BOOK THIS SPACE FOR AD
ARTICLE ADThe Hive ransomware gang ported its encryptor to the Rust programming language and implemented new features.
The Hive ransomware operation has developed a Rust version of their encryptor and added new features to prevent curious from snooping on the victim’s ransom negotiations.
According to BleepingComputer, which focused on Linux VMware ESXi encryptor, the Hive ransomware operators have updated their encryptor by introducing features that were implemented in the past by the BlackCat/ALPHV ransomware operation.
The BlackCat ransomware gang, unlike other ransomware operations, removed Tor negotiation URLs from their encryptor to prevent third parties from accessing the negotiation page and interfering in the communication between the victims and the gang. The URL in the BlackCat’s approach is passed as a command-line argument when the encryptor is executed.
In previous infections of Hive ransomware, victims were asked to connect to the negotiation page by using login credentials assigned to them and that were previously stored in the encryptor executable. This was to store credentials represented a weakness in the negotiation process.
The Rust version of the Hive Linux encryptor, version v5, was spotted by the Group-IB security researcher rivitna, who highlighted that is has a 0 detection rate. The researchers also noticed that Hive ransomware operation has ported builds (Windows, Linux, ESXi) to Rust using the same sources.
Thanks a lot for the article!
Lawrence focused on ESXi in the article, but this applies to all builds (Windows, Linux, ESXi). All builds are developed on the same Rust sources.
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, ransomware)