DarkRadiation Ransomware Threatens Linux Distributions

It is not a surprise that the majority of malware released on the Internet targets Windows computers exclusively. After all, this is the most widely used operating system in the world. However, UNIX-based operating systems have also been targeted by threat actors more and more often. Mac users no longer feel as safe as they did a few years ago, and the same might apply to Linux users as well. Some modern malware families target specific Linux distributions, and today's post focuses on such a threat – the DarkRadiation Ransomware.

DarkRadiation Ransomware Focuses on Red Hat and CentOS

The DarkRadiation Ransomware's creators are unknown, but they seem to be familiar with the ins and outs of Red Hat and CentOS, the two Linux distributions that this malware targets. The attack involves multiple stages, and the attackers leverage a custom-built worm, as well as public tools to obfuscate the malicious bash scripts they use. According to cybersecurity researchers, the DarkRadiation Ransomware undergoes frequent updates, and they have identified dozens of different versions of the file-locker. The majority of these versions, however, had minor differences between one another.

The criminals are relying on a simple SSH worm script to brute-force SSH keys and passwords that are not complex enough. If a connection is established successfully, the worm component will deploy the DarkRadiation Ransomware and proceed with the attack.   

While the ultimate purpose of the DarkRadiation Ransomware is to encrypt the victim's data and then extort them for money, it also does some pretty fascinating things on the side. For starters, it has an obfuscated bash script, which serves the purpose of:

  • Setting the passwords of all existing users to megapassword.
  • Creating a new user called ferrum with the password MegPw0rD3.
  • Deleting all other users apart from ferrum.

Once a file is locked, the ransomware applies an interesting extension to it – a radioactive icon (☢). It then terminates all Docker instances and spawns the ransom note in a new terminal window. During this whole process, the DarkRadiation Ransomware and the SSH worm report back to the attacker through a Telegram bot.
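As an added example (not code from the original post or from any vendor tooling), the following Python helper shows how a defender could check a host for the two host-level artefacts described above: an interactive account that was not in the known user baseline (the post names ferrum), accounts that disappeared from /etc/passwd, and files whose name ends in the radioactive ☢ character. The baseline user set, the /etc/passwd snapshot and the file names are constructed for the demonstration; the function names are this example's own.

```python
"""Host checks for the account tampering and file-extension behaviour
described above. Added example, not code from the original post. The
baseline user set, /etc/passwd snapshot and file names are constructed."""
import os
from dataclasses import dataclass

# Constructed baseline: the human accounts that existed before the incident.
BASELINE_USERS = {"root", "alice", "bob", "deploy"}

# Constructed /etc/passwd snapshot after the script described above has run:
# alice, bob and deploy are gone and a new interactive account ferrum appeared.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ferrum:x:1001:1001::/home/ferrum:/bin/bash
"""

# Constructed directory listing; two files carry the radioactive suffix.
SAMPLE_FILES = [
    "/srv/data/customers.db",
    "/srv/data/customers.db.\u2622",
    "/home/alice/notes.txt\u2622",
    "/etc/hostname",
]

# Shells that give a real login; service accounts with nologin are ignored.
LOGIN_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/bash"}
RADIOACTIVE = "\u2622"


@dataclass
class PasswdFinding:
    added_users: set   # interactive accounts not in the baseline
    removed_users: set # baseline accounts no longer present
    uid0_accounts: set # every account with uid 0 (should be root only)


def parse_passwd(text):
    """Return {username: (uid, shell)} from /etc/passwd-formatted text."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip rather than abort the audit
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        users[name] = (int(uid), shell)
    return users


def audit_passwd(passwd_text, baseline):
    """Compare a passwd snapshot against the known-good user baseline."""
    users = parse_passwd(passwd_text)
    interactive = {n for n, (_, shell) in users.items() if shell in LOGIN_SHELLS}
    return PasswdFinding(
        added_users=interactive - baseline,
        removed_users=baseline - set(users),
        uid0_accounts={n for n, (uid, _) in users.items() if uid == 0},
    )


def find_radioactive_files(paths):
    """Return paths whose basename ends with the radioactive character."""
    return sorted(p for p in paths if os.path.basename(p).endswith(RADIOACTIVE))


if __name__ == "__main__":
    finding = audit_passwd(SAMPLE_PASSWD, BASELINE_USERS)
    print("unexpected interactive accounts:", finding.added_users)
    print("missing baseline accounts:", finding.removed_users)
    print("uid 0 accounts:", finding.uid0_accounts)
    print("files with radioactive suffix:", find_radioactive_files(SAMPLE_FILES))
```

On a live host the same functions would be fed the contents of /etc/passwd and the output of a filesystem walk; the baseline is whatever the organisation's configuration management says the accounts should be, so that any account created outside that process stands out.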

The DarkRadiation Ransomware is not considered to be decryptable, and the only reliable recovery option for its victims is to restore the lost files from a backup.

June 21, 2021