New Double-Extortion Ransomware Attacking Linux Machines

by Esmeralda McKenzie

Researchers at Symantec have identified a new Linux ransomware variant linked to a bilingual (English and Spanish) double-extortion ransomware group.

This emerging threat poses significant risks to organizations: it encrypts and exfiltrates sensitive files, then demands payment both for the decryption tool and for keeping the stolen data private.

Double-extortion ransomware is a particularly damaging form of attack in which the attackers both encrypt a victim's files and steal sensitive data before encryption.


This dual threat gives the criminals extra leverage when demanding payment. Unlike traditional ransomware attacks that involve only file encryption, the added threat of data exfiltration significantly increases the potential damage to organizations across all industries: good backups can restore the encrypted files, but they cannot undo a leak.


Ransomware Behavior

According to the Symantec report, the group's full modus operandi is not yet clear. The ransomware drops a ransom note at /root/README.txt and /user/[username]/README.txt, instructing victims on the next steps.

It forcibly stops key processes and services, including PostgreSQL, MongoDB, MySQL, Apache2, Nginx, and PHP-FPM, so that encryption can proceed without interference from running daemons and the files they hold open.

Furthermore, /etc/motd is overwritten with the warning message "Your files have been stolen and encrypted. Read README.txt for more information.", so every user who logs in interactively sees the warning.

"Your files have been encrypted and downloaded to our servers.
Sus archivos han sido cifrados y descargados a nuestros servidores.
Decryption of your files is not possible without our decryption software.
El descifrado de sus archivos no es posible sin nuestro software de descifrado.
We have terabytes of your company data, including employee emails, employee passwords, and customer databases.
Tenemos terabytes de datos de su empresa, incluidos correos electrónicos de empleados, contraseñas de empleados y bases de datos de clientes.
To prevent the leaking of this data and to obtain the decryption software, contact us using one of these methods:
Para evitar la filtración de estos datos y obtener el software de descifrado, contáctenos utilizando uno de estos métodos:
Session (hxxps[:]//getsession[.]org) ID: [REMOVED]
hxxps[:]//getsession[.]org/blog/session-for-beginners"

The ransom note, written in English and Spanish, tells victims that their files have been encrypted and exfiltrated. It warns that decryption is not possible without the attackers' software, and it threatens to leak sensitive company data, including employee emails, passwords, and customer databases, unless the victim contacts the group through Session, a privacy-focused messaging app, using the ID given in the note.
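As an added example (this is not code from Symantec's report or from the article), the following Python triage script checks a Linux host, or a mounted disk image, for the three artefacts described above: a README.txt ransom note in /root and in every home directory listed in /etc/passwd (the article gives /user/[username]; reading /etc/passwd covers any layout), an /etc/motd overwritten with the "Your files have been stolen and encrypted" warning, and the database and web daemons the ransomware kills no longer being present in /proc. All paths are read relative to a prefix, so it also works on an offline image, where the process check is skipped. The process names in TARGET_PROCS are my assumed comm values, not identifiers from the report, and the sample filesystem tree built by build_sample_tree() is constructed for the demo, not real evidence.

```python
# Host triage for the Linux ransomware behaviour described in the article.
# Added example, not code from Symantec or the article; see the lead-in.
import os
import shutil
import sys
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Strings taken from the article's description of the motd and ransom note.
MOTD_MARKER = "your files have been stolen and encrypted"
NOTE_MARKERS = ("decryption of your files is not possible", "getsession.org")
# Assumed /proc/<pid>/comm names for the services the article says are stopped.
TARGET_PROCS = ("postgres", "mongod", "mysqld", "apache2", "nginx", "php-fpm")


@dataclass
class Findings:
    ransom_notes: List[str] = field(default_factory=list)
    motd_tampered: bool = False
    killed_services: Optional[List[str]] = None  # None when /proc is unavailable

    @property
    def suspicious(self) -> bool:
        return bool(self.ransom_notes) or self.motd_tampered


def _read(path: str, limit: int = 65536) -> str:
    """Return up to `limit` bytes of a file as text, or "" if it cannot be read."""
    try:
        with open(path, "rb") as fh:
            return fh.read(limit).decode("utf-8", "replace")
    except OSError:
        return ""


def home_dirs(prefix: str) -> List[str]:
    """/root plus every home directory listed in <prefix>/etc/passwd."""
    homes = {os.path.join(prefix, "root")}
    for line in _read(os.path.join(prefix, "etc", "passwd")).splitlines():
        fields = line.split(":")
        if len(fields) >= 6 and fields[5].startswith("/"):
            homes.add(os.path.join(prefix, fields[5].lstrip("/")))
    return sorted(homes)


def find_ransom_notes(prefix: str) -> List[str]:
    """README.txt files whose content matches the note the article describes."""
    hits = []
    for home in home_dirs(prefix):
        note = os.path.join(home, "README.txt")
        text = _read(note).lower()
        if any(marker in text for marker in NOTE_MARKERS):
            hits.append(note)
    return hits


def motd_tampered(prefix: str) -> bool:
    return MOTD_MARKER in _read(os.path.join(prefix, "etc", "motd")).lower()


def running_comms(prefix: str) -> Optional[Set[str]]:
    """Set of /proc/<pid>/comm values, or None if /proc is absent (offline image)."""
    proc = os.path.join(prefix, "proc")
    if not os.path.isdir(proc):
        return None
    return {_read(os.path.join(proc, pid, "comm")).strip()
            for pid in os.listdir(proc) if pid.isdigit()}


def killed_services(prefix: str) -> Optional[List[str]]:
    """Target daemons with no running process; compare against what the host should run."""
    comms = running_comms(prefix)
    if comms is None:
        return None
    return [p for p in TARGET_PROCS if not any(c.startswith(p) for c in comms)]


def scan(prefix: str = "/") -> Findings:
    return Findings(find_ransom_notes(prefix), motd_tampered(prefix), killed_services(prefix))


def build_sample_tree(base: str, infected: bool) -> None:
    """Constructed mini root filesystem for demo(); made-up content, not real evidence."""
    def put(rel: str, text: str) -> None:
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    put("etc/passwd", "root:x:0:0:root:/root:/bin/bash\n"
                      "alice:x:1000:1000::/home/alice:/bin/bash\n"
                      "www-data:x:33:33::/var/www:/usr/sbin/nologin\n")
    running = ["sshd"] if infected else ["sshd", *TARGET_PROCS]
    for pid, comm in enumerate(running, start=100):
        put(f"proc/{pid}/comm", comm + "\n")
    if infected:
        note = ("Your files have been encrypted and downloaded to our servers.\n"
                "Decryption of your files is not possible without our decryption software.\n"
                "Session (hxxps://getsession.org) ID: [REMOVED]\n")
        put("root/README.txt", note)
        put("home/alice/README.txt", note)
        put("etc/motd", "Your files have been stolen and encrypted. Read README.txt for more information.\n")
    else:
        put("etc/motd", "Welcome.\n")


def demo(infected: bool = True) -> Findings:
    """Scan a constructed tree in a temporary directory and return the findings."""
    base = tempfile.mkdtemp(prefix="triage-")
    try:
        build_sample_tree(base, infected)
        return scan(base)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    result = scan(sys.argv[1] if len(sys.argv) > 1 else "/")
    print("ransom notes:   ", result.ransom_notes)
    print("motd tampered:  ", result.motd_tampered)
    print("killed services:", result.killed_services)
    print("suspicious:     ", result.suspicious)
```

Run it as root on a live host (`python3 triage.py`) or point it at a mounted image (`python3 triage.py /mnt/evidence`). The README and motd checks are the strong signals; killed_services simply lists every target daemon that is not running, so on a host that never ran PostgreSQL or MongoDB those entries are expected, and the list should be compared against what the host is supposed to run (for example the output of `systemctl list-units --type=service --state=running`).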

Symantec classifies this threat as Ransom.Gen and states that its Data Center Security (DCS) products provide protection against it.

Recommendations for Organizations

Organizations are advised to:

  1. Deploy security solutions: Use comprehensive endpoint and server security controls to guard against ransomware threats.
  2. Regular backups: Maintain regular backups of critical data, stored where ransomware running on the network cannot reach them, so that systems can be restored without paying a ransom.
  3. Employee training: Educate staff to recognize phishing attempts and other common ransomware delivery methods.
  4. Network segmentation: Segment networks to limit the spread of ransomware in the event of an infection.

Source credit : cybersecuritynews.com
