Chris Swagler | July 11th, 2022

Hive, one of the most destructive Ransomware-as-a-Service (RaaS) operators, has rewritten its file-encryption software in Rust and adopted a more sophisticated encryption scheme. The overhaul makes the payload harder for antivirus programs and other security solutions to detect and stop. With the new variant implementing numerous major upgrades, Hive has become one of the fastest-evolving ransomware families, which exemplifies the continuous change in the ransomware ecosystem. First appearing in June 2021, Hive has grown to become one of the most prevalent ransomware payloads and was responsible for 17 attacks in May 2022 alone.

Hive is the second ransomware strain to be rewritten in the Rust programming language, shifting away from Go (GoLang). The move gives the malware several benefits: memory safety, deeper control over low-level resources, and a wide choice of cryptographic libraries. Rust also has user-friendly syntax and numerous mechanisms for concurrency and parallelism, and compiled Rust binaries are harder to reverse-engineer, which makes the malware more evasive. The new variant also includes capabilities to stop and disrupt services and processes associated with security solutions that could otherwise halt it.

Hive is like previous ransomware families in that it deletes backups to prevent recovery; however, its approach to file encryption in the new Rust-based variant has changed significantly. The new variant also encrypts its strings, which makes it harder to detect. Hive’s Rust version uses Elliptic Curve Diffie-Hellman (ECDH) with Curve25519 and XChaCha20-Poly1305 (authenticated encryption built on the ChaCha20 stream cipher, with an extended 192-bit nonce). Instead of embedding an encrypted key in each encrypted file, it generates two sets of keys in memory and uses them to encrypt files on the target endpoint. The key sets are then encrypted and written to the root of the encrypted drive, both with a .key extension.

An encrypted file is renamed to include the name of the file containing the key, followed by an underscore and a Base64-encoded string that points to two different locations in the corresponding .key file. This allows the threat operators to determine which two keys were used to lock a particular file. Additionally, the operators modified the ransom note that appears after the attack. The latest version advises victims against deleting or reinstalling virtual machines because there will be “nothing to decode,” and refers to the .key files by their new naming convention. The warning is telling: the .key files at the drive root are the only copies of the per-victim key material, so responders preserving evidence should image those drive roots before any rebuild.
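The two paragraphs above describe a naming scheme a responder can use the other way round: given a file listing, find the .key files at each drive root and map every renamed file back to the key file it depends on. The script below is an added triage example written for this article; it is not Hive’s code and not from any vendor report. It relies only on what the article states (key files with a .key extension at the drive root; renamed files carrying the key file’s name, an underscore, and a Base64 string). Everything else is an assumption and is labelled as such in the code: the key file is matched by its stem (name without ".key"), the original name is assumed to remain in front of the stem, the Base64 may be in either the standard or the URL-safe alphabet, and the pointer bytes are returned raw because the page does not document their layout. The sample listing and the key-file names in it are constructed, not real victim data.

```python
from __future__ import annotations

import base64
import binascii
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample listing for a hypothetical host; not real victim data.
SAMPLE_LISTING = [
    r"C:\kQwErTy9zLm.key",                                          # key set 1, at the drive root
    r"C:\ZxCvBn3Ap7Q.key",                                          # key set 2, at the drive root
    r"C:\Users\alice\Documents\budget.xlsx.kQwErTy9zLm_AAAAAQAAAAI=",
    r"C:\Users\alice\Documents\notes.txt.ZxCvBn3Ap7Q_AQAAAAIAAAA=",
    r"C:\Users\alice\Documents\plan.docx.kQwErTy9zLm_AAAAAwAAAAQ",  # URL-safe style, padding stripped
    r"C:\Temp\kQwErTy9zLm_backup.log",     # carries a key stem but no Base64 tail: a look-alike, not encrypted
    r"C:\Users\alice\Documents\meeting_notes.txt",                  # an underscore alone proves nothing
    r"C:\Windows\System32\kernel32.dll",
]


def decode_pointer(tail: str) -> bytes | None:
    """Strictly decode the Base64 tail of a renamed file.

    Returns None when the tail is not Base64 at all. Accepting both the
    standard and the URL-safe alphabet and tolerating stripped padding is an
    assumption; the article does not say which form Hive uses.
    """
    if not tail:
        return None
    text = tail.replace("-", "+").replace("_", "/")
    text += "=" * (-len(text) % 4)
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def parse_encrypted_name(name: str, key_stems) -> dict | None:
    """Split '<original>.<keystem>_<base64>' into its parts, or return None.

    The layout of the pointer bytes is not documented on the page (it only
    says they reference two locations in the .key file), so they stay raw.
    """
    # Longest stems first, so a stem that happens to prefix another cannot win by accident.
    for stem in sorted(key_stems, key=len, reverse=True):
        marker = f"{stem}_"
        at = name.find(marker)
        if at == -1:
            continue
        pointer = decode_pointer(name[at + len(marker):])
        if pointer is None:
            continue  # key stem present but the tail is not Base64: not a Hive-renamed file
        return {"original": name[:at].rstrip("."), "key_stem": stem, "pointer": pointer}
    return None


def hunt(listing) -> dict:
    """Cross-reference .key files at drive roots with renamed files anywhere on the host."""
    paths = [PureWindowsPath(p) for p in listing]
    # Per the article the key sets land at the root of the encrypted drive: parts == (anchor, name).
    key_files = {p.stem: p for p in paths if p.suffix.lower() == ".key" and len(p.parts) == 2}
    encrypted = defaultdict(list)
    untouched = []
    for p in paths:
        if p in key_files.values():
            continue
        parsed = parse_encrypted_name(p.name, key_files)
        if parsed is None:
            untouched.append(str(p))
        else:
            encrypted[parsed["key_stem"]].append({**parsed, "path": str(p)})
    return {
        "key_files": {stem: str(path) for stem, path in key_files.items()},
        "encrypted": dict(encrypted),
        "untouched": untouched,
    }


if __name__ == "__main__":
    report = hunt(SAMPLE_LISTING)
    for stem, files in report["encrypted"].items():
        print(f"{report['key_files'][stem]} is needed for {len(files)} file(s):")
        for f in files:
            print(f"  {f['path']}  was {f['original']}  pointer={f['pointer'].hex()}")
    print("not Hive-renamed:")
    for path in report["untouched"]:
        print(f"  {path}")
```

Anchoring the match on a key stem that actually exists at a drive root, and requiring the tail to be strict Base64, is what keeps ordinary names with underscores (and look-alikes such as `kQwErTy9zLm_backup.log`) out of the results. Run it against a real listing (for example the output of `dir /s /b`) to see at a glance which .key files must be preserved for which files.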

With Hive being the most recent ransomware group to migrate its file-encryption software to Rust, it’s critical that companies remain vigilant about the current threat landscape and keep multiple off-site backups of their network data. At SpearTip, we help companies get back up and running in record time following a breach. Our certified engineers continuously monitor companies’ networks from our 24/7/365 Security Operations Center for potential ransomware threats and are ready to respond at a moment’s notice. Our team will investigate the nature of the breach, conduct a thorough data analysis, and execute the recovery plan to return companies to their normal operations. SpearTip’s remediation experts focus on restoring companies’ operations, reclaiming networks by isolating ransomware, and recovering business-critical assets. The ShadowSpear Platform, our cutting-edge managed detection and response tool, integrates with IT and security technology partners, allowing correlation of events from firewalls and network devices.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.