Connect with us

Hi, what are you looking for?

Hard News Hard Hitting News Source Global Political News

Cyber Security

Hive ransomware ports its Linux VMware ESXi encryptor to Rust

The Hive ransomware operation has converted their VMware ESXi Linux encryptor to the Rust programming language and added new features to make it harder for security researchers to snoop on victim’s ransom negotiations.

As the enterprise becomes increasingly reliant on virtual machines to save computer resources, consolidate servers, and for easier backups, ransomware gangs are creating dedicated encryptors that focus on these services.

Ransomware gang’s Linux encryptors typically target the VMware ESXI virtualization platforms as they are the most commonly used in the enterprise.

While Hive has been using a Linux encryptor to target VMware ESXi servers for some time, a recent sample shows that they updated their encryptor with features first introduced by the BlackCat/ALPHV ransomware operation.

Hive borrows features from BlackCat

When ransomware operations attack a victim, they try to conduct their negotiations in private, telling victims if a ransom is not paid their data will be published and they will suffer a reputational hit.

However, when ransomware samples are uploaded to public malware analysis services, they are commonly found by security researchers who can extract the ransom note and snoop on negotiations.

In many cases, these negotiations are then publicized on Twitter and elsewhere, causing negotiations to fail.

The BlackCat ransomware gang removed Tor negotiation URLs from their encryptor to prevent this from happening. Instead, it required the URL to be passed as a command-line argument when the encryptor is executed.

This feature prevents researchers who find the sample from retrieving the URL as it’s not included in the executable and only passed to the executable at run time.

While the Hive Ransomware already requires a login name and password to access a victim’s Tor negotiation page, these credentials were previously stored in encryptor executable, making them easy to retrieve.

Hive Tor ransom negotiation site
Hive Tor ransom negotiation site

In a new Hive Linux encryptor found by Group-IB security researcher rivitna, the Hive operation now requires the attacker to supply the user name and login password as a command-line argument when launching the malware.

Instructions to Hive ransomware affiliates
Instructions to Hive ransomware affiliates
Source: rivitna

By copying BlackCat’s tactics, the Hive ransomware operation has made it impossible to retrieve negotiation login credentials from Linux malware samples, with the credentials now only available in ransom notes created during the attack.

It is not known if the Hive Windows encryptors are also using this new command-line argument at this time, but if not, we will likely see it added shortly.

Rivitna also told BleepingComputer that Hive continued to copy BlackCat by porting their Linux encryptor from Golang to the Rust programming language to make the ransomware samples more efficient and harder to reverse engineer.

“Rust allows to get safer, fast, and efficient code, while code optimization complicates analysis of Rust program,” rivitna told BleepingComputer in a chat on Twitter.

With the encryption of VMware ESXi virtual machines a critical part of a successful attack, ransomware operations are constantly evolving their code to not only be more efficient, but to keep the operations and negotiations secret.

As more businesses move to virtualization for their servers, we will continue to see ransomware developers not only focus on Windows devices, but also create dedicated Linux encryptors targeting ESXi.

Advertisement. Scroll to continue reading.

Due to this, all security professionals and network admins need to pay close attention to their Linux servers to detect signs of attacks.

Source: https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

The Colorado Department of Higher Education (CDHE) discloses a massive data breach impacting students, past students, and teachers after suffering a ransomware attack in...

Cyber Security

Using a vulnerability in MOVEit Transfer, hackers gained access to 8 to 11 million individuals’ ‘Users Data’ protected health information. Maximus, a US government contracting...

Cyber Security

Security researchers have dissected a recently emerged ransomware strain named ‘Big Head’ that may be spreading through malvertising that promotes fake Windows updates and Microsoft Word...

Cyber Security

A cybersecurity advisory issued Wednesday said that a major ransomware group had successfully exploited a previously unknown vulnerability in Progress Software’s MOVEit software. The...

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO