Symantec recently identified a new variant of Linux ransomware, linked to a double-extortion group that operates in both English and Spanish. The specific tactics and procedures used by the threat actors remain unclear at this time. However, the observed behavior of the ransomware shows distinct patterns, such as dropping ransom notes in files located in both the root directory and within the victim’s user-specific directories. These notes contain instructions for the victims and provide details on how to engage with the attackers.
One of the key characteristics of this ransomware is its ability to halt critical processes and services, including PostgreSQL, MongoDB, MySQL, Apache2, Nginx, and PHP-FPM, to ensure the attack proceeds without interruption. The threat actors also overwrite the /etc/motd file, which serves as a warning to the victim. It informs them that their files have been encrypted, urging them to review the ransom note for further instructions. The ransomware then proceeds to encrypt files on the system.
The ransom note itself is written in both English and Spanish, reflecting the bilingual nature of the attackers. The note informs the victim that their files have been downloaded to the attackers’ servers and that decryption is not possible without the proprietary software controlled by the threat actors. It also claims that the attackers have stolen significant amounts of sensitive company data, including emails, passwords, and customer databases, and threatens to leak this information unless the victim complies.
To facilitate communication, the ransom note instructs victims to contact the attackers via Session, a privacy-focused messaging platform that ensures anonymous and secure exchanges. The attackers provide links to download the app, along with an ID and additional instructions for its use. These ransom demands align with typical double-extortion tactics, where data theft is combined with encryption, putting further pressure on organizations to meet the demands.
Reference: