The Hive ransomware group that has been active since mid-2021 reportedly encrypts Linux and FreeBSD with new malware versions designed exclusively for these platforms. 

The Slovak internet security firm ESET revealed that Hive's new encryptors have been under development and require more functionality. During ESET's examination, the Linux edition also turned out to be largely unstable, with encryption collapsing whenever the malware was executed with an explicit route. 

Allowing for a single command-line argument (-no-wipe); Hive's Windows ransomware, on the other hand, has up to five implementation choices, including stopping programs and bypassing disc cleaning, irrelevant data, and older files. 

The Linux variant of the ransomware likewise fails to encrypt when performed without root access since it tries to dump the ransom note on the root file systems of infected computers. "Just like the Windows version, these variants are written in Golang, but the strings, package names, and function names have been obfuscated, likely with gobfuscate," ESET Research Labs said. 

Hive has already infiltrated over 30 organizations, not including victims who declined to pay a ransom. They were amongst several ransomware organizations that have started attacking Linux servers as their business targets gradually shifted to virtual servers for better device management and much more effective resource utilization. Ransomware operators may encode numerous servers with just a single command by targeting virtual machines. 

Security experts eventually identified HelloKitty and BlackMatter ransomware Linux encryptors in the wild in July and August, validating Wosar's claim. 

One month later, it was revealed that a few of these Linux malware variants are also defective and may corrupt victims' data during encryption. Moreover, Snatch and PureLocker ransomware organizations have already employed Linux versions in their attacks.