Operators of the Hive ransomware-as-a-service (RaaS) program have overhauled their file-encrypting malware, rewriting it entirely in Rust and adopting a more sophisticated encryption method.
“With the latest variant bringing some major upgrades, Hive also proves to be one of the fastest growing ransomware families, testament to the constantly changing ransomware ecosystem,” the Microsoft Threat Intelligence Center (MSTIC) said in a report on Tuesday.
Hive, first observed in June 2021, has emerged as one of the most prolific RaaS operations, accounting for 17 attacks in May 2022 alone, alongside Black Basta and Conti.
The switch from Go to Rust makes Hive the second ransomware strain after BlackCat to be written in that language, which gives the malware benefits such as memory safety and deeper control over low-level resources, as well as access to a wide range of cryptographic libraries.
It also makes the malware harder to reverse engineer, helping it evade analysis. Moreover, it includes features to terminate services and processes associated with security solutions that might otherwise stop it from running.
Hive is no different from other ransomware families in that it deletes backups to prevent recovery, but what changes dramatically in the new Rust-based variant is its approach to file encryption.
“Instead of embedding an encrypted key in each file it encrypts, it generates two sets of keys in memory, uses them to encrypt the files, and then encrypts and writes the sets to the root of the drive it encrypts, both with the .key extension,” MSTIC explains.
To record which of the two key sets was used to lock a particular file, each encrypted file is renamed to include the name of the key file, followed by an underscore and a Base64-encoded string (for example, `C:\myphoto.jpg.l0Zn68cb_-B82BhIaGhI8`) that points to two different locations in the corresponding .key file.
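The renaming scheme above is something a responder can triage directly from a file listing. The following is an added example (not MSTIC's or Hive's code) that parses the described `<name>.<keyfile>_<Base64>` pattern, recovers the original file name and the `.key` file each encrypted file refers to at the drive root, and groups a constructed listing by key file; the key-token character set, the URL-safe Base64 alphabet and the sample paths are assumptions.

```python
import base64
import binascii
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumed shape of a Hive-renamed file: <original>.<keyfile-name>_<URL-safe Base64>
# The key token is assumed alphanumeric; the suffix alphabet is assumed URL-safe Base64
# (the report's sample suffix "-B82BhIaGhI8" contains '-', so it is not standard Base64).
HIVE_NAME_RE = re.compile(r"^(?P<orig>.+)\.(?P<key>[A-Za-z0-9]+)_(?P<b64>[A-Za-z0-9_-]+)$")


def parse_hive_name(path: str):
    """Return a dict describing a Hive-style renamed file, or None if it does not match."""
    p = PureWindowsPath(path)
    m = HIVE_NAME_RE.match(p.name)
    if not m:
        return None
    b64 = m.group("b64")
    # Unpadded URL-safe Base64: restore '=' padding to a multiple of four before decoding.
    padded = b64 + "=" * (-len(b64) % 4)
    try:
        suffix = base64.urlsafe_b64decode(padded)
    except binascii.Error:
        return None
    key_file = m.group("key") + ".key"
    return {
        "original": m.group("orig"),
        "key_file": key_file,
        # The report says the .key files are written to the root of the encrypted drive.
        "key_file_path": str(PureWindowsPath(p.drive + "\\") / key_file),
        "suffix_bytes": suffix,
    }


def triage_listing(paths, key_files_present):
    """Group matched files by the .key file they reference; flag missing key files."""
    by_key = defaultdict(list)
    for path in paths:
        info = parse_hive_name(path)
        if info:
            by_key[info["key_file_path"]].append(info["original"])
    # Files whose referenced .key is absent cannot be recovered even with the key material.
    missing = sorted(k for k in by_key if k not in key_files_present)
    return {"by_key": dict(by_key), "missing_key_files": missing}


# Constructed sample listing, modelled on the report's example file name.
SAMPLE_PATHS = [
    r"C:\myphoto.jpg.l0Zn68cb_-B82BhIaGhI8",
    r"C:\Users\alice\budget.xlsx.l0Zn68cb_AAECAwQFBgcI",
    r"D:\share\notes.txt.Zz9AbCdE_CAkKCwwNDg8Q",
    r"C:\Users\alice\report.docx",  # untouched file, should not match
]
SAMPLE_KEY_FILES = {r"C:\l0Zn68cb.key"}  # constructed: only the C: key file was found
```

Running `triage_listing(SAMPLE_PATHS, SAMPLE_KEY_FILES)` groups the two C: files under `C:\l0Zn68cb.key` and reports `D:\Zz9AbCdE.key` as missing.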
The findings come as the threat actor behind the lesser-known AstraLocker ransomware has shut down and released a decryption tool as part of a transition to cryptojacking, Bleeping Computer reported this week.
But in a sign that the cybercrime landscape is constantly changing, cybersecurity researchers have discovered a new ransomware family called RedAlert (aka N13V) that is capable of targeting both Windows and Linux VMware ESXi servers.