According to a report by BleepingComputer, the Slovak security company ESET discovered that the Hive ransomware group has developed new encryptor variants that specifically target Linux and FreeBSD. However, these new Hive encryptors are still under development and lack functionality.
During its analysis, ESET found that the Linux version of the Hive ransomware has obvious bugs: when the malware is executed with an explicit path, encryption fails completely.
In addition, the Linux version supports only a single command-line parameter (-no-wipe). By contrast, Hive's Windows ransomware offers up to five execution options, such as killing processes, skipping disk cleaning, and skipping uninteresting or older files.
If executed without root privileges, the Linux version cannot trigger encryption at all, because it attempts to drop the ransom note on the root file system of the compromised device.
ESET Research Lab said: "Like the Windows version, these Linux variants are also written in Go, but the strings, package names, and function names are obfuscated, likely with the obfuscation tool gobfuscate."
Ransomware attacks begin to shift toward Linux servers
The Hive ransomware operation has been active since at least June 2021 and has attacked more than 30 organizations, a count that includes only victims who refused to pay the ransom.
However, Hive is only one of many ransomware groups that have started targeting Linux servers. By targeting virtual machine hosts, ransomware operators can encrypt multiple servers simultaneously with a single command.
As early as June of this year, researchers discovered a new Linux encryptor from the REvil ransomware operation, designed for VMware ESXi, a popular enterprise virtualization platform.
Fabian Wosar, CTO of the Austrian security software vendor Emsisoft, said in a media interview that other ransomware groups, such as Babuk, RansomExx/Defray, Mespinoza, GoGoogle, DarkSide, and HelloKitty, have also created their own Linux encryptors.
Wosar said: "Most ransomware groups implement Linux-based ransomware specifically for ESXi."
Previously, the Snatch and PureLocker ransomware operations have also used Linux variants in their attacks.
In July and August of this year, security researchers discovered the HelloKitty and BlackMatter Linux encryptors in the wild. A month later, further research showed that some of these Linux versions also contained bugs that could corrupt victims' files during encryption.
These findings bear out Wosar's statement above.