Hive, one of the most prevalent ransomware-as-a-service variants, has been rewritten in Rust. The malware is updated more often than previously thought, which lets new builds slip past detection.
Ransomware-as-a-service groups operate like professional software vendors. One or more members develop and sell a malware variant; distribution is left to the customers (affiliates), so the core group can focus on product development. The malware is typically offered on a subscription basis: in exchange for a monthly fee, criminals receive a user-friendly program and regular updates.
Hive was first observed in 2021 and has since become one of the most widely deployed ransomware families. Its continuous updates and diverse set of operators mark it as the product of a ransomware-as-a-service group. In a recent analysis, the Microsoft Threat Intelligence Center (MSTIC) found that the malware has been rewritten in the Rust programming language.
Rust remains under the radar
Hive has more versions than previously known. According to MSTIC, the developers push minor adjustments to stay ahead of detection, and successfully so: at the time of the analysis, none of the new versions were correctly identified as Hive. Any change to a compiled file invalidates hash-based indicators, so detection has to key on code patterns and behaviour rather than on the hashes of previously analysed samples.
Hive was originally written in Go; the new variant is written in Rust. The language offers ransomware-as-a-service groups several advantages. According to MSTIC, its syntax is user-friendly, which helps group members collaborate quickly; it provides memory safety and fine control over low-level resources; it gives access to a wide range of cryptographic libraries; and its compiled binaries are relatively hard to reverse-engineer, which slows researchers down.
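Why a minor rebuild is enough to defeat hash-based indicators, as an added illustration (not Microsoft's analysis and not Hive's code): two constructed byte strings stand in for two builds of one malware family that differ only in a version string and a call offset. A published SHA-256 of the first build no longer matches the second, while a YARA-style hex pattern with wildcard bytes over the unchanged code still does. The byte sequences, the pattern rules and the "published hash" are all hypothetical sample data.

```python
"""
Added illustration: per-build hash indicators versus a wildcard byte pattern.
All sample bytes below are constructed; no real Hive indicators are used.
"""
import hashlib
import re

# Constructed stand-in for the analysed build: a short "instruction sequence",
# an embedded version string, a relative call and a return.
BUILD_A = (b"\x55\x48\x89\xe5\x48\x83\xec\x20"
           + b"version=1.0.0;"
           + b"\xe8\x10\x00\x00\x00\xc3")

# Constructed stand-in for a later build: same code, but the version string and
# the 4-byte call offset changed. Every byte-exact indicator of the file differs.
BUILD_B = (b"\x55\x48\x89\xe5\x48\x83\xec\x20"
           + b"version=1.0.1;"
           + b"\xe8\x30\x00\x00\x00\xc3")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_iocs_match(sample: bytes, known_hashes: set) -> bool:
    """Tier 1: exact file hash. Breaks on any single-byte change."""
    return sha256_hex(sample) in known_hashes


def compile_hex_pattern(pattern: str) -> re.Pattern:
    """Tier 2: YARA-style hex string with '??' wildcards, e.g. 'e8 ?? ?? ?? ?? c3'.
    Each '??' becomes a regex '.' that may match any byte (DOTALL)."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


# Hypothetical code-pattern rules: the unchanged prologue, and the call opcode
# with its variable relative offset wildcarded, followed by ret.
CODE_PATTERN = compile_hex_pattern("55 48 89 e5 48 83 ec 20")
CALL_PATTERN = compile_hex_pattern("e8 ?? ?? ?? ?? c3")


def code_patterns_match(sample: bytes) -> bool:
    return bool(CODE_PATTERN.search(sample)) and bool(CALL_PATTERN.search(sample))


def classify(sample: bytes, known_hashes: set) -> dict:
    """Result of both detection tiers for one sample."""
    return {
        "hash_match": hash_iocs_match(sample, known_hashes),
        "pattern_match": code_patterns_match(sample),
    }


if __name__ == "__main__":
    known = {sha256_hex(BUILD_A)}  # the only hash a feed would have published
    for name, build in (("build A", BUILD_A), ("build B", BUILD_B)):
        print(name, classify(build, known))
```

Build A matches on both tiers; build B fails the hash check and matches only the wildcard pattern. The same reasoning is why pattern and behaviour rules written from one sample can carry over to later builds, while a hash feed has to be refreshed for every rebuild the developers ship.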
Hive is not the first ransomware written in Rust; BlackCat, another widely used family, set the trend. It is likely only a matter of time before other families follow suit.
Ransomware-as-a-service groups are of particular interest to security vendors: insight into how an attacker's malware works is what makes it possible to block an attack. That is why MSTIC actively investigates these groups. Know your enemy, as the saying goes.
Whenever the team works out how a variant operates, the findings are fed into Microsoft's security products so that they can block the variant or the group behind it. Microsoft 365 Defender and Microsoft Sentinel have been updated to detect Hive's new versions.