Hive Ransomware Targets Linux: Bugs, New Features, and Industry Shift

ESET, a Slovak internet security firm, reported that the Hive ransomware group has started targeting Linux and FreeBSD platforms, releasing new malicious variants for encryption, although the new encryption engine still lacks some functionality.

Analysis revealed a critical bug in the Linux version: when the malware is executed via an explicit path, the encryption process fails entirely.

The Linux variant automatically supports a single command‑line argument ( -no-wipe), whereas the Windows version offers up to five execution options such as terminating processes or skipping disk cleanup.

Without root privileges the Linux ransomware cannot trigger encryption because it attempts to delete the ransom note on the root filesystem.

ESET’s lab noted that, like the Windows version, the Linux binaries are written in Go but heavily obfuscated—likely using the gobfuscate tool—to hide strings, package names and function identifiers.

These developments reflect a broader shift of ransomware operators toward Linux servers. Since at least June 2021 Hive has attacked more than 30 organisations, and many other groups—including REvil, Babuk, RansomExx/Defray, Mespinoza, GoGoogle, DarkSide, Hellokitty, Snatch, PureLocker, HelloKitty and Blackmate—have also deployed Linux encryptors, often targeting VMware ESXi virtual machines.

Researchers observe that many of these Linux variants contain bugs that can corrupt victim files during encryption, confirming the trend that ransomware gangs are increasingly focusing on virtualized Linux environments.