The ransomware group “Hive” has developed a new type of malware that has been developed to target Linux and FreeBSD, and has been found to encrypt Linux and FreeBSD as well.
ESETresearch has identified Linux and FreeBSD variants of the Hive ransomware. like the Windows version, these variants are written in Golang, but the strings, package names, and function names are obfuscated using gobfuscate. Like the Windows version, these variants are written in Golang, but the strings, package names, and function names are obfuscated using gobfuscate.
As Internet security firm ESET has discovered, Hive’s new attack tool is still under development and not yet fully functional.
ESET’s analysis revealed that this Linux version had a significant bug that caused the encryption to fail completely when the malware was run with an explicit path.
Although it also only supports one command line parameter (-no-wipe), Hive’s Windows ransomware provides up to five execution options, including killing processes, cleaning the disk, and skipping uninteresting or old files.
In addition, the Linux version of this ransomware will try to drop a ransom note on the root file system of the infected device, which will fail to trigger encryption if run without root privileges.
Ransomware Group Becomes Interested in Linux Servers
Hive is a ransomware group that has been active since June 2021, and counting only the victims who refused to pay the ransom, more than 30 organizations have already been affected.
They are one of the many ransomware groups that started targeting Linux servers after enterprise targets gradually migrated to virtual machines for easier device management and more efficient use of resources.
By targeting virtual machines, ransomware groups are able to encrypt multiple servers at once with a single command.
In June 2021, a new ransomware “R Evil” encryption tool for Linux was discovered that was designed to target VMware ESXi virtual machines, a popular enterprise virtual machine platform.
Fabian Wosar, CTO of Emsisoft, said that other ransomware groups such as Babuk, RansomExx/Defray, Mespinoza, GoGoogle, DarkSide and Hellokitty have also created their own Linux encryption tools that they have created their own Linux encryption tools.
The reason why most ransomware groups have implemented Linux-based ransomware is to specifically target ESXi
This prediction turned out to be true, as we were able to confirm that the Linux encryption tools in the HelloKitty and BlackMatter ransomware were indeed in use in July and August 2021.
And it turns out that some of these Linux malware also have a bug that can damage the victim’s files during encryption.
In the past, Linux variants were also used in the Snatch and PureLocker ransomware attacks.