The Hive ransomware group has ported its VMware ESXi Linux encryptor to the Rust programming language and added features that make it harder for security researchers to eavesdrop on victims' ransom negotiations. As businesses become increasingly dependent on virtual machines to conserve hardware, consolidate servers, and simplify backups, ransomware gangs are building encryptors that specifically target these platforms.
Because VMware ESXi is the most widely deployed virtualization platform in enterprises, ransomware gangs' Linux encryptors usually target it. Hive has been targeting VMware ESXi systems with a Linux encryptor for some time. However, a new sample shows that the gang has modified its encryptor with capabilities first seen in the BlackCat/ALPHV ransomware operation.
When ransomware attacks a target, the attackers try to negotiate in secret, warning victims that their data will be leaked, with the reputational damage that entails, if the ransom is not paid. When ransomware samples are uploaded to public malware analysis platforms, security researchers can often extract the ransom note and eavesdrop on those negotiations. In many cases the negotiations are then made public on Twitter and elsewhere, derailing them.
To avoid this, the BlackCat ransomware group removed the Tor negotiation URL from its encryptor. Instead, the URL must be passed as a command-line argument when the encryptor is run. Because the URL is not contained in the executable and is only supplied at run time, a researcher who obtains the sample cannot recover it from the file alone. Hive's Tor negotiation page has always required a username and password, but those credentials were previously stored in the encryptor executable, making them easy to recover. According to a new Hive Linux encryptor discovered by Group-IB security researcher rivitna, the Hive operation now requires the attacker to supply the username and login password as command-line arguments when executing the malware. By copying BlackCat's technique, Hive has made it far harder to recover negotiation login credentials from its Linux samples: the credentials now appear only in the ransom notes dropped after an attack.
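The practical consequence of the change above is that a strings-style pass over the binary no longer yields the negotiation URL or login, but the values still exist elsewhere: on the process command line at run time (which auditd EXECVE records or any EDR capturing execve arguments will log) and in the dropped ransom note. The following Python is an added example, not Hive's, BlackCat's, or the article's code, that contrasts the two recovery paths. The sample "binary" images, the auditd record, the ransom-note layout, and the -u/-p flag names are all constructed for illustration; the article does not give the real flag names or note format.

```python
"""Added example (not Hive's or BlackCat's code, and not from the article):
triage helpers showing why run-time-only credentials defeat static
extraction, and where a Linux responder can still recover them."""
import re

# Tor v2 (16-char) and v3 (56-char) onion hostnames with an optional path.
ONION_RE = re.compile(rb"\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion(?:/[\w./?=&-]*)?")
# "login: x" / "password: y" strings, NUL- or whitespace-terminated.
LOGIN_RE = re.compile(rb"(login|password):\s*([^\x00\s]+)")
# auditd EXECVE argument fields: aN="..." or, for args auditd hex-encodes, aN=HEX.
ARG_RE = re.compile(r'\ba(\d+)=(?:"((?:[^"\\]|\\.)*)"|([0-9A-Fa-f]+))')


def find_onion_urls(image: bytes) -> list[str]:
    """Static check: .onion URLs embedded in a file image (a strings-style pass)."""
    return sorted({m.decode("ascii") for m in ONION_RE.findall(image)})


def find_login_strings(data: bytes) -> dict[str, str]:
    """Static check: login/password strings embedded in a file image or ransom note."""
    return {k.decode("ascii"): v.decode("ascii", "replace") for k, v in LOGIN_RE.findall(data)}


def argv_from_execve(record: str) -> list[str]:
    """Rebuild argv from one auditd EXECVE record (aN fields, in order)."""
    args = {}
    for idx, quoted, hexed in ARG_RE.findall(record):
        args[int(idx)] = quoted if quoted else bytes.fromhex(hexed).decode("utf-8", "replace")
    return [args[i] for i in sorted(args)]


def credentials_from_argv(argv: list[str], user_flag: str = "-u", pass_flag: str = "-p") -> dict[str, str]:
    """Pull negotiation credentials off a captured command line.  The flag names
    are a hypothetical default, not Hive's; pass the sample's real ones."""
    creds = {}
    for flag, key in ((user_flag, "login"), (pass_flag, "password")):
        if flag in argv and argv.index(flag) + 1 < len(argv):
            creds[key] = argv[argv.index(flag) + 1]
    return creds


# Constructed stand-ins for two sample images (not real Hive binaries): the
# old style embeds the negotiation URL and login, the new style carries neither.
OLD_STYLE_IMAGE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 16
    + b"http://hivesampleaaaabbbbccccddddeeeeffffgggghhhhiiiijjjjkkkkll.onion/login\x00"
    + b"login: victim-4711\x00password: Zq8!pTn2\x00"
)
NEW_STYLE_IMAGE = b"\x7fELF\x02\x01\x01" + b"\x00" * 16 + b"encrypting vmfs volume\x00.vmdk\x00"

# Constructed auditd EXECVE record; the -u/-p flags are an assumption, the
# article does not say what the real sample's flags are called.
EXECVE_RECORD = (
    'type=EXECVE msg=audit(1654012345.678:4242): argc=5 a0="/tmp/encryptor" '
    'a1="-u" a2="victim-4711" a3="-p" a4="Zq8!pTn2"'
)

# Constructed ransom-note fragment; the real note's layout is not on the page.
RANSOM_NOTE = (
    "Your network has been breached and all data were encrypted.\n"
    "To contact us use the Tor chat:\n"
    "  http://hivesampleaaaabbbbccccddddeeeeffffgggghhhhiiiijjjjkkkkll.onion/\n"
    "  login: victim-4711\n"
    "  password: Zq8!pTn2\n"
)


def triage() -> dict:
    """Run every recovery path over the constructed samples."""
    return {
        "old_sample_urls": find_onion_urls(OLD_STYLE_IMAGE),
        "old_sample_creds": find_login_strings(OLD_STYLE_IMAGE),
        "new_sample_urls": find_onion_urls(NEW_STYLE_IMAGE),      # nothing to find
        "new_sample_creds": find_login_strings(NEW_STYLE_IMAGE),  # nothing to find
        "from_execve": credentials_from_argv(argv_from_execve(EXECVE_RECORD)),
        "from_note": find_login_strings(RANSOM_NOTE.encode()),
    }


if __name__ == "__main__":
    for source, found in triage().items():
        print(f"{source}: {found}")
```

Against the old-style image both static checks succeed; against the new-style image both return nothing, which is exactly the effect the change is meant to have. The same credentials are still recoverable from the execve record and from the note, so a responder who wants them should make sure execve argument logging is enabled on Linux hosts before an incident, and should preserve the ransom note rather than only the binary.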
It is unclear whether Hive's Windows encryptors use this new command-line argument yet, but if they do not, it will most likely be added soon. According to rivitna, Hive has also followed BlackCat in porting its Linux encryptor from Go to Rust, which makes the samples more efficient and harder to reverse engineer.
“Rust allows [you] to get safer, fast, and efficient code, while code optimization complicates analysis of Rust programs,” rivitna said in a chat on Twitter.
With encryption of VMware ESXi virtual machines being such an important part of a successful attack, ransomware developers keep refining their code, not only to make it more efficient but also to keep their activities and negotiations secret. As more enterprises virtualize their servers, ransomware authors will continue to target Windows devices alongside dedicated Linux encryptors for ESXi. Security teams and network administrators should therefore monitor their Linux servers and ESXi hosts for indicators of attack.