Hive ransomware ports its encryptor to Rust programming language

The Hive ransomware gang ported its encryptor to the Rust programming language and implemented new features.

The Hive ransomware operation has developed a Rust version of their encryptor and added new features to prevent curious from snooping on the victim’s ransom negotiations.

According to BleepingComputer, which focused on Linux VMware ESXi encryptor, the Hive ransomware operators have updated their encryptor by introducing features that were implemented in the past by the BlackCat/ALPHV ransomware operation.

The BlackCat ransomware gang, unlike other ransomware operations, removed Tor negotiation URLs from their encryptor to prevent third parties from accessing the negotiation page and interfering in the communication between the victims and the gang. The URL in the BlackCat’s approach is passed as a command-line argument when the encryptor is executed.

In previous infections of Hive ransomware, victims were asked to connect to the negotiation page by using login credentials assigned to them and that were previously stored in the encryptor executable. This was to store credentials represented a weakness in the negotiation process.

The Rust version of the Hive Linux encryptor, version v5, was spotted by the Group-IB security researcher rivitna, who highlighted that is has a 0 detection rate. The researchers also noticed that Hive ransomware operation has ported builds (Windows, Linux, ESXi) to Rust using the same sources.

Thanks a lot for the article!
Lawrence focused on ESXi in the article, but this applies to all builds (Windows, Linux, ESXi). All builds are developed on the same Rust sources.

— rivitna (@rivitna2) March 28, 2022

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

The post Hive ransomware ports its encryptor to Rust programming language appeared first on Security Affairs.

Recent Posts
Contact Us

We're not around right now. But you can send us an email and we'll get back to you, asap.

Not readable? Change text. captcha txt