
Hive ransomware ports its Linux VMware ESXi encryptor to Rust


Mar 27, 2022


The Hive ransomware operation has ported its VMware ESXi Linux encryptor to the Rust programming language and added new features that make it harder for security researchers to snoop on a victim's ransom negotiations.

With enterprises increasingly relying on virtual machines to conserve computing resources, consolidate servers, and simplify backups, ransomware gangs are building dedicated encryptors that target these platforms.

These Linux encryptors mostly target the VMware ESXi virtualization platform, as it is the most widely used in the enterprise.

While Hive has been using a Linux encryptor to target VMware ESXi servers for some time, a recently discovered sample shows they have updated it with features first introduced by the BlackCat/ALPHV ransomware operation.

Hive borrows features from BlackCat

When ransomware operations attack a victim, they try to keep the negotiations private, warning victims that the talks must stay confidential and that their stolen data will be published, with the resulting reputational damage, if the ransom is not paid.

However, when ransomware samples are uploaded to public malware analysis services, they are often found by security researchers, who can extract the ransom note and follow the negotiations.

In many cases, these negotiations are then published on Twitter and elsewhere, causing them to break down.

To prevent this, the BlackCat ransomware gang removed the Tor negotiation URL from its encryptor. Instead, the URL has to be passed as a command-line argument when the encryptor is run.

This prevents researchers who find the sample from obtaining the URL, because it is not embedded in the executable and is only supplied to it at runtime.

Although Hive already required a login name and password to access a victim's Tor negotiation page, these credentials were previously embedded in the encryptor executable, making them easy to retrieve.

[Image: Hive Tor ransom negotiation site]

In a new Hive Linux encryptor found by Group-IB security researcher rivitna, the Hive operation now requires the attacker to provide the login name and password as command-line arguments when launching the malware.

[Image: Instructions for Hive ransomware affiliates]
Source: rivitna

By copying BlackCat's tactics, the Hive ransomware operation has made it impossible to retrieve negotiation credentials from the Linux malware samples alone; the credentials are now only available in the ransom notes created during an attack.
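The practical effect of this change is easiest to see with a strings-style triage pass over a binary. The following Python is an added example, not code from the article or from any ransomware sample: it scans a byte blob for a v3 `.onion` URL and `login:`/`password:`-style key/value strings, which is roughly what a researcher does to pull negotiation details out of an uploaded sample. The two blobs are constructed stand-ins: one mimics the older layout with the URL and credentials embedded, the other mimics the new layout where the binary only carries a usage string and the values arrive via argv. Only ASCII strings are handled; UTF-16 strings from Windows builds would need a separate pass.

```python
import re

# Constructed stand-in for an older-style encryptor: the Tor URL and the
# negotiation credentials are embedded as plain strings in the binary.
ONION_HOST = b"example" * 8 + b".onion"  # 56 base32 chars, like a v3 onion address
OLD_STYLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"http://" + ONION_HOST + b"/login\x00"
    + b"login: victim-a1b2c3\x00password: s3cr3t-negotiation\x00"
    + b"\x00" * 16
)

# Constructed stand-in for the new-style encryptor: only a usage string is
# present; the real values are supplied on the command line at run time.
NEW_STYLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"usage: encryptor -u <login> -p <password> [-t <threads>]\x00"
    + b"\x00" * 16
)

# v3 onion addresses are 56 base32 characters followed by ".onion".
ONION_RE = re.compile(rb"(?:https?://)?[a-z2-7]{56}\.onion(?:/[\w./-]*)?")
# Key/value credential strings such as "login: x" or "password=y".
CRED_RE = re.compile(
    rb"(login|user(?:name)?|pass(?:word)?)\s*[:=]\s*([^\x00\s]+)", re.IGNORECASE
)


def printable_strings(blob, min_len=8):
    """Return printable ASCII runs of at least min_len bytes (like `strings`)."""
    return [m.group(0).decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def extract_negotiation_artifacts(blob):
    """Pull onion URLs and credential-like key/value pairs out of a binary."""
    urls = sorted({m.group(0).decode() for m in ONION_RE.finditer(blob)})
    creds = {k.decode().lower(): v.decode() for k, v in CRED_RE.findall(blob)}
    return {"onion_urls": urls, "credentials": creds}


def credentials_embedded(blob):
    """True if the sample alone yields a negotiation URL or credentials."""
    found = extract_negotiation_artifacts(blob)
    return bool(found["onion_urls"] or found["credentials"])


if __name__ == "__main__":
    for name, blob in (("old-style", OLD_STYLE_BLOB), ("new-style", NEW_STYLE_BLOB)):
        print(name, extract_negotiation_artifacts(blob))
        print("  strings:", printable_strings(blob))
        print("  recoverable from sample:", credentials_embedded(blob))
```

Against the old-style blob the scan recovers the URL and both credentials; against the new-style blob it finds only the usage text, which is why the values now have to be taken from a ransom note dropped during an actual intrusion.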

It is unknown whether the Hive Windows encryptors currently use this new command-line argument, but if they do not, it will likely be added soon.

Rivitna also told BleepingComputer that Hive has continued to copy BlackCat by porting its Linux encryptor from Golang to the Rust programming language, making the ransomware samples more efficient and harder to reverse engineer.

“Rust makes it possible to get more secure, fast and efficient code, while code optimization complicates the analysis of the Rust program,” Rivitna told BleepingComputer in a chat on Twitter.

Because encrypting VMware ESXi virtual machines is a critical part of a successful attack, ransomware operations are constantly developing their code, not only to make it more efficient but also to keep their operations and negotiations secret.

As more companies move their servers to virtualization, ransomware developers will keep targeting not only Windows devices but also building dedicated Linux encryptors aimed at ESXi.

Security professionals and network administrators should therefore watch their Linux servers, ESXi hosts included, as closely as their Windows estate for signs of attack.

This post, "Hive ransomware ports its Linux VMware ESXi encryptor to Rust", was originally published at https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/

By admin
