Security Affairs
Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Another Ransomware For Linux Likely In Development

Uptycs researchers recently spotted a new Linux ransomware that appears to be under active development. The Uptycs Threat Research team recently observed an Executable and Linkable Format (ELF) ransomware which encrypts the files inside Linux systems based on the given folder path. We observed that the dropped README note matches exactly with the DarkAngels ransomware […]

Linux ransomware

Uptycs researchers recently spotted a new Linux ransomware that appears to be under active development.

The Uptycs Threat Research team recently observed an Executable and Linkable Format (ELF) ransomware which encrypts the files inside Linux systems based on the given folder path. We observed that the dropped README note matches exactly with the DarkAngels ransomware README note (see Figure 1). The DarkAngels ransomware was first seen this year during the month of May, in which its variants targeted Windows systems. The ELF file we found itself is new, but the Onion link found in the ransomware binary appears to be down, indicating that this new Linux-targeted ransomware might still be under development.

Linux ransomware

Figure 1: DarkAngels ransomware README 

Technical Overview

The ransomware binary for the ELF version observed (hash: 3b56cea72e8140a7044336933cf382d98dd95c732e5937a0a61e0e7296762c7b) requires a folder as an argument for the encryption in the victim system. Once the folder path is given, it starts encrypting files present inside the folder. The extension used by the threat actor is .crypted (see Figure 2). 

Linux ransomware

Figure 2: DarkAngels ransomware in action

The binary uses the pthread_create function for creating a new thread. The pthread_create() function starts a new thread in the calling process. The new thread starts execution by invoking start_routine()(FUN_0041cf55) (see Figure 3).

Linux ransomware


Figure 3: pthread usage inside the ransomware binary

The start_routine()(FUN_0041cf55) (see Figure 4) function performs the following steps to encrypt target files:

  • Opens the target file and sets the write lock on it using fcntl().
  • Closes the target file and then renames it to <target_file>.crypted.
  • Opens another file by the name <target_file>.crypted.README_TO_RESTORE ,writes the README content into that and closes it.
  • Opens <target_file>.crypted and writes the encrypted content to it using combination of lseek and write call.
  • Also, a list of all the encrypted files gets stored in a file named wrkman.log.0.
Linux ransomware 4

Figure 4: Inside the start_routine

Conclusion

Ransomware families targeting Linux systems or going cross-platform to target multiple OSes is not new. In the past, the threat actors have expanded their ransomware campaigns across OS flavors in order to target more victims. The DarkAngels ransomware appears to still be in a development phase, with a clear goal to target Linux systems. 

We may see some new features or advancements in this family of ransomware in the future. The Uptycs Threat Research team is continuously monitoring related malware campaigns to safeguard customers and inform the broader security community. 

Uptycs researchers added YARA rules for this threat to its Uptycs EDR and shared Indicator of Compromise on their website:

https://www.uptycs.com/blog/another-ransomware-for-linux-likely-in-development

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]