Experts warn of attacks using a new Linux variant of SFile ransomware

Pierluigi Paganini January 17, 2022

The operators of the SFile ransomware (aka Escal) have developed a Linux version of their malware to expand their operations.

SFile ransomware (aka Escal), has been active since 2020, it was observed targeting only Windows systems. Some variants of the ransomware append the English name of the target company to the filenames of the encrypted files.

Recently, the Chinese security firm Rising detected a Linux variant of the SFile ransomware that uses the RSA+AES algorithm mode.

“For example, the variant captured this time uses nuctech-gj0okyci (nuctech is the English name of Nuctech Technology Co., Ltd.) as the suffix name. Recently, Rising captured the Linux platform variant of the ransomware.” reads the analysis published by Rising.

Researchers at security firm ESET discovered an SFile ransomware variant supporting the FreeBSD platform that was used in attacks against a partially state-owned company in China.

“The SFile ransomware uses the Mbed TLS library, RSA-2048 and AES-256 algorithms for file encryption. The ransomware does not have its own portal; the attackers communicate with victims via email” reported ESET.

Attacks with the new variant were also confirmed by The Record with MalwareHunterTeam. The ransomware was involved in targeted attacks against corporate and government networks.

Experts pointed out that the Linux version of the SFile ransomware implements a few improvements, the most interesting one is the ability to encrypt files based on their creation/access date. The principle is simple, according to the authors of the malware, recent files may be more important for some victims and typically they are not included in recent backups.

“According to MalwareHunterTeam, the most interesting of these was the ability to encrypt files based on a time range—as a way to encrypt recent files, which may be of more importance for some victims, and typically not included in recent backups.” reported The Record.

The Record pointed out that as early January, the number of SFile ransomware infections is still very small.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment