Hive Ransomware Switches to Rust to Increase Encryption Complexity

Hive members revamped the encryption software of their Ransomware-as-a-Service (RaaS) and underwent a complete Rust migration so they could switch to a more complex encryption method.

The malicious operation had earlier relied on GoLang, which, although powerful, was less versatile than the newly adopted Rust programming language. After its migration, Hive became the second ransomware strain written in Rust, after BlackCat.

According to the Microsoft Threat Intelligence Center (MSTIC) advisory, the overhaul infused Hive with several powerful capabilities, including:

  • Broader support for cryptographic libraries
  • Advanced control over low-level resources
  • Data type, memory and thread safety
  • Better resistance to reverse-engineering attempts
  • Multiple concurrency and parallelism mechanisms for convenient file encryption
  • Ability to stop several security solution services and processes from hampering its operation (e.g., antivirservice, msmpsvc, windefend, mspub, avagent, winmgmt, backup and mysql)

The revamped version of Hive employs an unorthodox file encryption mechanism based on generating encryption keys in memory, using them, and writing them to the encrypted drive’s root.

“To indicate which keys set was used to encrypt a file, the name of the .key file containing the corresponding encryption keys is added to the name of the encrypted file on disk, followed by an underscore and then a Base64 string (also adding underscore and hyphen to the character set),” MSTIC says. “Once it’s Base64-decoded, the string contains two offsets, with each offset pointing to a different location in the corresponding .key file. This way, the attacker can decrypt the file using these offsets.”
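To make the naming scheme in the MSTIC quote concrete for responders triaging an affected share, here is a small parser written for this article (it is not code from MSTIC or from the malware). It assumes, because the advisory excerpt does not say, that the Base64 variant is the URL-safe alphabet with '-' and '_', that the decoded blob holds two little-endian 32-bit offsets, and that the key-file name is the last dot-separated token before ".key"; the sample file names are constructed.

```python
"""Triage helper for Hive-style encrypted file names (added example).

Assumed layout (not stated on the page):
    <original name>.<keyfile>.key_<url-safe Base64 of two LE uint32 offsets>
"""
from __future__ import annotations

import base64
import re
import struct
from collections import defaultdict
from typing import NamedTuple


class HiveSuffix(NamedTuple):
    original_name: str
    key_file: str          # .key file needed to recover this file
    offsets: tuple[int, int]


# Assumed shape: "<orig>.<token>.key_<b64>", where <b64> may itself contain
# '_' and '-' (hence the separator is the one directly after ".key").
_PATTERN = re.compile(
    r"^(?P<orig>.+?)\.(?P<key>[^._]+\.key)_(?P<b64>[A-Za-z0-9_\-]+=*)$"
)


def _decode_urlsafe(data: str) -> bytes:
    # Re-add any padding the file name may have dropped before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def parse_encrypted_name(name: str) -> HiveSuffix | None:
    """Return the key-file name and two offsets, or None if not Hive-shaped."""
    m = _PATTERN.match(name)
    if m is None:
        return None
    try:
        off1, off2 = struct.unpack("<II", _decode_urlsafe(m.group("b64")))
    except (ValueError, struct.error):  # bad Base64 or not exactly 8 bytes
        return None
    return HiveSuffix(m.group("orig"), m.group("key"), (off1, off2))


def group_by_key_file(names: list[str]) -> dict[str, list[str]]:
    """Map each .key file to the original names that depend on it (triage)."""
    groups: dict[str, list[str]] = defaultdict(list)
    for name in names:
        parsed = parse_encrypted_name(name)
        if parsed is not None:
            groups[parsed.key_file].append(parsed.original_name)
    return dict(groups)


# Constructed sample: offsets 1023 and 16252928 encode to "_wMAAAAA-AA".
SAMPLE_NAMES = ["report.docx.a1b2c3.key__wMAAAAA-AA", "notes.txt"]
```

Grouping the parsed names by key file tells a responder which `.key` files at the drive root must be recovered before any decryption attempt.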

This discovery comes about a week after South Korean cybersecurity agency KISA released a free decryption tool for victims of Hive ransomware. The decryption tool works for files encrypted by Hive versions v1 through v4.

Seeing as the decryptor’s release rendered these versions of the Hive RaaS almost useless, it’s likely that this event triggered the decision to migrate to Rust for high-complexity encryption.