Chris Swagler | March 31st, 2022

The Hive ransomware group has rewritten its VMware ESXi Linux encryptor in the Rust programming language and added features that make it harder for security researchers to eavesdrop on victims' ransom negotiations. As businesses rely more heavily on virtual machines to conserve hardware, consolidate servers, and simplify backups, ransomware groups are building dedicated encryptors for these platforms. Because VMware ESXi is the most widely deployed virtualization platform in enterprise environments, the Linux encryptors these groups ship usually target it. Hive has been attacking VMware ESXi servers with a Linux encryptor for some time; a new sample shows that the encryptor has been updated with features first introduced by the BlackCat/ALPHV ransomware group.

Ransomware groups try to keep their negotiations private: they warn victims that if the ransom is not paid, stolen data will be published and the victim will suffer a reputational hit. When a ransomware sample is uploaded to a public malware analysis service, security researchers can extract the ransom note, reach the negotiation page, and follow the negotiation as it happens. Those negotiations are often posted online, which frequently causes them to collapse. To prevent this, the BlackCat ransomware group removed the Tor negotiation URL from its encryptor.

Instead, the encryptor requires the URL to be passed as a command-line argument when it is executed. Because the URL is never stored in the executable and only exists at run time, a researcher who obtains only the sample cannot retrieve it. Hive already required a username and password to reach a victim's Tor negotiation page, but those credentials were previously hard-coded in the encryptor executable, where they were easy to recover.

A new Hive Linux encryptor found by a security researcher shows that the Hive operators must now supply the username and password as command-line arguments when executing the malware. By copying BlackCat's tactic, Hive has made it difficult to recover negotiation credentials from its Linux samples; the credentials now appear only in the ransom notes written during the attack. It is unclear whether Hive's Windows encryptor already uses the new command-line arguments, but if not, the change will most likely follow. Hive is also following BlackCat in moving its Linux encryptor from Go to Rust, which makes the samples more efficient and harder to reverse engineer. Rust produces safer and faster code, and Rust binaries are less familiar to many analysts and analysis tools than Go or C samples, which complicates analysis.
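The practical consequence of the change above is that the negotiation credentials no longer live in the file a researcher or responder collects; they exist only in the ransom note and in the process arguments at the moment the encryptor ran. On a Linux host with execve auditing enabled (for example `auditctl -a always,exit -F arch=b64 -S execve`), auditd's EXECVE records preserve those arguments. The following parser, added here as an illustration and not code from the original post or from either ransomware family, extracts command-line credentials and .onion URLs from such records. The flag names (`-u`, `-p`), the binary path `/tmp/encryptor`, and the log lines are all constructed for the example; they are not Hive's actual command-line syntax. One detail the parser handles that trips up ad-hoc grep: auditd hex-encodes any argument containing spaces or non-printable bytes, so a credential with a space shows up as a bare hex string rather than quoted text.

```python
"""
Added example (not from the original post): recover credential-like arguments
from Linux auditd EXECVE records. Flag names, binary path and log lines are
constructed for illustration and are not the real encryptor's syntax.
"""
import re

# audit(SECONDS.MILLIS:SERIAL) ties the EXECVE, SYSCALL and CWD records of one
# execve() call together; we keep the serial so hits can be joined later.
_MSG_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")

# aN="quoted text" for plain arguments, or aN=HEX when auditd hex-encodes an
# argument that contains spaces, quotes or non-printable bytes.
_ARG_RE = re.compile(r'\ba(?P<idx>\d+)=(?:"(?P<quoted>[^"]*)"|(?P<hex>[0-9A-Fa-f]+))')

# Hypothetical credential-carrying flags; adjust to whatever the sample uses.
CRED_FLAGS = {"-u", "--user", "-p", "--pass", "--password"}

# v2 (16 chars) and v3 (56 chars) onion addresses use base32 (a-z, 2-7).
ONION_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion\b", re.I)


def parse_execve(line):
    """Return (serial, argv) for an auditd EXECVE record, or None for other records."""
    if "type=EXECVE" not in line:
        return None
    m = _MSG_RE.search(line)
    if not m:
        return None
    args = {}
    for a in _ARG_RE.finditer(line):
        val = a.group("quoted")
        if val is None:
            # hex-encoded argument: decode it, keeping undecodable bytes visible
            val = bytes.fromhex(a.group("hex")).decode("utf-8", "replace")
        args[int(a.group("idx"))] = val
    argv = [args[i] for i in sorted(args)]
    return m.group("serial"), argv


def find_credentials(argv):
    """Return {flag: value} for credential flags plus any .onion URL in argv."""
    found = {}
    for i, arg in enumerate(argv):
        if arg in CRED_FLAGS and i + 1 < len(argv):
            found[arg] = argv[i + 1]               # "-u value" form
        elif "=" in arg and arg.split("=", 1)[0] in CRED_FLAGS:
            flag, val = arg.split("=", 1)          # "--user=value" form
            found[flag] = val
        onion = ONION_RE.search(arg)
        if onion:
            found["url"] = onion.group(0)
    return found


def scan(lines):
    """Return one record per EXECVE line whose argv carried credential-like data."""
    hits = []
    for line in lines:
        parsed = parse_execve(line)
        if not parsed:
            continue
        serial, argv = parsed
        creds = find_credentials(argv)
        if creds:
            hits.append({"serial": serial, "argv": argv, "creds": creds})
    return hits


# Constructed sample log: one benign exec, one SYSCALL record (ignored), and two
# hypothetical encryptor launches. "6F70732075736572" is auditd's hex encoding
# of "ops user", which it would use because the argument contains a space.
SAMPLE_AUDIT_LOG = [
    'type=EXECVE msg=audit(1648728000.101:4501): argc=2 a0="ls" a1="-la"',
    'type=SYSCALL msg=audit(1648728011.555:4502): arch=c000003e syscall=59 '
    'success=yes exit=0 comm="encryptor" exe="/tmp/encryptor"',
    'type=EXECVE msg=audit(1648728011.555:4502): argc=5 a0="/tmp/encryptor" '
    'a1="-u" a2=6F70732075736572 a3="-p" a4="hunter2"',
    'type=EXECVE msg=audit(1648728042.900:4503): argc=2 a0="/tmp/encryptor" '
    'a1="--url=http://abcdefghijklmnop.onion/login"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_AUDIT_LOG):
        print(hit["serial"], hit["argv"], hit["creds"])
```

Joining the EXECVE serial back to the matching SYSCALL record (same `msg=audit(...:serial)`) gives the executable path, uid and working directory, which is what you want when an encryptor is launched from a staging directory such as `/tmp`. On ESXi itself there is no auditd; the equivalent evidence is the shell command history in `/var/log/shell.log`, which the same argv-parsing approach can be adapted to.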

Because encrypting VMware ESXi virtual machines is now a central part of a successful attack, ransomware groups keep refining their code to make it more efficient and to keep their operations and negotiations hidden. As more businesses virtualize their servers, ransomware developers will continue to target Windows devices while also building dedicated Linux encryptors for ESXi. Security professionals and network admins need to monitor their Linux and ESXi hosts, not only their Windows fleet, for any signs of attack.

Additionally, companies in any industry must remain vigilant of the current threat landscape and update the security software on their VMware ESXi virtualization platforms and Windows devices. At SpearTip, our 24/7/365 certified engineers continuously monitor networks including those on Windows devices and VMware ESXi virtualization platforms at our Security Operations Center for ransomware threats like Hive and BlackCat. Being proactive with incident response planning is the way for companies to remain ahead of the current threats. ShadowSpear, our endpoint detection and response platform, is an excellent proactive tool that integrates with cloud, network, and endpoint devices to identify threats, neutralize ransomware coded in any language, and counter adversaries.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.