The Hive ransomware gang now also encrypts Linux and FreeBSD using new variants designed specifically for these platforms. Slovak cybersecurity company ESET, which discovered the new variants, says the new crypters are still under development and still lack functionality.
The Linux variant also proved to be quite problematic during ESET’s analysis, with encryption failing completely when the malware was executed, with an explicit path. It also comes with support for a single command-line parameter (-no-wipe). In contrast, the Windows variant comes with up to five execution options, including processes of erasing and skipping disk cleanup, uninteresting files, and older files.
The Linux version of the ransomware also fails to trigger encryption if run without root privileges (user with unlimited privileges) because it tries to drop the ransom note on root file systems of compromised devices.
“Like the Windows version, these variants are written in Golang, but the strings, package names and function names have been obfuscated, probably with gofuscate,” said ESET Research Labs.
Hive has been a ransomware group active since at least June and has reached over 30 organizations, counting only victims who refused to pay the ransom. It is one of many ransomware gangs that began targeting Linux servers after their business targets slowly migrated to virtual machines to facilitate device management and more efficient use of resources.