Hive ransomware's latest variant carries several major upgrades, says Microsoft


Devdiscourse News Desk | California | Updated: 06-07-2022 14:40 IST | Created: 06-07-2022 14:40 IST

Microsoft Threat Intelligence Center (MSTIC) has discovered a new variant of the Hive ransomware, which was first observed in June 2021. The latest variant carries several major upgrades, with the most notable changes including a full code migration to another programming language and the use of a more complex encryption method.

"With its latest variant carrying several major upgrades, Hive also proves it's one of the fastest evolving ransomware families, exemplifying the continuously changing ransomware ecosystem," the MSTIC team wrote in a blog post providing an in-depth analysis of the new Hive variant, including its main features and upgrades.

According to Microsoft security researchers, the programming language used in old variants was Go (also referred to as GoLang), while the new Hive variant is written in Rust. By switching the underlying code to Rust, the ransomware benefits from the following advantages that Rust has over other languages:

  • It offers memory, data type, and thread safety
  • It has deep control over low-level resources
  • It has a user-friendly syntax
  • It has several mechanisms for concurrency and parallelism, thus enabling fast and safe file encryption
  • It has a good variety of cryptographic libraries
  • It’s relatively more difficult to reverse-engineer

Another difference between the old and the new Hive variant is that the latter uses string encryption that can make it more evasive.

Next up, Hive's ransom note has also changed, with the new version referencing the .key files with their new file name convention and adding a sentence about virtual machines (VMs).

The most interesting change in the Hive variant, according to MSTIC, is its cryptography mechanism. The new variant uses a unique approach to file encryption. Instead of embedding an encrypted key in each file that it encrypts, it generates two sets of keys in memory, uses them to encrypt files, and then encrypts the key sets and writes them to the root of the drive it encrypts, both with the .key extension.

More details can be found here.
