"Evasive Rust-Coded Hive Ransomware Variant Emerges"

Security researchers at Microsoft Threat Intelligence Center (MSTIC) discovered a new variant of the Hive ransomware written using the Rust programming language and that it is more evasive and provides attackers with flexibility.  Hive is a ransomware-as-a-service (RaaS) and was first observed in June 2021.  Hive was originally coded using the Go programming language.  When the gang changed the programming language to Rust, they also added several upgrades to the ransomware.  The researchers noted that the Rust-coded Hive variant uses a string encryption where constants used for decryption sometimes differ across samples, preventing detection, and supports command-line parameters, which increases flexibility by allowing the attackers to easily add or remove functionality.  The researchers stated that while the older Hive samples had the credentials for accessing the ransom payment website embedded, the new variant requires for the username and password to be supplied in the command line.  The new variant also lacks a "help" menu, requiring the attacker to know the supported parameters.  The researchers noted that the main change in the new ransomware variant, aside from the switch to Rust, is the use of a new cryptographic mechanism, which relies on "Elliptic Curve Diffie-Hellman (ECDH) with Curve25519 and XChaCha20-Poly1305 (authenticated encryption with ChaCha20 symmetric cipher)."  The researchers noted that the new Hive variant uses a unique approach to file encryption.  Instead of embedding an encrypted key in each file that it encrypts, it generates two sets of keys in memory, uses them to encrypt files, and then encrypts and writes the sets to the root of the drive it encrypts, both with .key extension.  The Hive ransomware targets specific processes for termination, specifically those associated with security tools and other solutions that might hinder its operation, including Microsoft Defender.  It also deletes backups to prevent victims from recovering their data without paying a ransom.  The researchers stated that to mitigate the risks associated with Hive and other ransomware, organizations and users should adopt good credential hygiene, keep applications updated, use multi-factor authentication, enable passwordless authentication for all supporting accounts, and disable legacy authentication.

SecurityWeek reports: "Evasive Rust-Coded Hive Ransomware Variant Emerges"