The operators of the Hive Ransomware-as-a-Service (RaaS) have revamped its encryption software, completing a full migration to Rust so they could switch to a more complex encryption method.
The operation had earlier relied on Go (Golang), which, although powerful, was less versatile than the newly adopted Rust language. With this migration, Hive became the second ransomware strain written in Rust, after BlackCat.
According to Microsoft’s Threat Intelligence Center’s (MSTIC) advisory, the overhaul infused Hive with several powerful capabilities, including:
The revamped version of Hive employs an unorthodox file encryption mechanism: encryption keys are generated in memory, used to encrypt files, and then written to the root of the encrypted drive.
“To indicate which key set was used to encrypt a file, the name of the .key file containing the corresponding encryption keys is added to the name of the encrypted file on disk, followed by an underscore and then a Base64 string (also adding underscore and hyphen to the character set),” MSTIC says. “Once it’s Base64-decoded, the string contains two offsets, with each offset pointing to a different location in the corresponding .key file. This way, the attacker can decrypt the file using these offsets.”
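The naming scheme MSTIC describes is what an analyst or decryptor has to parse before any key material can be located, so here is an added example (not code from the article, from MSTIC, or from the KISA tool) that recovers the original name, the .key file name and the two offsets from an encrypted file name. It assumes details the article does not state: the .key file name contains no underscore (so the first underscore after it is the separator), the Base64 alphabet uses '-' and '_' in place of '+' and '/', padding may be absent, and the decoded bytes hold two unsigned 32-bit little-endian offsets.

```python
import base64
import binascii
import re
import struct

# ASSUMPTION: original name, then ".<keyfile>_<base64>", where the key file
# name is alphanumeric and the Base64 string uses the '-' / '_' alphabet.
HIVE_NAME_RE = re.compile(
    r"^(?P<original>.+)\.(?P<keyfile>[A-Za-z0-9]+)_(?P<b64>[A-Za-z0-9_\-]+)$"
)


def decode_offsets(b64: str):
    """Decode the appended Base64 string into two offsets into the .key file.

    ASSUMPTION: two unsigned 32-bit little-endian integers; padding restored
    because the name on disk may omit the trailing '=' characters.
    """
    padded = b64 + "=" * (-len(b64) % 4)
    raw = base64.b64decode(padded, altchars=b"-_")
    if len(raw) < 8:
        raise ValueError("decoded blob too short to hold two 32-bit offsets")
    return struct.unpack("<II", raw[:8])


def parse_hive_name(name: str):
    """Return {'original', 'key_file', 'offsets'} or None if the name does not fit."""
    m = HIVE_NAME_RE.match(name)
    if not m:
        return None
    try:
        off1, off2 = decode_offsets(m["b64"])
    except (binascii.Error, ValueError):
        return None  # looks like the scheme but the suffix is not valid Base64
    return {
        "original": m["original"],
        "key_file": m["keyfile"] + ".key",
        "offsets": (off1, off2),
    }


def make_sample_name(original: str, keyfile: str, off1: int, off2: int) -> str:
    """Build a CONSTRUCTED file name following the assumed layout, for testing."""
    raw = struct.pack("<II", off1, off2)
    b64 = base64.b64encode(raw, altchars=b"-_").decode().rstrip("=")
    return f"{original}.{keyfile}_{b64}"


if __name__ == "__main__":
    # Constructed sample, not a real Hive artifact.
    print(parse_hive_name(make_sample_name("report.docx", "ABC123", 4096, 131072)))
```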
This discovery comes about a week after South Korean cybersecurity agency KISA released a free decryption tool for victims of Hive ransomware. The decryption tool works for files encrypted by Hive versions v1 through v4.
Since the decryptor’s release rendered these versions of the Hive RaaS almost useless, it is likely that this event triggered the decision to migrate to Rust and adopt higher-complexity encryption.
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.