Chris Swagler | November 4th, 2021

Hive Ransomware

The Hive ransomware group has developed a new variant that specifically targets the Linux and FreeBSD operating systems. However, according to researchers at a cybersecurity firm, Hive's new encryptors are still in development and lack functionality. When the malware is executed with an explicit path, the Linux variant fails to complete the encryption process because of bugs.

Both Hive's Linux and FreeBSD variants support only one command line parameter (-no-wipe), whereas the Windows ransomware variant supports five execution options, including killing processes and skipping disk cleaning, uninteresting files, and older files. The Linux version also fails to carry out the encryption process when executed without root privileges, because it attempts to drop the ransom note in the root of the compromised device's file system. Researchers who observed the encryption process of Hive's new variant concluded that it is still under development.

Since June 2021, Hive has been operating as a Ransomware-as-a-Service (RaaS), hitting over 30 companies and publicly identifying only those victims that refused to pay the ransom. The group uses phishing emails with malicious attachments to gain access to victims' networks, then uses the Remote Desktop Protocol (RDP) to move laterally once inside. Before encrypting files, the ransomware searches for processes related to backups, antivirus or antispyware, and file copying, and terminates them.

Hive is one of many ransomware groups targeting Linux servers, often after companies transition to virtual machines for more efficient use of resources and easier device management. With a single command, ransomware operators can encrypt multiple servers at once when targeting virtual machines.

The Federal Bureau of Investigation (FBI) issued an alert in August regarding Hive ransomware attacks, including technical details and indicators of compromise related to the group's operations. The disclosure of Hive's Linux and FreeBSD variants suggests that the developers are actively invested in advancing this malware. It is also a reminder that companies should stay informed about the current threat landscape and complete a risk assessment to address their network's security vulnerabilities.

At SpearTip, our team of certified engineers continuously monitors your networks 24/7 at our three Security Operations Center locations for potential threats like those executed by the Hive ransomware group. With SpearTip’s ShadowSpear Platform, our endpoint detection and response tool, working in tandem with our Security Operations Center as a Service (SOCaaS), we can identify, neutralize, and counter potential ransomware threats like Hive before they can infiltrate any of your operating systems, including Linux and FreeBSD.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.