Threat Watch

Hive Ransomware Variant Encrypts Linux and FreeBSD

Researchers discovered a new Hive ransomware variant that encrypts Linux and FreeBSD hosts. An earlier analysis of the Windows variant had already given strong indications that the group could infect other operating systems; the latest research confirms it. “Just like the Windows version, these variants are written in #Golang, but the strings, package names and function names have been obfuscated, likely with gobfuscate,” ESET Research Labs stated. The Linux variant currently appears to be under development and not yet fully featured.

The research demonstrates that threat actors are following organizations into cloud environments, many of which run on Linux. The variant also targets VMware ESXi, a popular enterprise hypervisor rather than a virtual machine itself: by encrypting the hypervisor host, the operators can take down every virtual machine it runs with a single command. Windows nevertheless remains the primary target, since most organizations still run it.

ANALYST NOTES

IoCs:
Sample hashes (SHA-1):
Linux x86-64 ELF: 77D7614156607B68265B122FB35A1D408625CB96
FreeBSD x86-64 ELF: 10BD0F1D3122D6575E882BA8F025EB11B0A95B61

Ransom note: /4oEi_HOW_TO_DECRYPT.txt
Encrypted file pattern: *..21k5p

ESET detection names:
Linux/Filecoder.Hive.A trojan
FreeBSD/Filecoder.Hive.A trojan

Network indicator (defanged): 194.5.252[.]190
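The indicators above are only useful if someone actually sweeps for them. The following hunt script is an added example written for this page; it is not code from ESET, SC Magazine or the Hive analysis. It takes the two SHA-1 hashes, the ransom-note name, the encrypted-file pattern and the defanged IP from the list above and checks a directory tree and a set of log lines against them. Two generalisations are this example's own assumptions: any filename ending in _HOW_TO_DECRYPT.txt is treated as a ransom note (the 4oEi_ prefix is assumed to vary per victim), and any filename ending in .21k5p is treated as an encrypted file (the page's wildcard pattern suggests the extension is appended). The demo tree and log lines in demo_hunt() are constructed, not real samples.

```python
"""Hunt for the Hive Linux/FreeBSD IoCs listed on this page.

Added example, not ESET's or the article's code. Hashes, note name, extension
and IP are taken from the page's IoC list; the matching patterns are this
example's assumptions about how those indicators generalise across victims.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path
from typing import Iterable

# SHA-1 hashes of the two ELF samples from the page's IoC list (lower-cased).
IOC_SHA1 = {
    "77d7614156607b68265b122fb35a1d408625cb96",  # Linux x86-64 ELF
    "10bd0f1d3122d6575e882ba8f025eb11b0a95b61",  # FreeBSD x86-64 ELF
}
# Assumption: the "4oEi_" prefix of the ransom note varies; match the suffix.
NOTE_RE = re.compile(r"_HOW_TO_DECRYPT\.txt$")
# Assumption: ".21k5p" is appended to encrypted files (page lists "*..21k5p").
ENCRYPTED_EXT = ".21k5p"
# Defanged IP from the page, refanged for log matching.
IOC_IP = "194.5.252[.]190".replace("[.]", ".")


def sha1_of(path: Path) -> str:
    """Stream-hash a file so large binaries do not need to fit in memory."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_elf(path: Path) -> bool:
    """Only ELF binaries are worth hashing; the IoC hashes describe ELF files."""
    try:
        with path.open("rb") as f:
            return f.read(4) == b"\x7fELF"
    except OSError:
        return False


def hunt_filesystem(root, hashes=IOC_SHA1):
    """Walk root and return (reason, path) hits.

    reason is 'sample_hash', 'ransom_note' or 'encrypted_file'. Symlinks are
    skipped so a planted link cannot point the hunt outside root.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            if p.is_symlink():
                continue
            if NOTE_RE.search(name):
                hits.append(("ransom_note", str(p)))
            if name.endswith(ENCRYPTED_EXT):
                hits.append(("encrypted_file", str(p)))
            if is_elf(p) and sha1_of(p) in hashes:
                hits.append(("sample_hash", str(p)))
    return hits


def hunt_logs(lines: Iterable[str], ip: str = IOC_IP):
    """Return log lines mentioning the IoC IP as a whole address.

    The lookarounds stop 194.5.252.19 or 1194.5.252.190 from matching.
    """
    token = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
    return [ln for ln in lines if token.search(ln)]


def demo_hunt():
    """Run both hunts over a constructed tree and constructed log lines."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in ELF: its own hash is added to the IoC set so the
        # hash path is exercised without shipping a real sample.
        elf = Path(tmp, "suspicious")
        elf.write_bytes(b"\x7fELF" + b"\x00" * 60)
        Path(tmp, "4oEi_HOW_TO_DECRYPT.txt").write_text("constructed note\n")
        Path(tmp, "db.sql.4oEi.21k5p").write_bytes(b"\x00" * 16)
        Path(tmp, "README").write_text("benign\n")
        fs_hits = hunt_filesystem(tmp, hashes=IOC_SHA1 | {sha1_of(elf)})
    # Constructed log lines: one true hit, one near-miss prefix.
    log_lines = [
        "conn 10.0.0.5 -> 194.5.252.190:443 established",
        "conn 10.0.0.5 -> 194.5.252.19:443 established",
    ]
    return {"fs": fs_hits, "logs": hunt_logs(log_lines)}


if __name__ == "__main__":
    for reason, path in demo_hunt()["fs"]:
        print(reason, path)
    print(demo_hunt()["logs"])
```

Point hunt_filesystem at /, /tmp, /var and any ESXi datastore mounts, and feed hunt_logs firewall or proxy exports; a hash hit is conclusive, while note-name and extension hits are strong but rely on the assumed patterns, so confirm them by hand.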

Ransomware gangs will keep seeking new targets as organizations grow and shift platforms. As a first line of defense, all systems, Linux and FreeBSD hosts included, should be well managed and maintained.

Additional prevention measures include:
* Update software regularly.
* Remove single points of failure by backing up critical data and keeping copies on more than one kind of storage medium.
* Assign users the least privileges they need.
* Use network segmentation.
* Adopt a strong password policy.

https://www.scmagazine.com/news/cloud-security/hive-ransomware-group-extends-to-cloud-based-linux-variants