[MART] - Daily Diary #546 - New Hive Ransomware Written in Rust

CTAS-MAT ctas-mat at appgate.com
Wed Jul 6 19:53:33 UTC 2022


Hello,

I hope everyone is doing well!

Below is the entry for today.

07/06/2022 - Diary entry #546:

First discovered in June last year (and covered in our Daily Diary #332), Hive is a ransomware threat that operates using the double-extortion model: it steals data before encrypting it and threatens to publish the data if the ransom is not paid.

Hive ransomware samples were written in the Go language, and the group's attacks have grown significantly in a short time, with 155 victims claimed so far on their wall-of-shame blog, HiveLeaks. Now a new version of Hive ransomware has been discovered, containing several upgrades.

Among these upgrades, the new Hive ransomware is written in the Rust language, uses more evasive encrypted strings, supports command-line arguments that give the operator flexibility when running the payload, and has completely changed its encryption scheme. Hive now uses a different set of algorithms: Elliptic Curve Diffie-Hellman (ECDH) with Curve25519 and XChaCha20-Poly1305.

This new version of Hive had been expected since February 2022, when a group of researchers published an article on defeating Hive ransomware encryption (covered in our Daily Diary #467). Right after that, this new variant was first uploaded to VirusTotal.

These upgrades show how effective it is to find a problem or flaw at the top of what we call the "Pyramid of Pain": adversaries are forced to change their TTPs, which increases the cost of their operation.

Kind Regards,




Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>

