- The group behind Hive ransomware completed a full code migration and overhaul to use a more complex encryption method for its ransomware as a service payload, researchers from Microsoft Threat Intelligence Center found.
- Microsoft describes Hive, which was first observed in June 2021, as one of the most prevalent ransomware payloads and one of the fastest evolving ransomware families.
- By migrating code from Go to Rust, Hive can string encryption that boosts its ability to evade discovery, deepen control over the code and heighten protection against reverse engineering.
The original Hive payload was previously used by large ransomware affiliates to attack organizations in healthcare and software. The Department of Health and Human Services in April warned healthcare organizations of the ransomware group and described it as “exceptionally aggressive.”
The new variant, which Microsoft discovered in multiple samples, has a low-detection rate and is more difficult for enterprises to accurately identify.
“This migration is a sign that the gang is maturing, requiring more technical expertise and new skills to create ever more sophisticated ransomware,” said Michela Menting, research director at ABI Research.
A complete overhaul, including the use of a new programming language, takes time and resources. This suggests the group behind Hive has a long-term plan that bodes ill for organizations.
“It is highly likely that the gang is seeking to entrench itself into the ransomware market and ensure longevity,” Menting said.
Rust provides Hive and other ransomware payloads with deep control over low-level resources. The latest Hive variant also introduces a new cryptography mechanism, according to Microsoft.
“Instead of embedding an encrypted key in each file it encrypts, it generates two sets of keys in memory, uses them to encrypt files, and then encrypts and writes the sets to the root of the drive it encrypts, both with .key extension,” the company wrote on its blog.
Rust is especially effective at processing large amounts of data, a key advantage for ransomware gangs that aim to encrypt as much data as they can in the shortest time possible, Menting said.
The programming language is also more difficult to master, making it harder for security companies and competing ransomware groups to reverse engineer the code.