Current Cyber Threats

01flip: Multi-Platform Ransomware Written in Rust

Summary:
The financially motivated threat activity cluster, tracked as CL-CRI-1036, centers on a new, multi-platform ransomware family named 01flip. This ransomware is notable for being entirely written in the modern Rust programming language, allowing for seamless cross-compilation targeting both Windows and Linux operating systems. Victims observed thus far are a limited set of organizations in the Asia-Pacific region, including entities within critical infrastructure sectors, with potential targeting noted in the Philippines and Taiwan.

The initial access vector for this campaign relies on the exploitation of older, internet-facing application vulnerabilities, such as CVE-2019-11580. Following initial compromise, the attackers, who operate with a "hands-on" approach, deploy the open-source adversary emulation framework Sliver for command and control (C2), which facilitates reconnaissance and lateral movement. Subsequently, they deploy 01flip to encrypt files using AES-128-CBC and an embedded RSA-2048 key, renaming them with the .01flip extension. The malware implements minimal defense evasion by encoding strings and including an anti-sandbox check. For extortion, the attackers demand 1 Bitcoin (BTC), and while they do not operate a dedicated leak site, an alleged data leak from a victim organization was posted on a dark web forum, indicating a potential double-extortion scheme.


Security Officer Comments:
Low-confidence overlap with the LockBit ransomware group exists due to an unusual file extension exclusion, and the campaign may be linked to a Russian-speaking threat actor selling data/access on the XSS dark web forum since 2020. The use of modern, cross-platform languages like Rust in sophisticated malware such as 01flip presents a significant challenge for defenders, particularly given the initial low detection rate of the Linux variant. This trend requires a shift in defensive focus from signature-based detection to behavioral analysis of TTPs. Furthermore, the reliance on older, unpatched vulnerabilities like CVE-2019-11580 for initial access confirms that basic patch management failures remain the easiest entry point for highly skilled, hands-on groups who use advanced C2 frameworks like Sliver. The data theft aspect is also critical: because 01flip lacks exfiltration capabilities, the attackers must have used other tools, likely via Sliver C2, to steal data before the encryption phase.
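One concrete form the behavioral detection mentioned above can take is watching for a burst of file renames to the .01flip extension on a single host, which is the on-disk side effect the Summary describes. The following is an added example written for this brief, not code from Unit 42 or from the 01flip report: the pipe-delimited file-event log format, the host names, the 60-second window and the threshold of five renames are all constructed assumptions, chosen so the detector can be run offline against the embedded sample.

```python
"""Flag hosts that rename many files to the .01flip extension in a short window.

Added example for this brief (not Unit 42 code). The log format, hosts,
window and threshold below are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample file-event log: timestamp|host|action|old_path|new_path.
# srv-fin-01 shows a burst of renames to .01flip; ws-dev-07 shows benign and
# isolated activity that should not trigger an alert.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z|srv-fin-01|RENAME|/srv/share/q1.xlsx|/srv/share/q1.xlsx.01flip
2024-01-01T10:00:01Z|srv-fin-01|RENAME|/srv/share/q2.xlsx|/srv/share/q2.xlsx.01flip
2024-01-01T10:00:01Z|srv-fin-01|RENAME|/srv/share/q3.xlsx|/srv/share/q3.xlsx.01flip
2024-01-01T10:00:02Z|srv-fin-01|RENAME|/srv/share/notes.docx|/srv/share/notes.docx.01flip
2024-01-01T10:00:02Z|srv-fin-01|RENAME|/srv/share/budget.pdf|/srv/share/budget.pdf.01flip
2024-01-01T10:00:03Z|srv-fin-01|RENAME|/srv/share/plan.pptx|/srv/share/plan.pptx.01flip
2024-01-01T10:00:05Z|ws-dev-07|RENAME|/home/dev/draft.txt|/home/dev/final.txt
2024-01-01T10:02:00Z|ws-dev-07|RENAME|/home/dev/a.bin|/home/dev/a.bin.01flip
2024-01-01T10:09:00Z|ws-dev-07|RENAME|/home/dev/b.bin|/home/dev/b.bin.01flip
2024-01-01T10:10:00Z|ws-dev-07|CREATE||/home/dev/c.bin.01flip
"""

RANSOM_EXTENSION = ".01flip"          # extension reported for 01flip
WINDOW = timedelta(seconds=60)        # assumed sliding window
THRESHOLD = 5                         # assumed renames per window to alert


def parse_events(text):
    """Parse the constructed log into (timestamp, host, action, old, new) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, action, old, new = line.split("|")
        # Normalise the trailing 'Z' so datetime.fromisoformat accepts it on all versions.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
        events.append((when, host, action, old, new))
    return events


def detect_mass_rename(events, extension=RANSOM_EXTENSION, window=WINDOW, threshold=THRESHOLD):
    """Return {host: first_alert_time} for hosts with >= threshold renames to
    `extension` inside any sliding interval of length `window`."""
    recent = defaultdict(deque)   # per-host timestamps of matching renames
    alerts = {}
    for ts, host, action, _old, new in sorted(events):
        if action != "RENAME" or not new.endswith(extension):
            continue
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:   # drop renames older than the window
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = ts
    return alerts


def run_detection():
    """Run the detector over the embedded sample; return {host: ISO alert time}."""
    alerts = detect_mass_rename(parse_events(SAMPLE_LOG))
    return {host: ts.isoformat() for host, ts in alerts.items()}


if __name__ == "__main__":
    for host, when in run_detection().items():
        print(f"ALERT {host}: >= {THRESHOLD} renames to {RANSOM_EXTENSION} within {WINDOW} at {when}")
```

The detector keys on the rename burst rather than on any byte pattern in the binary, so it holds across the Windows and Linux builds the brief mentions; the window and threshold should be tuned against a baseline of normal rename activity on each class of host, since file servers and build machines differ widely.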


Suggested Corrections:
Backup your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems.


Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.


Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?


Check your security team's work: Use a third-party pen tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.


Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks, and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.


Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained on how to avoid and spot phishing emails.


Implement multi-factor authentication (MFA): External-facing assets that leverage single-factor authentication (SFA) are highly susceptible to brute-forcing attacks, password spraying, or unauthorized remote access using valid (stolen) credentials. Implementing MFA enhances security and adds an extra layer of protection.


Link(s):
https://unit42.paloaltonetworks.com/new-ransomware-01flip-written-in-rust/