The Hive group, which has become one of the most prolific ransomware-as-a-service (RaaS) operators, has significantly changed its malware, including migrating the code to the Rust programming language and using a more complex encryption technique.
Researchers with the Microsoft Threat Intelligence Center (MSTIC) uncovered the Hive variant while analyzing a change in the group’s methods around the encryption keys file and the naming pattern.
“With its latest variant carrying several major upgrades, Hive also proves it’s one of the fastest evolving ransomware families, exemplifying the continuously changing ransomware ecosystem,” the researchers said in a write-up this week.
Hive was first detected in June 2021, with the data-encrypting software being offered to affiliates that pay to use the ransomware in their own campaigns. The incidence of ransomware continues to grow rapidly, with Panda Security saying the number jumped 62 percent in 2021 year-over-year and accounted for 10 percent of all attacks. According to third-party risk management firm UpGuard, which has seen similar numbers, a key driver has been the rise of RaaS.
Affiliates can earn as much as 80 percent of each ransom payment, according to UpGuard.
Like most of the newer ransomware groups, the Hive operators run double-extortion campaigns, encrypting and stealing the data and telling the victims their stolen data will be leaked if they refuse to pay the ransom.
According to Trend Micro, energy companies have been a top target for Hive, followed by healthcare facilities, financial services institutions, and the media. Between June and December 2021 the group compromised 355 enterprises, and it has hit an average of three companies per day since first being detected, the researchers wrote in a report in March. The FBI issued an advisory about the group in August 2021.
The Hive gang garnered attention when it hit Costa Rica’s national public health services agency in May.
It also continues to evolve its operations. In October 2021, the group introduced malware tools to encrypt Linux and FreeBSD systems, and in April the group began targeting Microsoft Exchange Servers.
The recent work by MSTIC researchers uncovered the latest variant.
“This analysis led to the discovery of the new Hive variant and its multiple versions, which exhibit slightly different available parameters in the command line and the executed processes,” they wrote. “Analyzing these patterns in samples of the new variants, we discovered even more samples, all with a low detection rate and none being correctly identified as Hive.”
The updates to Hive will have far-reaching impacts given that its RaaS payload has been used in attacks against organizations in a range of industries by large ransomware affiliates like DEV-0237.
The key change in the updates is Hive’s switch from the Go – or GoLang – programming language to Rust, which offers advantages over other languages such as memory, data-type, and thread safety, deep control over low-level resources, fast and safe file encryption, and a wide variety of cryptographic libraries.
In addition, being written in Rust will make the Hive code more difficult to reverse-engineer, according to Microsoft researchers. Hive isn’t the first ransomware to be written in Rust; BlackCat took that title last month.
Detecting the new Hive variant also is harder, according to MSTIC.
“The new Hive variant uses string encryption that can make it more evasive,” the researchers wrote. “Strings reside in the .rdata section and are decrypted during runtime by XORing with constants. The constants that are used to decrypt the same string sometimes differ across samples, making them an unreliable basis for detection.”
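To show why per-sample XOR constants are a weak detection anchor, here is an added example (not Microsoft's or Hive's code) that encrypts a constructed string table with two different constants, shows that a byte signature from one sample misses the other, and recovers both constants without knowing them. The 1-to-4-byte repeating key and the NUL-terminated ASCII layout are assumptions, not details from the article.

```python
from typing import List

# Printable ASCII plus NUL (string terminators); anything else counts against a key.
PRINTABLE = set(range(0x20, 0x7F)) | {0}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same routine encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def column_score(column: bytes, key_byte: int) -> int:
    """Count bytes that decode to printable ASCII or NUL under key_byte."""
    return sum(1 for b in column if (b ^ key_byte) in PRINTABLE)


def recover_xor_key(blob: bytes, max_key_len: int = 4) -> bytes:
    """Recover the XOR constant blind: for each candidate key length, pick the
    byte per position that maximises printable output, and keep the shortest
    key that reaches the best total score (so a 1-byte key is not reported as
    a repeated 2- or 4-byte key)."""
    best_key, best_score = b"", -1
    for klen in range(1, max_key_len + 1):
        key, total = bytearray(), 0
        for pos in range(klen):
            column = blob[pos::klen]
            scores = [column_score(column, k) for k in range(256)]
            kb = max(range(256), key=lambda k: scores[k])  # ties -> lowest byte
            key.append(kb)
            total += scores[kb]
        if total > best_score:
            best_key, best_score = bytes(key), total
    return best_key


def decrypt_strings(blob: bytes) -> List[str]:
    """Recover the key, decrypt, and split on NUL into individual strings."""
    plain = xor_bytes(blob, recover_xor_key(blob))
    return [s.decode("ascii", "replace") for s in plain.split(b"\x00") if s]


def signature_hits(signature: bytes, sample: bytes) -> bool:
    """Would a byte signature taken from one sample's encrypted strings fire here?"""
    return signature in sample


# Constructed stand-in for a .rdata string table (not real Hive strings).
STRING_TABLE = b"Sample String 01\x00Another Entry 02\x00Third Value 03\x00Last Item 04\x00"
# Two "samples" protecting the same strings with different (made-up) constants.
SAMPLE_A = xor_bytes(STRING_TABLE, bytes([0x5A]))
SAMPLE_B = xor_bytes(STRING_TABLE, bytes([0x13, 0xC7]))

if __name__ == "__main__":
    print("signature from A fires on B:", signature_hits(SAMPLE_A[:8], SAMPLE_B))
    print(decrypt_strings(SAMPLE_A), decrypt_strings(SAMPLE_B))
```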
Hive now also includes features to stop security services and processes, such as Microsoft Defender Antivirus, that might slow the attack chain.
The cryptography mechanism in the new variant also is significant, the researchers wrote. It uses a new set of algorithms – Elliptic Curve Diffie-Hellman with Curve25519 and XChaCha20-Poly1305, an authenticated encryption scheme built on the ChaCha20 symmetric cipher.
Hive’s method is unique, according to MSTIC.
“Instead of embedding an encrypted key in each file that it encrypts, it generates two sets of keys in memory, uses them to encrypt files, and then encrypts and writes the sets to the root of the drive it encrypts, both with .key extension,” the researchers wrote.
To indicate which key was used, the name of the file containing the corresponding encryption key is appended to the name of the encrypted file on disk. Once that appended string is Base64-decoded, it yields two offsets, each pointing to a different location in the corresponding .key file.
Likewise, the new command-line parameters hinder detection by threat hunters. In previous variants, the username and password used to access the Hive ransom payment site are embedded in samples. In the latest variant, such credentials need to be supplied in the command line under a particular parameter, keeping analysts from obtaining them from the sample itself.
Command-line parameters give attackers flexibility when running the payload by adding or removing functionality. MSTIC researchers found a range of parameters across different samples in the new variant.
“Overall, it appears different versions have different parameters that are constantly updated,” they wrote. “Unlike in previous variants where there was a ‘help’ menu, in the new variant, the attacker must know the parameters beforehand. Since all strings are encrypted, it makes finding the parameters challenging for security researchers.”
The ransom note delivered with Hive also has changed, with the latest version referring to the .key files with the new file name convention and adding a new sentence about virtual machines.