According to government experts, Hive operators have breached tens of organizations, and the discovery of a Linux variant shows that the group is expanding its operations. The group uses a variety of methods to compromise victims’ networks, including phishing emails with malicious attachments to gain initial access and Remote Desktop Protocol (RDP) to move laterally once on the network.
In August, the Federal Bureau of Investigation (FBI) released a flash alert on the Hive ransomware attacks that includes technical details and indicators of compromise associated with the operations of the gang.

To facilitate file encryption, the ransomware searches for and terminates processes associated with backups, anti-virus/anti-spyware, and file copying. The Hive ransomware appends the .hive extension to encrypted files’ filenames.
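The renamed-file behaviour described above gives responders a cheap triage signal. The following script is an added example, not code from the article or from ESET: it walks a directory tree, reports per directory how many files carry the .hive suffix, recovers the original names by stripping that suffix, and records the modification-time window of the hits as a rough bound on when encryption ran. The directory layout and file names are constructed sample data.

```python
import os
import tempfile

# Extension the page reports Hive appends to each encrypted file's name.
HIVE_SUFFIX = ".hive"

def scan_for_hive(root):
    """Per directory under `root`: count of .hive-suffixed files, the original
    names recovered by stripping the suffix, and the mtime window of the hits
    (a rough bound on when encryption ran). Directories with no hits are omitted."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        hits = [f for f in files if f.endswith(HIVE_SUFFIX)]
        if not hits:
            continue
        mtimes = [os.path.getmtime(os.path.join(dirpath, f)) for f in hits]
        report[os.path.relpath(dirpath, root)] = {
            "encrypted": len(hits),
            "total": len(files),
            "originals": sorted(f[:-len(HIVE_SUFFIX)] for f in hits),
            "first_mtime": min(mtimes),
            "last_mtime": max(mtimes),
        }
    return report

def build_sample_tree(root):
    """Constructed sample tree (not real incident data): one share fully
    renamed, one partially, one untouched."""
    layout = {
        "finance": ["budget.xlsx.hive", "q3.pdf.hive"],
        "projects": ["plan.docx.hive", "notes.txt"],
        "public": ["readme.txt"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for name in names:
            with open(os.path.join(root, sub, name), "w") as fh:
                fh.write("placeholder\n")

def demo():
    """Build the sample tree in a temporary directory, scan it, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_for_hive(tmp)

if __name__ == "__main__":
    for path, info in sorted(demo().items()):
        print(f"{path}: {info['encrypted']}/{info['total']} encrypted, "
              f"originals={info['originals']}")
```

Point `scan_for_hive` at a mounted share or restored snapshot to get an inventory of affected original filenames before any recovery work starts.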
Both variants are written in Golang, but the strings, package names and function names have been obfuscated.
The Linux variant appears to be affected by bugs; the researchers discovered that the encryption process fails when the malware is executed with an explicit path.
Unlike the Windows variant, which has up to five execution options, the new Linux and FreeBSD variants only have one command line parameter (-no-wipe).
“It also only supports one command line parameter (-no-wipe), while the Windows variant supports up to 5 execution options. 4/6”
— ESET research (@ESETresearch) October 29, 2021