Pierluigi Paganini
October 29, 2021
ESET researchers discovered a new Hive ransomware variant that was specifically developed to encrypt Linux and FreeBSD. Researchers at the cybersecurity firm believe that the new encryptors are still under development.
Both variants are written in Golang, but the strings, package names and function names have been obfuscated.
#ESETresearch has identified Linux and FreeBSD variants of the #Hive #Ransomware. Just like the Windows version, these variants are written in #Golang, but the strings, package names and function names have been obfuscated, likely with gobfuscate. 1/6 pic.twitter.com/dBw0E5pj6r
— ESET Research (@ESETresearch) October 29, 2021
The Linux variant seems to be affected by some bugs, the researchers noticed that the encryption process does not work when the malware is executed with an explicit path.
Unlike the Windows variant of the ransomware that supports up to 5 execution options, the new Linux and FreeBSD variants only support one command line parameter (-no-wipe).
According to ESET, Linux version of the Hive ransomware also fails to trigger the encryption if it is not executed with root privileges.
The malware also tries to write the ransom note and key information file to the filesystem root, so unless executed with root privileges, it fails and the encryption is not even triggered. These facts lead us to believe that the Linux variant is still in development phase. 5/6 pic.twitter.com/tuwQKJpFml
— ESET Research (@ESETresearch) October 29, 2021
In August, The Federal Bureau of Investigation (FBI) released a flash alert on the Hive ransomware attacks that includes technical details and indicators of compromise associated with the operations of the gang.
The Hive gang has been active since June 2021, it implements a Ransomware-as-a-Service model and employs a wide variety of tactics, techniques, and procedures (TTPs). Government experts state that the group uses multiple mechanisms to compromise networks of the victims, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol (RDP) to move laterally once on the network.
In order to facilitate file encryption, the ransomware look for processes associated with backups, anti-virus/anti-spyware, and file copying and terminates them. The Hive ransomware adds the .hive extension to the filename of encrypted files.
According to the experts, Hive operators have already hit tens of organizations and the discovery of a Linux variant demonstrates that the gang is expanding its operations.
Follow me on Twitter: @securityaffairs and Facebook
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, ransomware)
[adrotate banner=”5″]
[adrotate banner=”13″]
