Uptycs researchers recently discovered a new Linux ransomware that appears to be under active development.
Uptycs Threat Research team has recently observed an Executable and Linkable Format (ELF) ransomware that encrypts the files in Linux systems based on the given folder path. We found that the deleted README note exactly matches the DarkAngels ransomware README note (see Figure 1). DarkAngels ransomware was first seen in May this year when its variants targeted Windows systems. The ELF file we found ourselves is new, but the onion link found in the ransomware binary appears to be down, suggesting that this new Linux-targeted ransomware may still be in development.
Figure 1: DarkAngels ransomware README
The ransomware binary for the observed ELF version (hash: 3b56cea72e8140a7044336933cf382d98dd95c732e5937a0a61e0e7296762c7b) requires a folder as an argument for encryption in the victim system. Once the folder path is specified, it starts encrypting the files present in the folder. The extension used by the attacker is .crypted (see Figure 2).
Figure 2: DarkAngels ransomware in action
The binary uses the pthread_create function to create a new thread. The pthread_create() function starts a new thread in the calling process. The new thread starts execution by calling start_routine()(FUN_0041cf55) (see Figure 3).
Figure 3: pthread usage inside the ransomware binary
The start_routine()(FUN_0041cf55) function (see Figure 4) performs the following steps to encrypt target files:
- Opens the target file and sets the write lock on it with fcntl().
- Closes the target file and then renames it to
- Opens another file with the name
.crypted.README_TO_RESTORE , writes the README content into it and closes it.
.crypted and writes the encrypted content into it with a combination of lseek and write call.
- Also, a list of all encrypted files is saved in a file named wrkman.log.0.
Figure 4: Inside the start_routine
Ransomware families targeting Linux systems or targeting multiple operating systems across platforms are not new. In the past, threat actors have expanded their ransomware campaigns to different operating systems to target more victims. DarkAngels ransomware appears to be still in the development phase with a clear goal of attacking Linux systems.
We may see some new features or improvements in this ransomware family in the future. Uptycs’ threat research team continuously monitors relevant malware campaigns to protect customers and inform the broader security community.
Uptycs researchers added YARA rules for this threat to their Uptycs EDR and shared the Indicator of Compromise on their website:
Follow me on Twitter: @Security questions and Facebook
(security matters – hacking, ransomware)