The Hive ransomware has been upgraded to target Linux and FreeBSD systems, researchers at Slovak cybersecurity firm ESET have discovered.
“Just like the Windows version, these variants are written in Golang, but the strings, package names and function names have been obfuscated, likely with gobfuscate,” ESET said in a series of tweets.
The researchers believe that Hive's new encryptors are still in development and lack some functionality, as the Linux variant examined by ESET appeared to be quite buggy. During the analysis they found that the encryption process does not work when the malware is executed with an explicit path.
Unlike the Windows variant, which supports up to five execution options, the Linux version supports only one command line parameter (-no-wipe). ESET also noticed that the malware tries to write the ransom note and key information to the filesystem root, so unless it is executed with root privileges that write fails and encryption is not even triggered.
First spotted in June 2021, the Hive ransomware relies on a variety of tactics, techniques, and procedures (TTPs) in order to breach enterprise networks, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol (RDP) to move laterally once on the network.
In August, the Federal Bureau of Investigation (FBI) released a flash alert providing some technical details and Indicators of Compromise (IoCs) associated with the Hive ransomware.