Hive Ransomware Upgraded to Rust to Deliver More Sophisticated Encryption

Researchers from Microsoft Security have spotted an upgraded version of the ransomware-as-a-service (RaaS) dubbed Hive.

The security experts outlined their findings in an advisory on Tuesday.

“With its latest variant carrying several major upgrades, Hive also proves it’s one of the fastest evolving ransomware families, exemplifying the continuously changing ransomware ecosystem,” reads the post.

According to Microsoft, the upgrades in the latest variant represent an overhaul of the entire ransomware infrastructure.

“The most notable changes include a full code migration to another programming language [from GoLang to Rust] and the use of a more complex encryption method,” the advisory explains.

Microsoft also noted that Hive is not the first ransomware written in Rust; it follows in the footsteps of BlackCat.

“By switching the underlying code to Rust, Hive benefits from [various] advantages that Rust has over other programming languages.”

These include memory, data type and thread safety, deep control over low-level resources, the ability to render the malware resistant to reverse engineering and a good variety of cryptographic libraries, among other things.

“The new Hive variant uses string encryption that can make it more evasive,” reads Microsoft’s advisory.

“The constants that are used to decrypt the same string sometimes differ across samples, making them an unreliable basis for detection.”
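The point in the two quoted sentences, that constants lifted from one sample's string-decryption routine are a poor detection basis, can be shown with a small added example. This is constructed illustration code, not from Microsoft's advisory and not Hive's own routine: two hypothetical "samples" embed the same plaintext string XOR-encoded with different per-sample constants (a stand-in for whatever scheme the real malware uses). A signature built from one sample's encoded bytes matches only that sample, while a check applied after emulating the decode step with each sample's own constants matches both.

```python
"""
Added example, not part of the original article or the advisory it reports on.
All sample bytes, keys and strings below are constructed for illustration.
"""
from itertools import cycle


def xor_encode(plaintext: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: a simple stand-in for a per-sample string cipher."""
    return bytes(p ^ k for p, k in zip(plaintext, cycle(key)))


def xor_decode(data: bytes, key: bytes) -> bytes:
    """XOR is symmetric, so decoding is the same operation."""
    return xor_encode(data, key)


# Constructed "samples": identical embedded string, different per-sample constants.
PLAINTEXT = b"example.marker.string"          # hypothetical string of interest
SAMPLE_KEYS = {                               # hypothetical per-sample constants
    "sample_a": b"\x5a\x13",
    "sample_b": b"\xc7\x8e\x21",
}
SAMPLES = {name: xor_encode(PLAINTEXT, key) for name, key in SAMPLE_KEYS.items()}


def constant_based_match(sample: bytes, signature: bytes) -> bool:
    """Signature = raw encoded bytes lifted from one sample (brittle)."""
    return signature in sample


def decode_then_match(sample: bytes, key: bytes, signature: bytes) -> bool:
    """Emulate the decode step with the constants recovered from *this* sample,
    then look for the plaintext string (robust across samples)."""
    return signature in xor_decode(sample, key)


def scan(signature_encoded: bytes, signature_plain: bytes) -> dict:
    """Run both strategies over every constructed sample and report hits."""
    results = {}
    for name, blob in SAMPLES.items():
        results[name] = {
            "constant_based": constant_based_match(blob, signature_encoded),
            "decode_then_match": decode_then_match(blob, SAMPLE_KEYS[name], signature_plain),
        }
    return results


if __name__ == "__main__":
    # Build the brittle signature from sample_a's encoded bytes and scan both samples.
    for name, hits in scan(SAMPLES["sample_a"], PLAINTEXT).items():
        print(name, hits)
```

Running the block shows `sample_a` matched by both strategies and `sample_b` matched only by the decode-then-match strategy, which is why detection engineers prefer to key on recovered plaintext or on the structure of the decryption routine rather than on any one sample's constants.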

The impact of these updates would also be far-reaching since Hive’s RaaS payload has been spotted by Microsoft in organizations in the healthcare and software industries and connected with large ransomware affiliates like DEV-0237.

The tech giant’s security team also said that many of the variants and samples it analyzed have low detection rates, and that some antivirus programs fail to identify any of them as Hive, despite the malware having first been spotted last year.

Microsoft Defender Antivirus provides detection for this threat, however, with build version 1.367.405.0 or later.

The news comes days after Microsoft’s Security Intelligence team issued a new warning against a known cloud threat actor (TA) group known as 8220.
