The people behind the ransomware-as-a-service (RaaS) scheme known as Hive have completely rewritten the file-encrypting software they use in order to fully migrate to the Rust programming language and implement a more complex encryption strategy.
According to a report published on Tuesday by the Microsoft Threat Intelligence Center (MSTIC), "With its latest variant carrying several major upgrades, Hive also proves it's one of the fastest evolving ransomware families, exemplifying the continuously changing ransomware ecosystem." [citation needed] "With its latest variant carrying several major upgrades, Hive also proves it's one of the fastest evolving ransomware families."
Alongside Black Basta and Conti, the RaaS group known as Hive was responsible for 17 attacks during the month of May 2022 alone. Hive was discovered for the first time in June 2021 and has since become one of the most active RaaS groups.
Hive is the second strain of ransomware, after BlackCat, to be written in the programming language Rust. This change from GoLang to Rust enables the malware to gain additional benefits, such as memory safety and deeper control over low-level resources, as well as the use of a wide variety of cryptographic libraries.
Because of this, the malware can be made resistant to reverse engineering, which gives it an advantage in terms of its ability to avoid detection. In addition to this, it comes equipped with features that can halt the services and processes associated with security solutions, which may cause it to be stopped in its tracks.
Hive ransomware, like other families of ransomware, deletes backups in order to prevent victims from recovering their files. However, the method that Hive uses to encrypt files has undergone a significant transformation in the new Rust-based variant.
According to MSTIC, "instead of embedding an encrypted key in each file that it encrypts, it generates two sets of keys in memory, uses them to encrypt files, and then encrypts and writes the sets to the root of the drive it encrypts, both with the.key extension." This is explained in the following way: "Rather than embedding an encrypted key in each file that it encrypts."
An encrypted file is renamed to include the file name containing the key, which is then followed by an underscore and a Base64-encoded string (for example, "C:myphoto.jpg.l0Zn68cb -B82BhIaGhI8") that points to two different locations in the corresponding.key file. This is done in order to determine which of the two keys is used for locking a specific file.
According to a report from this week by Bleeping Computer, the findings come at the same time that the threat actor responsible for the lesser-known AstraLocker ransomware has ceased operations and released a decryption tool as part of a shift to cryptojacking.
However, researchers in the field of cybersecurity have discovered a new ransomware family known as RedAlert (aka N13V) that is capable of targeting both Windows and Linux VMWare ESXi servers. This finding is an indication that the landscape of cybercrime is in a state of constant flux.
Post a Comment
Your suggestions and comments are welcome