Researchers have identified Linux and FreeBSD variants of the Hive ransomware that security experts say demonstrates how these type of threat actors are moving into other operating systems and are looking to attack cloud apps.
In a tweet on Friday, the ESET researchers posted that just like the Windows version, the Linux and FreeBSD variants are written in Golang, but the strings, package names, and function names have been obfuscated, likely with gobfuscate, which lets developers compile a Go binary from obfuscated source code.
This new discovery from ESET clearly shows that attackers are thinking about Linux and cloud environments, many of which operate on Linux, said John Bambenek, principal threat hunter at Netenrich.
“It is not uncommon that buggy versions of malware are found in the wild, especially when there’s a platform shift,” Bambenek said. “However, since Linux systems tend to be more public facing, it's likely that the attackers are thinking of ways to truly impact the bottom-lines of victims to increase the incentive to pay.”
Chuck Everette, director of cybersecurity advocacy at Deep Instinct, added that it’s not surprising that ransomware has evolved to now include other operating systems such as Linux, Mac iOS, and VMware ESXi. Everette said while operating systems such as Linux and Mac are now being regularly targeted by cybercriminal gangs, Microsoft Windows operating systems are still the attack vector of choice for the vast majority of all the attacks because of the sheer number of Windows systems compared with other operating systems.
“However, as more organizations embrace the digital transformation and migrate from their secure data centers to the cloud, the threat landscape continues to grow with that migration, Everette said. “Cloud applications that are now running on non-Windows operating systems such as Linux, are also under attack from these cyber criminals. For many years, Linux was thought to be a safe haven from common malware and ransomware attacks due to a smaller percentage of organizations utilizing it. However, that has finally changed with cyber criminals expanding their attacks into new operating systems spaces."
Having a ransomware variant that can encrypt Linux systems greatly expands the scope of devices and data a ransomware group can attack, said Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows. Morgan said while the Linux version of the Hive ransomware has reportedly been malfunctioning, Hive will undoubtedly continue to develop this malware because of the additional opportunities it could provide.
“Other ransomware groups, which include REvil and RansomEXX, have been reportedly targeting Linux systems, often with the aim of disabling backup servers,” Morgan said. “By removing a targeted company's ability to restore affected systems, Hive will likely be able to greatly increase their chances of receiving a ransom payment.”
Caleb Stewart, security researcher at Huntress, said the original ransomware was written in Golang, which is inherently cross-platform, so the bulk of the encryption code would need minimal modification to run in a Linux environment. Stewart said the samples from the ESET research appear to be early "alpha" or "beta" versions that are not yet fully featured.
“This makes sense as the other options available in the original Hive ransomware were things like processes or services to kill/stop, which are specific to the operating system,” Stewart said. “Moreover, services on Linux can be different depending on OS distribution, so killing a service can be complex if a team requires support across multiple distributions and versions.”
