Experts warn of attacks using a new Linux variant of SFile ransomware

The operators of the SFile ransomware (aka Escal) have developed a Linux version of their malware to expand their operations.

SFile ransomware (aka Escal), has been active since 2020, it was observed targeting only Windows systems. Some variants of the ransomware append the English name of the target company to the filenames of the encrypted files.

Recently, the Chinese security firm Rising detected a Linux variant of the SFile ransomware that uses the RSA+AES algorithm mode.

“For example, the variant captured this time uses nuctech-gj0okyci (nuctech is the English name of Nuctech Technology Co., Ltd.) as the suffix name. Recently, Rising captured the Linux platform variant of the ransomware.” reads the analysis published by Rising.

Researchers at security firm ESET discovered an SFile ransomware variant supporting the FreeBSD platform that was used in attacks against a partially state-owned company in China.

“The SFile ransomware uses the Mbed TLS library, RSA-2048 and AES-256 algorithms for file encryption. The ransomware does not have its own portal; the attackers communicate with victims via email” reported ESET.

Attacks with the new variant were also confirmed by The Record with MalwareHunterTeam. The ransomware was involved in targeted attacks against corporate and government networks.

Experts pointed out that the Linux version of the SFile ransomware implements a few improvements, the most interesting one is the ability to encrypt files based on their creation/access date. The principle is simple, according to the authors of the malware, recent files may be more important for some victims and typically they are not included in recent backups.

“According to MalwareHunterTeam, the most interesting of these was the ability to encrypt files based on a time range—as a way to encrypt recent files, which may be of more importance for some victims, and typically not included in recent backups.” reported The Record.

The Record pointed out that as early January, the number of SFile ransomware infections is still very small.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.