About Hive Ransomware
Microsoft security researchers found new versions of Hive ransomware that were previously written in the Go programming language but are now written in Rust. Hive surfaced in June 2021 and was flagged by the FBI in August. In November, MediaMarkt, a European electronics retailer, was hit by Hive.
It is a RaaS (ransomware-as-a-service) double-extortion operation that has recently been exploiting vulnerable Microsoft Exchange servers, compromised VPN credentials, phishing, and vulnerable RDP servers to install the ransomware and steal data that can later be leaked.
Why the change from Go to Rust
Hive's move to Rust has been underway for quite some time; it follows the lead of BlackCat ransomware, which is also written in Rust. In March, researchers from Group-IB discovered that Hive had rewritten its Linux encryptor (used for attacking VMware ESXi servers) in Rust to make it harder for cybersecurity experts to monitor ransom negotiations with targets.
Describing the Rust rewrite, the Microsoft Threat Intelligence Center said in its blog: "the upgrades in the latest variant [of Hive] are effectively an overhaul: the most notable changes include a full code migration to another programming language and the use of a more complex encryption method."
What is the impact
The implications of these updates are far-reaching: Hive is a RaaS payload that Microsoft has observed in attacks against organizations in the software and healthcare industries by large ransomware actors such as DEV-0237.
Microsoft has pointed out several advantages of Rust over other languages that make it one of the most preferred languages among programmers, such as good cryptographic library support and better memory safety.
Microsoft lists the following benefits of Rust:
- It offers memory, data type, and thread safety
- It has deep control over low-level resources
- It has a user-friendly syntax
- It has several mechanisms for concurrency and parallelism, thus enabling fast and safe file encryption
- It has a good variety of cryptographic libraries
- It's relatively more difficult to reverse-engineer
ZDNet reports: "Microsoft found that the new ransom note differs from the one used in older variants. The new note instructs victims: 'Do not delete or reinstall VMs. There will be nothing to decrypt' and 'Do not modify, rename or delete *.key files. Your data will be undecryptable.' The *.key files are the files that Hive has encrypted."