Hive ransomware was first observed in the June of 2021. The ransomware group majorly targeted the Healthcare sector and uses several platforms like EXSi, Linux, hypervisors, and Windows. Hive used Goland for their ransomware. The ransomware possesses the capability to move laterally within the victim organization and escalate privileges to encrypt and steal data. The group uses phishing emails to lure the victims.
Researcher rivitna recently found that Hive’s new feature set now resembles that of BlackCat/ALPHV. In case of a ransomware attack, the victim is urged by the threat actor to communicate via a given link. This link contains information on the ongoing negotiations. However, if a malware sample is uploaded on a malware analysis service, security researchers can find these links and tap the communications. The BlackCat group prevented this from happening by removing Tor negotiations URLs from their encryptors. Hive has followed suit and now “requires the attacker to supply the username and login password as a command-line argument when launching the malware.”
Another way in which Hive has copied BlackCat is by shifting from Golang to the Rust programming language.