{
	"id": "162e8033-241c-4453-86a0-fd0e2c1b1de5",
	"created_at": "2026-04-06T00:16:47.188687Z",
	"updated_at": "2026-04-10T13:11:56.874053Z",
	"deleted_at": null,
	"sha1_hash": "4b7299333cbf286e0b0da21e2fec5d179a48aeee",
	"title": "Hive ransomware ports its Linux VMware ESXi encryptor to Rust",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3187022,
	"plain_text": "Hive ransomware ports its Linux VMware ESXi encryptor to Rust\r\nBy Lawrence Abrams\r\nPublished: 2022-03-27 · Archived: 2026-04-05 19:10:34 UTC\r\nThe Hive ransomware operation has converted its VMware ESXi Linux encryptor to the Rust programming language and added new features to make it harder for security researchers to snoop on victims' ransom negotiations.\r\nAs enterprises become increasingly reliant on virtual machines to save computing resources, consolidate servers, and simplify backups, ransomware gangs are creating dedicated encryptors that focus on these services.\r\nRansomware gangs' Linux encryptors typically target the VMware ESXi virtualization platform, as it is the most commonly used in the enterprise.\r\nhttps://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/\r\nPage 1 of 5\r\nWhile Hive has been using a Linux encryptor to target VMware ESXi servers for some time, a recent sample shows that they updated their encryptor with features first introduced by the BlackCat/ALPHV ransomware operation.\r\nHive borrows features from BlackCat\r\nWhen ransomware operations attack a victim, they try to conduct their negotiations in private, telling victims that if a ransom is not paid their data will be published and they will suffer a reputational hit.\r\nHowever, when ransomware samples are uploaded to public malware analysis services, they are commonly found by security researchers who can extract the ransom note and snoop on negotiations.\r\nIn many cases, these negotiations are then publicized on Twitter and elsewhere, causing negotiations to fail.\r\nThe BlackCat ransomware gang removed Tor negotiation URLs from their encryptor to prevent this from happening. Instead, it required the URL to be passed as a command-line argument when the encryptor is executed.\r\nThis feature prevents researchers who find the sample from retrieving the URL, as it is not included in the executable and is only passed to the executable at run time.\r\nWhile the Hive ransomware already requires a login name and password to access a victim's Tor negotiation page, these credentials were previously stored in the encryptor executable, making them easy to retrieve.\r\nHive Tor ransom negotiation site\r\nIn a new Hive Linux encryptor found by Group-IB security researcher rivitna, the Hive operation now requires the attacker to supply the user name and login password as command-line arguments when launching the malware.\r\nInstructions to Hive ransomware affiliates\r\nSource: rivitna\r\nBy copying BlackCat's tactics, the Hive ransomware operation has made it impossible to retrieve negotiation login credentials from Linux malware samples, with the credentials now only available in ransom notes created during the attack.\r\nRansomware expert Michael Gillespie told BleepingComputer that the Windows executables were also modified to require the credentials to be passed as a command-line argument during encryption.\r\nRivitna also told BleepingComputer that Hive continued to copy BlackCat by porting their Linux encryptor from Golang to the Rust programming language to make the ransomware samples more efficient and harder to reverse engineer.\r\n\"Rust allows to get safer, fast, and efficient code, while code optimization complicates analysis of Rust program,\" rivitna told BleepingComputer in a chat on Twitter.\r\nWith the encryption of VMware ESXi virtual machines a critical part of a successful attack, ransomware operations are constantly evolving their code not only to be more efficient, but also to keep their operations and negotiations secret.\r\nAs more businesses move to virtualization for their servers, we will continue to see ransomware developers not only focus on Windows devices, but also create dedicated Linux encryptors targeting ESXi.\r\nBecause of this, all security professionals and network admins need to pay close attention to their Linux servers to detect signs of attacks.\r\nUpdate 3/30/22: Added information about changes to Windows encryptors.\r\nSource: https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/"
	],
	"report_names": [
		"hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434607,
	"ts_updated_at": 1775826716,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4b7299333cbf286e0b0da21e2fec5d179a48aeee.pdf",
		"text": "https://archive.orkl.eu/4b7299333cbf286e0b0da21e2fec5d179a48aeee.txt",
		"img": "https://archive.orkl.eu/4b7299333cbf286e0b0da21e2fec5d179a48aeee.jpg"
	}
}