thunderbird
- Winword
- Wordpad
- Xfssvccon
- Vxmon
- Benetns
- Bengien
- Pvlsvr
- Raw_agent_svc
- Cagservice
- Sap
- Qbidpservice
- Qbcfmonitorservice
- teamviewer_service
- teamviewer
- tv_w32
- tv_x64
- cvd
- saphostexec
- sapstartsrv
- avscc
- dellsystemdetec
- enterpriseclient
- veeam
- thebat
- cvfwd
- cvods
- vsnapvss
- msaccess
- vaultsvc
- beserver
- appinfo
- qbdmgrn
- avagent
- spooler
- powerpnt
- cvmountd
- synctime
- oracle
- wscsvc
- winmgmt
- *sql
A final difference between the old and new Hive variants is an updated ransom note. The new note instructs the victim not to delete or reinstall VMs and not to modify, rename, or delete .key files. That warning is consistent with the new key handling: the .key files written to the drive root carry the encrypted key material needed for recovery.
IOCs
PolySwarm has multiple samples of Hive ransomware's Rust variant, including the following (SHA-256):
f4a39820dbff47fa1b68f83f575bc98ed33858b02341c5c0464a49be4e6c76d3
065208b037a2691eb75a14f97bdbd9914122655d42f6249d2cca419a1e4ba6f1
33744c420884adf582c46a4b74cbd9c145f2e15a036bb1e557e89d6fd428e724
afab34235b7f170150f180c7afb9e3b4e504a84559bbd03ab71e64e3b6541149
481dc99903aa270d286f559b17194b1a25deca8a64a5ec4f13a066637900221e
6e5d49f604730ef4c05cfe3f64a7790242e71b4ecf1dc5109d32e811acf0b053
You can use the following CLI command to search for all Hive ransomware samples in our portal:
$ polyswarm link list -f Hive