The Hive ransomware group has ported its VMware ESXi Linux encryptor to the Rust programming language and added new features that make it harder for security researchers to eavesdrop on victims' ransom negotiations.
Ransomware gangs are building dedicated encryptors for these platforms as enterprises grow increasingly reliant on virtual machines to conserve hardware resources, consolidate servers, and simplify backups.
Because VMware ESXi is the most widely used virtualization platform in the enterprise, ransomware gangs' Linux encryptors usually target it.
Hive has targeted VMware ESXi systems with a Linux encryptor for some time, but a newly discovered sample shows that the gang has updated that encryptor with features first introduced by the BlackCat/ALPHV ransomware operation.
Hive borrows BlackCat's features
When a ransomware gang attacks a victim, the attackers try to negotiate in private, warning the victim that its data will be leaked, and its reputation damaged, if the ransom is not paid.
When ransomware samples are uploaded to public malware analysis platforms, security researchers are often able to extract the ransom note and use the negotiation details it contains to eavesdrop on the talks.
In many cases these negotiations are then posted publicly on Twitter and elsewhere, which causes them to collapse.
To prevent this, the BlackCat ransomware group removed the Tor negotiation URL from its encryptor. Instead, the URL must be supplied as a command-line argument when the encryptor is run.
Because the URL is not embedded in the executable and is only passed to it at run time, researchers who obtain the sample cannot recover it.
Hive ransomware already requires a username and password to access a victim's Tor negotiation page, but these credentials were previously stored inside the encryptor binary, making them easy to recover.
According to a new Hive Linux encryptor discovered by Group-IB security researcher rivitna, the operation now requires the attacker to pass the username and login password as command-line parameters when launching the encryptor.
By copying BlackCat's technique, Hive has made it hard to recover negotiation login credentials from its Linux samples: the credentials now appear only in the ransom notes written during the attack, and in the command line used to launch the encryptor on the victim's hosts.
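As an added example (not Hive's or BlackCat's code, and not taken from the page), the script below shows both sides of the change: a strings(1)-style sweep that recovers an embedded onion URL and login from a constructed "old-style" sample but nothing from a constructed "new-style" one, and a parser for auditd EXECVE records that recovers the same values from the command line of the launched process. The onion address, the two fake binaries, the audit records and the -u/-p switch names are all constructed for the demonstration; Hive's real option names are not given on the page and are not assumed here.

```python
"""Added example, not Hive's or BlackCat's code: why negotiation credentials
supplied on the command line defeat static extraction from a sample, and
where a defender can still recover them (process execution telemetry).
All binaries, log records, hostnames and switch names here are constructed."""
import re

# Tor v3 (56-char) or v2 (16-char) onion hostnames.
ONION_RE = re.compile(r"\b(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion\b")

# Constructed onion address (valid base32 alphabet, not a real service).
ONION = "exampleonionaddressconstructedforthisdemonstrationonlyab.onion"

# --- Part 1: static recovery from the sample itself -----------------------

def extract_strings(blob: bytes, min_len: int = 8):
    """Printable-ASCII runs of at least min_len bytes, as strings(1) would list."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

def onion_urls_in(text: str):
    return ONION_RE.findall(text)

def negotiation_artifacts(blob: bytes):
    """Onion hostnames and credential-looking key=value pairs in a sample."""
    found = {"onion": [], "kv": []}
    for s in extract_strings(blob):
        found["onion"] += onion_urls_in(s)
        found["kv"] += re.findall(r"\b(?:login|user|pass(?:word)?)=[^\s]+", s)
    return found

JUNK = b"\x7fELF\x02\x01\x01" + b"\x00\x01\x02\x03" * 32   # stand-in for code

# Old style: URL and login embedded in the binary (constructed, not a real sample).
OLD_STYLE = (JUNK + b"\x00http://" + ONION.encode() + b"/login\x00"
             + b"login=victim_demo\x00pass=Demo-Secret-1\x00"
             + b"unrelated_symbol_name\x00")

# New style: only a usage string survives; the values arrive via argv.
NEW_STYLE = (JUNK + b"\x00usage: encryptor -u <login> -p <password> <tor-url>\x00"
             + b"unrelated_symbol_name\x00")

# --- Part 2: recovery from auditd process-execution records ---------------

# auditd EXECVE records carry argv as a0="..." a1="..."; an argument containing
# spaces, quotes or control bytes is emitted unquoted and hex-encoded instead.
EXECVE_ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')

def parse_execve(line: str):
    """Reconstruct argv from one auditd EXECVE record, or None for other types."""
    if "type=EXECVE" not in line:
        return None
    argv = {}
    for idx, quoted, hexed in EXECVE_ARG_RE.findall(line):
        argv[int(idx)] = (bytes.fromhex(hexed).decode("utf-8", "replace")
                          if hexed else quoted)
    return [argv[i] for i in sorted(argv)]

# Hypothetical credential-style switches for the demo; Hive's real option
# names are not documented on the page and are not assumed here.
CREDENTIAL_SWITCHES = {"-u", "--user", "-p", "--pass", "--password"}

def secrets_from_cmdline(argv):
    """Values following a credential-style switch, plus any onion URL in argv."""
    hits = []
    for i, arg in enumerate(argv):
        if arg in CREDENTIAL_SWITCHES and i + 1 < len(argv):
            hits.append((arg, argv[i + 1]))
        for url in onion_urls_in(arg):
            hits.append(("onion", url))
    return hits

def walk_audit_log(lines):
    """(executable, recovered secrets) for every EXECVE record in the log."""
    out = []
    for line in lines:
        argv = parse_execve(line)
        if argv:
            out.append((argv[0], secrets_from_cmdline(argv)))
    return out

# Constructed auditd records; a4 is "Demo Secret 1", hex-encoded because of the spaces.
AUDIT_LOG = [
    'type=SYSCALL msg=audit(1660000000.101:2001): arch=c000003e syscall=59 '
    'success=yes exit=0 comm="encryptor" exe="/tmp/encryptor"',
    'type=EXECVE msg=audit(1660000000.101:2001): argc=6 a0="/tmp/encryptor" '
    'a1="-u" a2="victim_demo" a3="-p" a4=44656D6F205365637265742031 '
    'a5="http://' + ONION + '/login"',
]

if __name__ == "__main__":
    print("old-style sample:", negotiation_artifacts(OLD_STYLE))
    print("new-style sample:", negotiation_artifacts(NEW_STYLE))
    for exe, hits in walk_audit_log(AUDIT_LOG):
        print(exe, "->", hits)
```

The point for defenders: moving the secret from the binary into argv hides it from anyone who only has the sample, but not from process-execution telemetry (auditd EXECVE records, /proc/<pid>/cmdline, EDR command-line capture) on the Linux hosts where the encryptor was launched, and ESXi keeps its own log of interactive shell commands. Preserving that telemetry early in an incident is therefore worth prioritising. Note also that switch names and usage strings usually still survive in the binary; only the values do not.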
It is unclear whether the Hive Windows encryptors currently use this additional command-line parameter, but if they do not, it will likely be added soon.
Hive is continuing to copy BlackCat, rivitna says, by switching its Linux encryptor from Golang to the Rust programming language to make the samples more efficient and harder to reverse engineer.
“Rust provides for safer, faster, and more efficient code, but code optimization complicates Rust program analysis,” rivitna told BleepingComputer in a Twitter conversation.
Because encrypting VMware ESXi virtual machines is such an important part of a successful attack, ransomware developers keep refining their code, not only to make it more efficient but also to keep their activities and negotiations hidden.
As more enterprises virtualize their servers, ransomware authors will continue to target not only Windows devices but also ESXi hosts with dedicated Linux encryptors.
Security teams and system administrators should therefore monitor their Linux and ESXi hosts for indicators of attack, including process execution telemetry: credentials that are supplied on the command line are hidden from anyone analysing the sample, but they remain visible in the execution logs of the host on which the encryptor was launched.