ESET found a variant of the Hive ransomware that encrypts Linux and FreeBSD

Pierluigi Paganini October 29, 2021

The Hive ransomware operators have developed a new variant of their malware that can encrypt Linux and FreeBSD.

ESET researchers discovered a new Hive ransomware variant that was specifically developed to encrypt Linux and FreeBSD. Researchers at the cybersecurity firm believe that the new encryptors are still under development.

Hive ransomware

Both variants are written in Golang, but the strings, package names and function names have been obfuscated.

The Linux variant seems to be affected by some bugs, the researchers noticed that the encryption process does not work when the malware is executed with an explicit path.

Unlike the Windows variant of the ransomware that supports up to 5 execution options, the new Linux and FreeBSD variants only support one command line parameter (-no-wipe).

According to ESET, Linux version of the Hive ransomware also fails to trigger the encryption if it is not executed with root privileges.

In August, The Federal Bureau of Investigation (FBI) released a flash alert on the Hive ransomware attacks that includes technical details and indicators of compromise associated with the operations of the gang.

The Hive gang has been active since June 2021, it implements a Ransomware-as-a-Service model and employs a wide variety of tactics, techniques, and procedures (TTPs). Government experts state that the group uses multiple mechanisms to compromise networks of the victims, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol (RDP) to move laterally once on the network.

In order to facilitate file encryption, the ransomware look for processes associated with backups, anti-virus/anti-spyware, and file copying and terminates them. The Hive ransomware adds the .hive extension to the filename of encrypted files. 

According to the experts, Hive operators have already hit tens of organizations and the discovery of a Linux variant demonstrates that the gang is expanding its operations.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment