Hive's Rust migration has been underway for a few months as it adopted lessons from BlackCat ransomware, which is also written in Rust. As BleepingComputer reported, Group-IB researchers found in March that Hive had converted its Linux encryptor (which targets VMware ESXi servers) to Rust to make it harder for security researchers to spy on its ransom talks with victims.
"The impact of these updates is far-reaching, considering that Hive is a RaaS payload that Microsoft has observed in attacks against organizations in the healthcare and software industries by large ransomware affiliates like DEV-0237."
Microsoft lists the main benefits of Rust over other languages, the same properties that make it one of the most desired languages among programmers, such as better memory safety and good cryptographic library support.
The benefits to Hive of moving to Rust, according to Microsoft, are:
- It offers memory, data type, and thread safety
- It has deep control over low-level resources
- It has a user-friendly syntax
- It has several mechanisms for concurrency and parallelism, thus enabling fast and safe file encryption
- It has a good variety of cryptographic libraries
- It is relatively more difficult to reverse-engineer
Microsoft found that the new ransom note differs from the one used in older variants. The new note instructs victims: "Do not delete or reinstall VMs. There will be nothing to decrypt" and "Do not modify, rename or delete *.key files. Your data will be undecryptable." The *.key files are the encrypted key files that Hive writes to the root of each drive it encrypts.
Microsoft reckons the most interesting change to Hive was the new cryptography mechanism, introduced in late February, a few days after researchers from Kookmin University in South Korea published the paper "A Method for Decrypting Data Infected with Hive Ransomware". Those researchers recovered 95% of the master key without Hive's RSA private key and then decrypted the data.
Hive also adopted a unique approach to file encryption.
"Instead of embedding an encrypted key in each file that it encrypts, it generates two sets of keys in memory, uses them to encrypt files, and then encrypts and writes the sets to the root of the drive it encrypts, both with .key extension," Microsoft notes.
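For responders, the two details above (encrypted key sets dropped as *.key files at the drive root, and the new note's wording) are the most usable triage artifacts. The following Python helper is an added example, not Microsoft's or Hive's code: it walks a directory standing in for a drive root, collects *.key files found directly at that root, and flags ransom notes containing the quoted phrases. The file names, the `.txt` note extension and the sample tree are constructed assumptions.

```python
import os
import tempfile
from dataclasses import dataclass, field

# Phrases quoted from the new variant's ransom note (from the article).
NEW_VARIANT_PHRASES = (
    "Do not delete or reinstall VMs",
    "Do not modify, rename or delete *.key files",
)

@dataclass
class TriageResult:
    root_key_files: list = field(default_factory=list)          # *.key files at the drive root
    notes_with_new_phrases: list = field(default_factory=list)  # notes matching the new wording

def triage_drive_root(root: str, note_suffix: str = ".txt") -> TriageResult:
    """Collect Hive-style artifacts under a (simulated) drive root.

    Assumption: the new variant writes its encrypted key sets as *.key files
    directly in the drive root, so *.key files in subdirectories are not flagged.
    """
    result = TriageResult()
    for entry in os.scandir(root):
        if entry.is_file() and entry.name.lower().endswith(".key"):
            result.root_key_files.append(entry.path)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(note_suffix):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if any(phrase in text for phrase in NEW_VARIANT_PHRASES):
                result.notes_with_new_phrases.append(path)
    return result

def build_constructed_sample() -> str:
    """Create a constructed sample tree mimicking the described layout (test data only)."""
    root = tempfile.mkdtemp(prefix="hive_triage_")
    for name in ("a1b2.key", "c3d4.key"):  # two key sets, as the article describes; names constructed
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(os.urandom(64))          # stand-in for encrypted key material
    os.makedirs(os.path.join(root, "vms"))
    with open(os.path.join(root, "vms", "HOW_TO_DECRYPT.txt"), "w") as fh:  # constructed note name
        fh.write("Do not delete or reinstall VMs. There will be nothing to decrypt.\n")
    with open(os.path.join(root, "vms", "readme.txt"), "w") as fh:
        fh.write("unrelated file\n")
    return root
```

Running `triage_drive_root(build_constructed_sample())` on the sample tree reports the two root-level key files and the one note carrying the new wording; on a real image, point `root` at the mounted drive root instead.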