BlackCat Ransomware Switched from Go to Rust
fliptop writes:
Microsoft security researchers have discovered new variants of the one-year-old Hive ransomware that was written in the Go programming language but has been re-written in Rust:
Hive emerged in June 2021 and was spotlighted by the FBI in an alert two months later. In November, European electronics retail giant MediaMarkt also got stung by Hive. It's another ransomware-as-a-service (RaaS) double-extortion gang that has recently been targeting vulnerable Microsoft Exchange Servers, vulnerable RDP servers, compromised VPN credentials, and phishing to deploy their ransomware and steal leak-worthy information.
Hive's Rust migration has been underway for a few months as it adopted lessons from BlackCat ransomware, which is also written in Rust. Via BleepingComputer, Group-IB researchers in March found that Hive had converted its Linux encryptor (for targeting VMware ESXi servers) to Rust to make it harder for security researchers to spy on its ransom talks with victims.
Microsoft's analysis indicates that Hive's Rust rewrite is much more comprehensive, but backs up the importance of the change to its encryption methods noted in March.
[...] "Instead of embedding an encrypted key in each file that it encrypts, it generates two sets of keys in memory, uses them to encrypt files, and then encrypts and writes the sets to the root of the drive it encrypts, both with .key extension," Microsoft notes.
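The key-file behavior quoted above leaves a detectable artifact: one process creating two `.key` files directly in the root of a drive. The following is an added example of that detection, not code from Microsoft or from the original post; the event schema (`pid`, `image`, `path`) and every sample value are constructed assumptions.

```python
# Added example: flag processes that create two or more *.key files directly
# in the root of a drive. Event schema and sample values are constructed.
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed file-creation events (e.g. normalized from Sysmon Event ID 11).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Users\Public\sample.exe", "path": r"C:\aaaa.key"},
    {"pid": 4120, "image": r"C:\Users\Public\sample.exe", "path": r"C:\bbbb.key"},
    {"pid": 4120, "image": r"C:\Users\Public\sample.exe", "path": r"D:\cccc.key"},
    {"pid": 988, "image": r"C:\Program Files\App\app.exe",
     "path": r"C:\ProgramData\App\license.key"},
    {"pid": 2210, "image": r"C:\Windows\System32\certutil.exe", "path": r"C:\export.key"},
    {"pid": 4120, "image": r"C:\Users\Public\sample.exe", "path": r"C:\Users\a\doc.txt"},
]


def is_root_key_file(path: str) -> bool:
    """True when the path is <drive>\\<name>.key, i.e. sits directly in a drive root."""
    p = PureWindowsPath(path)
    return (
        p.drive != ""
        and p.root != ""  # rejects drive-relative paths such as "C:x.key"
        and p.parent == PureWindowsPath(p.anchor)
        and p.suffix.lower() == ".key"
    )


def find_root_key_drops(events, min_files=2):
    """Group root-level .key creations by (pid, image, drive) and return the
    groups holding at least min_files distinct files."""
    groups = defaultdict(set)
    for ev in events:
        if is_root_key_file(ev["path"]):
            drive = PureWindowsPath(ev["path"]).drive.upper()
            groups[(ev["pid"], ev["image"], drive)].add(ev["path"].lower())
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_files}


if __name__ == "__main__":
    for (pid, image, drive), files in find_root_key_drops(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} image={image} drive={drive} files={files}")
```

A single root-level `.key` file (the `certutil.exe` event) stays below the threshold, which keeps one-off key exports from alerting.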