Researchers have detailed what they call an “overhaul” upgrade to the Hive ransomware. The ransomware’s latest variant includes a full code migration to the Rust programming language and a more complex encryption method.
Since its discovery in June 2021, Hive has quickly expanded its reach by establishing a ransomware-as-a-service (RaaS) ecosystem. More recently, an NCC Group Threat Pulse report found that the number of victims Hive claimed rose by 188 percent from February to March. The latest variant, first uploaded to VirusTotal on Feb. 21, shows that Hive remains one of the fastest-evolving ransomware families, said researchers with Microsoft.
“The impact of these updates is far-reaching, considering that Hive is a RaaS payload that Microsoft has observed in attacks against organizations in the healthcare and software industries by large ransomware affiliates like DEV-0237,” according to a Tuesday analysis from the Microsoft Threat Intelligence Center.
Hive's switch from the Go programming language to Rust follows a path already taken by several other ransomware groups, including BlackCat. Rust gives ransomware actors several advantages: compiled Rust binaries are harder to reverse-engineer than Go binaries with current tooling, and the language offers memory, data-type and thread safety, which reduces crashes in the payload.
Another significant change in the new variant is how keys are handled. It generates two sets of keys in memory, uses them to encrypt files, and then writes both sets to the root of each drive it encrypts as files with the .key extension. Previously, Hive embedded an encrypted copy of the key in each encrypted file.
“To indicate which keys set was used to encrypt a file, the name of the .key file containing the corresponding encryption keys is added to the name of the encrypted file on disk, followed by an underscore and then a Base64 string (also adding underscore and hyphen to the character set),” according to Microsoft. “Once it’s Base64-decoded, the string contains two offsets, with each offset pointing to a different location in the corresponding .key file. This way, the attacker can decrypt the file using these offsets.”
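The naming scheme above can be parsed mechanically. The following Python is an added example written for this article, not Hive's own code or anything from Microsoft's analysis. It assumes details the page does not state: that the key file name is joined to the original file name with a dot, that the two offsets are equal-width little-endian integers, and that a fixed number of key bytes is taken from each offset. The sample file name and key file contents are constructed.

```python
import base64
import re

# Added analyst-side example, not Hive's own code. Assumptions the page does
# not state: the key file name is joined to the original name with '.', the
# two offsets are equal-width little-endian integers, and KEY_CHUNK_LEN bytes
# of key material are taken from each offset.
KEY_CHUNK_LEN = 32
MARKER = ".key_"   # key file extension plus the underscore before the Base64 blob
B64_URLSAFE = re.compile(r"[A-Za-z0-9_-]+")


def urlsafe_b64decode_nopad(s: str) -> bytes:
    """Decode Base64 using the '-' / '_' alphabet the page describes, tolerating missing padding."""
    if not B64_URLSAFE.fullmatch(s):
        raise ValueError(f"not URL-safe Base64: {s!r}")
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def urlsafe_b64encode_nopad(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode("ascii").rstrip("=")


def build_encrypted_name(original: str, key_file: str, off_a: int, off_b: int, width: int = 4) -> str:
    """Construct a name in the described layout: <original>.<keyfile>_<base64(off_a || off_b)>."""
    blob = off_a.to_bytes(width, "little") + off_b.to_bytes(width, "little")
    return f"{original}.{key_file}_{urlsafe_b64encode_nopad(blob)}"


def parse_encrypted_name(name: str) -> dict:
    """Split an encrypted file name into the original name, key file name and the two offsets."""
    # Base64 never contains '.', so the LAST ".key_" is the boundary between the key file
    # name and the offset blob, even if the original name contains ".key_" or the blob
    # contains '_' (which is part of the alphabet, so a naive rsplit('_') would break).
    idx = name.rfind(MARKER)
    if idx < 0:
        raise ValueError(f"not a Hive-style encrypted name: {name!r}")
    stem, b64 = name[:idx], name[idx + len(MARKER):]
    original, dot, key_stem = stem.rpartition(".")
    if not dot or not original or not key_stem:
        raise ValueError(f"cannot separate original name and key file name in {stem!r}")
    blob = urlsafe_b64decode_nopad(b64)
    if not blob or len(blob) % 2:
        raise ValueError("offset blob must hold two equal-width integers")
    w = len(blob) // 2
    return {
        "original": original,
        "key_file": key_stem + ".key",
        "offset_a": int.from_bytes(blob[:w], "little"),
        "offset_b": int.from_bytes(blob[w:], "little"),
    }


def key_material(key_blob: bytes, offset: int, length: int = KEY_CHUNK_LEN) -> bytes:
    """Return `length` bytes of key material at `offset`, refusing offsets that run past the file."""
    if offset < 0 or offset + length > len(key_blob):
        raise ValueError(f"offset {offset:#x} runs past the {len(key_blob)}-byte key file")
    return key_blob[offset:offset + length]


if __name__ == "__main__":
    # Constructed sample: a 64 KiB stand-in for a .key file and one encrypted name.
    fake_key_file = bytes(range(256)) * 256
    name = build_encrypted_name("my_report.key_v2.docx", "5y2Rkxz1.key", 0x100, 0x2A00)
    info = parse_encrypted_name(name)
    print(name)
    print(info, key_material(fake_key_file, info["offset_a"], 4).hex())
```

The width of the offsets is inferred from the decoded length rather than hard-coded, so the parser also handles 8-byte offsets if a sample turns out to use them; the bounds check in `key_material` is the one a decryptor must keep, since a corrupt or truncated .key file would otherwise yield silently wrong key bytes.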
Before encrypting each file, the ransomware checks the file name and extension against a list of strings; if there is a match, the file is skipped. The latest variant also encrypts its strings, which makes signature-based detection harder: the strings sit in the .rdata section and are decrypted at runtime by XORing them with constants.
“The constants that are used to decrypt the same string sometimes differ across samples, making them an unreliable basis for detection,” said researchers.
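Because the constants change between samples, an analyst recovers them per sample rather than matching encrypted bytes. The following Python is an added example for this article, not Hive's code and not Microsoft's tooling. It models the .rdata string table as NUL-terminated strings each XORed with a 4-byte constant cycled from the string's start; that layout, the constant width, and the sample strings and constants are all constructed assumptions. It shows both halves of the point: the same plaintext produces different bytes on disk under two constants, and a known plaintext (a crib) recovers the constant for each sample.

```python
import itertools
import string

# Added analyst-side example, not Hive's code. Assumed layout (not from the
# page): NUL-terminated strings, each XORed with a repeating constant that
# restarts at the beginning of every string.
PRINTABLE = set(string.printable.encode())

# Constructed sample strings and per-sample constants.
SAMPLE_STRINGS = [b"-u", b".key", b"encryption finished", b"https://example.invalid/login"]
SAMPLE_A_CONST = bytes.fromhex("a4f1c32e")
SAMPLE_B_CONST = bytes.fromhex("19c0de55")


def xor_cycle(data: bytes, key: bytes) -> bytes:
    """XOR data with key repeated from the start of data."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def build_string_table(strings, key: bytes) -> bytes:
    """Stand-in for a .rdata string table as a builder would emit it for one sample."""
    return b"".join(xor_cycle(s + b"\x00", key) for s in strings)


def decrypt_table(blob: bytes, key: bytes):
    """Decrypt every NUL-terminated entry; return None if any byte is unprintable
    or the last entry has no terminator (i.e. the key is wrong)."""
    out, i = [], 0
    while i < len(blob):
        plain = bytearray()
        for j in range(i, len(blob)):
            c = blob[j] ^ key[(j - i) % len(key)]
            if c == 0:
                break
            if c not in PRINTABLE:
                return None
            plain.append(c)
        else:
            return None
        out.append(bytes(plain))
        i = j + 1
    return out


def recover_constants(blob: bytes, crib: bytes, key_len: int = 4) -> dict:
    """Slide a known plaintext over the blob; return {constant: decrypted table}
    for every constant that decrypts the whole table to printable strings."""
    if len(crib) < key_len:
        raise ValueError("crib must cover at least one key period")
    found = {}
    for i in range(len(blob) - len(crib) + 1):
        cand = bytes(b ^ c for b, c in zip(blob[i:i + key_len], crib))
        # The crib need not sit at the start of its string, so the derived
        # constant may be rotated; try every phase and keep the ones that work.
        for r in range(key_len):
            key = cand[r:] + cand[:r]
            if key in found:
                continue
            table = decrypt_table(blob, key)
            if table is not None and any(crib in s for s in table):
                found[key] = table
    return found


if __name__ == "__main__":
    blob_a = build_string_table(SAMPLE_STRINGS, SAMPLE_A_CONST)
    blob_b = build_string_table(SAMPLE_STRINGS, SAMPLE_B_CONST)
    # Same plaintext, different bytes on disk: a byte pattern taken from sample A
    # does not match sample B, which is why the constants are a poor detection basis.
    print("tables identical:", blob_a == blob_b)
    for label, blob in (("A", blob_a), ("B", blob_b)):
        for key, table in recover_constants(blob, b".key").items():
            print(label, key.hex(), table)
```

The crib used here is ".key", which the page gives as the key-file extension; in practice any string known to be present, such as a command-line parameter name, serves the same purpose. The filter in `recover_constants` (the whole table must decrypt to printable text) is what keeps spurious constants from random offsets out of the result.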
Hive has incorporated several other features to sidestep analysis and detection. The older variant embedded the username and password for the ransom payment website in the sample itself; in the new variant these credentials must be supplied on the command line under the "-u" parameter, so analysts cannot recover them from the binary alone. The attackers also appear to be continually changing the command-line parameters that let affiliates add or remove functionality when running the payload. That churn, combined with all strings being encrypted, makes it harder for researchers to enumerate the parameters a given sample accepts.
Organizations can take a number of measures against Hive and other ransomware families, including improving credential hygiene, prioritizing the deployment of Active Directory updates, enforcing multi-factor authentication on all accounts, and disabling legacy authentication, according to Microsoft researchers.