The Hive group, which has become one of the most prolific ransomware-as-a-service (RaaS) operators, has significantly overhauled its malware, including migrating the code to the Rust programming language and using a more complex file encryption process.
Researchers at the Microsoft Threat Intelligence Center (MSTIC) uncovered the Hive variant while analyzing a change in the group’s methods.
“With its latest variant carrying several major upgrades, Hive also proves it’s one of the fastest evolving ransomware families, exemplifying the continuously changing ransomware ecosystem,” the researchers said in a write-up this week.
Hive was first detected in June 2021, with the data-encrypting software being offered to affiliates that pay to use the ransomware in their own campaigns. The number of ransomware infections continues to grow, with Panda Security seeing a 62 percent year-over-year jump in extortionware use in 2021, which accounted for 10 percent of all cyber-attacks. According to third-party risk management firm UpGuard, which has seen similar numbers, a key driver has been the rise of RaaS.
Affiliates can earn as much as 80 percent of each ransom payment, according to UpGuard.
Like most of the newer ransomware groups, the Hive operators run double-extortion campaigns: siphoning data, encrypting the files, and telling the victims their stolen information will be leaked if they refuse to pay the ransom.
According to Trend Micro, energy companies have been a top target for Hive followed by healthcare facilities, financial services institutions, and the media. Between June and December 2021, the gang compromised 355 enterprises and the group has hit an average of three companies per day since first being detected, the researchers wrote in a report in March. The FBI issued an advisory about the group in August 2021.
The Hive gang garnered attention when it hit Costa Rica’s national public health services agency in May.
It also continues to evolve its operations. In October 2021, the group rolled out malware to encrypt Linux and FreeBSD systems, and in April the group began targeting Microsoft Exchange Servers.
The recent work by MSTIC researchers uncovered the latest variant.
“This analysis led to the discovery of the new Hive variant and its multiple versions, which exhibit slightly different available parameters in the command line and the executed processes,” they wrote. “Analyzing these patterns in samples of the new variants, we discovered even more samples, all with a low detection rate and none being correctly identified as Hive.”
The updates to Hive will have far-reaching impacts given that its RaaS payload has been used in attacks against organizations in a range of industries by large ransomware affiliates, such as DEV-0237.
The key change in the updates is Hive’s switch from the Go programming language to Rust, which offers memory safety at compile time for greater stability, deep control over low-level resources, and a variety of cryptographic libraries for fast file scrambling.
In addition, being written in Rust will make the Hive code a little more difficult to reverse-engineer, according to Microsoft researchers. Hive isn’t the first ransomware to be written in Rust; BlackCat is another example.
Detecting the Hive variant also is harder, according to MSTIC.
“The new Hive variant uses string encryption that can make it more evasive,” the researchers wrote, referring to the malware’s executable. “Strings reside in the .rdata section and are decrypted during runtime by XORing with constants. The constants that are used to decrypt the same string sometimes differ across samples, making them an unreliable basis for detection.”
Hive now also includes features to stop security services and processes, such as Microsoft Defender Antivirus, that might otherwise slow the attack chain.
The data encryption mechanism in the variant also is significant, the researchers wrote. It uses a fresh set of algorithms: Elliptic Curve Diffie-Hellman with Curve25519 and XChaCha20-Poly1305, which provides authenticated encryption with a ChaCha20 symmetric cipher.
Hive’s method is unique, according to MSTIC.
“Instead of embedding an encrypted key in each file that it encrypts, it generates two sets of keys in memory, uses them to encrypt files, and then encrypts and writes the sets to the root of the drive it encrypts, both with .key extension,” the researchers wrote. To indicate which key was used, the name of the file containing the corresponding encryption key is added to the name of the encrypted file on disk.
Likewise, the variant’s command-line interface hinders analysis by threat hunters, to a degree. In previous strains, the username and password used to access the Hive ransom payment site were embedded in the executable. In the latest variant, such credentials need to be supplied in the command line via a particular parameter, keeping analysts from obtaining them from samples of the code.
That is to say, the username and password are specified by the miscreants when they run Hive on a victim’s machine. These details are then included in the generated ransom note. If an analyst gets a sample executable by itself, they won’t know how to access the ransom site and nose around it.
Command-line parameters give attackers flexibility when running the payload by adding or removing functionality. MSTIC researchers found a range of supported parameters across different samples in the latest variant.
“Overall, it appears different versions have different parameters that are constantly updated,” they wrote. “Unlike in previous variants where there was a ‘help’ menu, in the new variant, the attacker must know the parameters beforehand. Since all strings are encrypted, it makes finding the parameters challenging for security researchers.”
The ransom note delivered with Hive also has changed, with the latest version referring to the .keys files with the new file name convention and a new mention of virtual machines. ®