Experts warn of attacks using a new Linux variant of SFile ransomware

The operators of the SFile ransomware (aka Escal) have developed a Linux version of their malware to expand their operations.

SFile ransomware (aka Escal), has been active since 2020, it was observed targeting only Windows systems. Some variants of the ransomware append the English name of the target company to the filenames of the encrypted files.

Recently, the Chinese security firm Rising detected a Linux variant of the SFile ransomware that uses the RSA+AES algorithm mode.

“For example, the variant captured this time uses nuctech-gj0okyci (nuctech is the English name of Nuctech Technology Co., Ltd.) as the suffix name. Recently, Rising captured the Linux platform variant of the ransomware.” reads the analysis published by Rising.

.AFR-6fyvilv #Sfile #Ransomware
New Sample: 6E029B9B0A600CDC1E75A4F7228B332B pic.twitter.com/tB27dM8tjd

— dnwls0719 (@fbgwls245) January 9, 2022

Researchers at security firm ESET discovered an SFile ransomware variant supporting the FreeBSD platform that was used in attacks against a partially state-owned company in China.

“The SFile ransomware uses the Mbed TLS library, RSA-2048 and AES-256 algorithms for file encryption. The ransomware does not have its own portal; the attackers communicate with victims via email” reported ESET.

#ESETresearch discovered an SFile #ransomware variant for the FreeBSD platform, targeting a partially state-owned company in #China. It encrypts files with the following file extensions @cherepanov74 1/3 pic.twitter.com/miyIlH1IdI

— ESET research (@ESETresearch) December 21, 2021

Attacks with the new variant were also confirmed by The Record with MalwareHunterTeam. The ransomware was involved in targeted attacks against corporate and government networks.

Experts pointed out that the Linux version of the SFile ransomware implements a few improvements, the most interesting one is the ability to encrypt files based on their creation/access date. The principle is simple, according to the authors of the malware, recent files may be more important for some victims and typically they are not included in recent backups.

“According to MalwareHunterTeam, the most interesting of these was the ability to encrypt files based on a time range—as a way to encrypt recent files, which may be of more importance for some victims, and typically not included in recent backups.” reported The Record.

The Record pointed out that as early January, the number of SFile ransomware infections is still very small.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

The post Experts warn of attacks using a new Linux variant of SFile ransomware appeared first on Security Affairs.

Recent Posts
Contact Us

We're not around right now. But you can send us an email and we'll get back to you, asap.

Not readable? Change text. captcha txt