The creators of the Hive ransomware have translated their VMware ESXi Linux cryptographer into the Rust programming language and added several new features that make it more difficult for researchers to monitor negotiations between victims and extortionists.
As enterprises become more and more dependent on virtual machines to save computing resources, consolidated servers and faster backups, ransomware operators create special cryptographers for these services.
Linux cryptographers usually attack VMware ESXI virtualization platforms, as they are most often used in enterprises.
Although the Hive ransomware has been using the Linux cryptographer to attack VMware ESXi servers for some time, judging by the new samples, they have updated the cryptographer by adding features that first appeared in the BlackCat/ALPHV ransomware.
When ransomware attacks a victim, they tend to negotiate with her about the ransom in strict confidence. However, when a sample of the cryptographer gets to open services for malware analysis, they are immediately studied by researchers who find a ransom note and can observe the course of negotiations. In many cases, negotiations are published in the public domain, and the deal to pay the ransom is disrupted.
In order to avoid this, BlackCat operators have removed the URLs of the pages in Tor where negotiations are being conducted from their cryptographer. Instead, the URL is passed as a command-line argument during the execution of the ransomware. And because of this, researchers studying the cryptographer cannot get the URL of the pages where negotiations are conducted.
Although Hive had previously required a username and password to access the Tor negotiation page, these credentials were stored in the encryptor executable file, which made it easier to get them.
The new Hive Cryptographer, detected The rivitna security researcher of the Group-IB company now requires an attacker to specify a username and password to log in as a command-line argument when launching malware. By copying BlackCat’s tactics, Hive made it impossible to obtain login credentials from the cryptographer’s samples, since from now on they are only available in ransom notes created during the attack.
In addition, Hive no longer uses the Golang programming language, but Rust, which has increased its performance and complicated reverse engineering.