Hive ransomware gets upgrades to more advanced encryption method

A year after its discovery, the latest versions of the Hive ransomware virus carry major upgrades

Hive ransomware becomes more dangerous. New upgrades make the ransomware resistant to reverse engineering and use more advanced encryption

One of the most prevalent ransomware viruses out there has received upgrades in its latest variants that change the encryption and other features. The developers of the virus overhauled their file-encrypting software and migrated it fully to Rust. With this full code migration to another programming language, the ransomware-as-a-service now uses a more complex encryption method.[1]

Hive ransomware is one of the fastest-evolving threat families, and these additions prove that. It is an example of the continuously changing ransomware ecosystem, as the threat research team from Microsoft reports.[2] The virus was first observed in June 2021 and has since emerged as one of the most dangerous RaaS groups. The threat had at least 17 victims in May this year. It is compared to major strains like Black Basta and Conti.[3]

These Hive ransomware attacks focus on organizations, so the infection campaigns are targeted. Various samples show that attacks carried out by affiliates also involve the exploitation of ProxyShell flaws in Microsoft Exchange Server.[4] The actors manage to encrypt company environments in a few days or less.

Shift to a different and not common programming language

The change from GoLang to Rust makes this ransomware the second threat family, after BlackCat,[5] written in this programming language. The malware gains additional benefits from this: memory safety improves, and deeper control over low-level resources helps the infection evolve. The new malware versions also use a wide range of cryptographic libraries.

The ransomware can now be resistant to reverse engineering, so the threat is more evasive and cannot be easily detected by threat-fighting tools or researchers; as a result, campaigns are more widespread and can be more successful. The ransomware also gets additional features that help stop services and processes related to the security solutions that would block these attacks.

Changes in the Rust-based variants mean that the ransomware not only deletes backups to prevent easy file recovery, but also handles file encryption differently:

Instead of embedding an encrypted key in each file that it encrypts, it generates two sets of keys in memory, uses them to encrypt files, and then encrypts and writes the sets to the root of the drive it encrypts, both with .key extension
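As an added defender-side illustration (not code from the article or from Microsoft's report), the following Python heuristic checks a constructed list of file-system events for the pattern the quote describes: a burst of file renames on a volume combined with newly created files with a .key extension sitting directly at that volume's root. The event list, the rename threshold, and the random-looking filenames are assumptions made for the example; the article only states the extension and the root location.

```python
import ntpath
from collections import Counter

# Constructed file-system events (path, operation). Not real telemetry;
# the .key filenames are invented placeholders.
SAMPLE_EVENTS = [
    ("C:\\Users\\alice\\Documents\\q1.xlsx", "rename"),
    ("C:\\Users\\alice\\Documents\\q2.xlsx", "rename"),
    ("C:\\Users\\alice\\Pictures\\cat.jpg", "rename"),
    ("C:\\Finance\\ledger.db", "rename"),
    ("C:\\Windows\\Temp\\abc123.key", "create"),  # .key, but not at the root
    ("C:\\kLzX9pQw.key", "create"),               # .key directly at the drive root
    ("C:\\7aNdQ2.key", "create"),
    ("D:\\backup\\snapshot.vhdx", "write"),
]

KEY_EXT = ".key"


def is_root_key_file(path: str) -> bool:
    """True when path names a .key file located directly under a volume root."""
    drive, tail = ntpath.splitdrive(path)
    head, name = ntpath.split(tail)
    return drive != "" and head in ("\\", "/") and name.lower().endswith(KEY_EXT)


def root_key_files(events):
    """Paths of newly created .key files at a volume root."""
    return [p for p, op in events if op == "create" and is_root_key_file(p)]


def rename_bursts(events, threshold):
    """Volumes whose rename count reaches the threshold (assumed mass-rename signal)."""
    counts = Counter()
    for p, op in events:
        if op == "rename":
            drive, _ = ntpath.splitdrive(p)
            counts[drive] += 1
    return {d: n for d, n in counts.items() if n >= threshold}


def assess(events, rename_threshold=3):
    """Flag volumes that show both indicators: a rename burst and root-level .key files."""
    keys = root_key_files(events)
    bursts = rename_bursts(events, rename_threshold)
    flagged = sorted(
        d for d in bursts if any(ntpath.splitdrive(k)[0] == d for k in keys)
    )
    return {"root_key_files": keys, "rename_bursts": bursts, "flagged_volumes": flagged}


if __name__ == "__main__":
    print(assess(SAMPLE_EVENTS))
```

The heuristic keys only on location and extension, because those are the two facts the quote gives; in a real deployment the rename threshold would be tuned per volume size, and a hit should be treated as a trigger for investigation against the published IOCs rather than as proof of infection on its own.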

What can be done to mitigate attacks?

This ransomware-as-a-service is only one of the most dangerous ones; other groups affect organizations and users across the world. These people are financially motivated, so ransom demands grow out of control with the double and triple extortion methods that many of them adopt. However, malware like this has to keep evolving, because various mitigation methods allow researchers to keep networks secure and not vulnerable to ransomware.

Researchers recommend several steps for customers to take. Avoiding these newer Hive ransomware variants is possible by using the included IOCs to investigate whether they exist in a particular environment and to assess for potential intrusion. People are recommended to:

  • build credential hygiene
  • audit credential exposure
  • prioritize the deployment of Active Directory updates
  • harden the cloud backup
  • enforce MFA on various accounts and strictly require MFA from all devices
  • enable passwordless authentication methods.

About the author

Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
