The Hive ransomware group has changed programming language: researchers observed that its earlier ransomware variants were written in Golang, while the latest variants have been rewritten in Rust.
Researchers said the group's most significant update is a more complex encryption scheme. The new variant uses string encryption, which makes the payload harder to analyse and detect.
The encrypted strings reside in the .rdata section and are decrypted at runtime by XORing them with constants. Another notable change in the new Hive strain is the use of Elliptic Curve Diffie-Hellman key exchange over Curve25519, combined with XChaCha20-Poly1305, to encrypt files.
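The runtime string decryption described above is a common obfuscation pattern, and the analyst's side of it is straightforward: once the XOR constants are recovered from the decryption routine (or derived from a known cleartext string), the whole table can be decoded offline. The following helper is an added example written for this article, not code from the Hive sample or from the researchers who analysed it; the 4-byte key and the byte blob standing in for an .rdata section are constructed for illustration and are not values from the malware.

```python
"""Recover XOR-obfuscated strings from a data blob (analyst helper).

Added example, not code from the original article or from the Hive
sample. The article only states that strings live in .rdata and are
XORed with constants at runtime; the key and blob below are constructed.
"""
from __future__ import annotations

import string

# Printable ASCII minus control whitespace; NUL is treated as a terminator.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def xor_decrypt(blob: bytes, key: bytes) -> bytes:
    """XOR each byte of blob with the repeating multi-byte key (self-inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Split decrypted data on NUL terminators and keep printable runs."""
    out = []
    for chunk in data.split(b"\x00"):
        if len(chunk) >= min_len and all(c in PRINTABLE for c in chunk):
            out.append(chunk.decode("ascii"))
    return out


def recover_strings(blob: bytes, key: bytes, min_len: int = 4) -> list[str]:
    """Decrypt an obfuscated string table and return its cleartext strings."""
    return extract_strings(xor_decrypt(blob, key), min_len)


def derive_key_from_crib(blob: bytes, crib: bytes, offset: int, key_len: int) -> bytes:
    """Known-plaintext recovery of a repeating XOR constant.

    If the analyst knows which cleartext string sits at `offset` in the
    obfuscated blob (e.g. a file extension seen in the ransom note), XORing
    it back out yields the key bytes. Key positions that the crib covers
    more than once must agree; that is the sanity check on the guess.
    """
    if len(crib) < key_len:
        raise ValueError("crib must cover at least one full key period")
    key: list[int | None] = [None] * key_len
    for i, c in enumerate(crib):
        pos = (offset + i) % key_len
        k = blob[offset + i] ^ c
        if key[pos] is None:
            key[pos] = k
        elif key[pos] != k:
            raise ValueError("crib does not fit at this offset")
    return bytes(key)  # type: ignore[arg-type]


# Constructed sample: a pretend .rdata string table, NUL-separated,
# obfuscated with a made-up 4-byte constant. Neither the key nor the
# strings come from the real malware.
SAMPLE_KEY = bytes.fromhex("5a3c9e17")
_CLEARTEXT = b"sample.key\x00ransom-note-placeholder.txt\x00\x01\x02"
SAMPLE_BLOB = xor_decrypt(_CLEARTEXT, SAMPLE_KEY)


if __name__ == "__main__":
    for s in recover_strings(SAMPLE_BLOB, SAMPLE_KEY):
        print(s)
    # Derive the key from the second string, which starts at offset 11.
    print(derive_key_from_crib(SAMPLE_BLOB, b"ransom-note-placeholder.txt", 11, 4).hex())
```

In practice the key comes from the decryption routine itself (the constants are visible in the disassembly), and the decoded strings feed straight into detection content: file extensions, note filenames and command strings that are invisible to a plain strings dump of the binary.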
The ransom note deployed by the Hive operators has also changed: the new version refers to .key files, which follow a new file-naming convention, and it adds a sentence about virtual devices.
Hive saw several advantages in changing programming language, which is why it switched to Rust.
Hive is not the first ransomware family written in Rust; BlackCat pioneered the language among ransomware groups. Researchers noted that Rust offers threat actors several advantages, such as memory safety, type safety and thread safety, as well as capable cryptographic libraries and code that is harder to reverse engineer.
Recent reports revealed that the Hive ransomware group had been actively targeting countries such as the United States, the United Kingdom and Germany. Between March 2021 and March 2022, Hive and other groups targeted more than 500 organisations across sectors such as manufacturing, small businesses and software development.
The monitored campaigns followed a consistent chain: infecting the corporate network, deploying the malware, removing shadow copies, deleting backups and then completing their objectives.
Organisations can counter the tactics of the newly discovered Hive strain by adopting the recommended security measures. Experts recommend incorporating the published IoCs into monitoring and reporting in order to check for the presence of such threats and assess potential intrusions.