Researchers at Symantec have identified a new Linux ransomware variant linked to a bilingual (English and Spanish) double-extortion ransomware group.
This emerging threat poses significant risks to organizations by encrypting and exfiltrating sensitive data, demanding ransom payments for decryption and data protection.
Double extortion ransomware is a particularly dangerous type of cyberattack in which attackers encrypt a victim’s data and steal sensitive information.
This dual threat provides cybercriminals with additional leverage to demand ransom payments. Unlike traditional ransomware attacks that solely involve data encryption, the added risk of data exfiltration significantly heightens the potential damage for organizations across all industries.
Ransomware Behavior
According to the Symantec report, the group's modus operandi remains unclear at this time. The ransomware deposits a ransom note in /root/README.txt and /user/[username]/README.txt, instructing victims on the next steps.
It forcibly halts critical processes and services, including PostgreSQL, MongoDB, MySQL, Apache2, Nginx, and PHP-FPM, to ensure the attack proceeds without interference.
Additionally, the /etc/motd file is overwritten with a warning message: “Your files have been stolen and encrypted. Read README.txt for more information.”
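As an added defender-side example (written for this page, not code from Symantec or from the report), the script below checks a Linux host for the three behaviours described above: the bilingual README.txt note in /root and in each user's home directory (the report's "/user/[username]" path is assumed here to mean the home directories under /home), the overwritten /etc/motd, and the listed services having been stopped. The systemd unit names used for those services, the phrases used to recognise the note, and the sample filesystem tree built by build_constructed_sample() are assumptions constructed for the example.

```python
import subprocess
import tempfile
from pathlib import Path

# Indicators drawn from the behaviour described in the report.
RANSOM_NOTE_NAME = "README.txt"
MOTD_WARNING = ("Your files have been stolen and encrypted. "
                "Read README.txt for more information.")
# Phrases from the bilingual note; a README.txt is flagged only if it carries one,
# so an ordinary project readme is not reported.
NOTE_MARKERS = ("sus archivos han sido cifrados", "decryption software", "getsession")
# Services the ransomware stops before encrypting (systemd unit names are an assumption).
TARGETED_SERVICES = ("postgresql", "mongodb", "mysql", "apache2", "nginx", "php-fpm")


def find_ransom_notes(root: Path) -> list:
    """Return README.txt files under <root>/root and <root>/home/* that look like the note."""
    candidates = [root / "root" / RANSOM_NOTE_NAME]
    home = root / "home"
    if home.is_dir():
        candidates += [d / RANSOM_NOTE_NAME for d in sorted(home.iterdir()) if d.is_dir()]
    hits = []
    for path in candidates:
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace").lower()
        except OSError:
            continue
        if any(marker in text for marker in NOTE_MARKERS):
            hits.append(path)
    return hits


def motd_tampered(root: Path) -> bool:
    """True if <root>/etc/motd carries the warning the ransomware writes."""
    motd = root / "etc" / "motd"
    if not motd.is_file():
        return False
    try:
        return MOTD_WARNING in motd.read_text(errors="replace")
    except OSError:
        return False


def stopped_targeted_services(status: dict) -> list:
    """Given unit -> state (as `systemctl is-active` prints it), list targeted units that are down.
    'unknown' (unit not installed) is ignored so a host without, say, MongoDB is not flagged."""
    return [unit for unit in TARGETED_SERVICES if status.get(unit) in ("inactive", "failed")]


def live_service_status() -> dict:
    """Query systemd on a real host; only used when the triage is run live."""
    status = {}
    for unit in TARGETED_SERVICES:
        try:
            result = subprocess.run(["systemctl", "is-active", unit],
                                    capture_output=True, text=True, timeout=5)
            status[unit] = result.stdout.strip() or "unknown"
        except (OSError, subprocess.TimeoutExpired):
            status[unit] = "unknown"
    return status


def triage(root="/", service_status=None) -> dict:
    """Collect the three indicators into one finding record."""
    root = Path(root)
    return {
        "ransom_notes": [str(p) for p in find_ransom_notes(root)],
        "motd_tampered": motd_tampered(root),
        "stopped_services": stopped_targeted_services(service_status or {}),
    }


def build_constructed_sample() -> Path:
    """Create a fake filesystem tree in a temp dir (constructed sample data, not a real host)."""
    root = Path(tempfile.mkdtemp(prefix="ransom-triage-"))
    for sub in ("root", "etc", "home/alice", "home/bob"):
        (root / sub).mkdir(parents=True)
    note = ("Your files have been encrypted and downloaded to our servers.\n"
            "Sus archivos han sido cifrados y descargados a nuestros servidores.\n")
    (root / "root" / RANSOM_NOTE_NAME).write_text(note)
    (root / "home" / "alice" / RANSOM_NOTE_NAME).write_text(note)
    # bob's README.txt is an ordinary project readme and must not be flagged
    (root / "home" / "bob" / RANSOM_NOTE_NAME).write_text("Build with: make\n")
    (root / "etc" / "motd").write_text(MOTD_WARNING + "\n")
    return root


if __name__ == "__main__":
    sample = build_constructed_sample()
    print("constructed sample:", triage(sample, {"mysql": "inactive", "nginx": "active"}))
    # On a real host, point it at "/" and feed it the live systemd state.
    print("this host:", triage("/", live_service_status()))
```

Pointing triage() at a mounted disk image rather than "/" lets the same checks run from a clean forensic workstation, which is preferable to running tooling on a host that may still be under the attacker's control; in that case pass an empty service map and judge the service state from the image's journal instead.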
"Your files have been encrypted and downloaded to our servers.
Sus archivos han sido cifrados y descargados a nuestros servidores.
Decryption of your files is not possible without our decryption software.
El descifrado de sus archivos no es posible sin nuestro software de descifrado.
We have terabytes of your company data, including employee emails, employee passwords, and customer databases.
Tenemos terabytes de datos de su empresa, incluidos correos electrónicos de empleados, contraseñas de empleados y bases de datos de clientes.
To prevent the leaking of this data and to obtain the decryption software, contact us using one of these methods:
Para evitar la filtración de estos datos y obtener el software de descifrado, contáctenos utilizando uno de estos métodos:
Session (hxxps[:]//getsession[.]org)
ID: [REMOVED]
hxxps[:]//getsession[.]org/blog/session-for-beginners"
The ransom note in English and Spanish informs victims that their files have been encrypted and exfiltrated. It warns that decryption is impossible without the attackers’ software. It also threatens to leak sensitive company data, including employee emails, passwords, and customer databases unless contacted via ‘Session’—a privacy-focused messaging app.
Symantec has classified this threat under Ransom.Gen and offers robust protection through its Data Center Security (DCS) solutions.
Recommendations for Organizations
Organizations are advised to:
- Implement Security Solutions: Deploy comprehensive security solutions to safeguard against ransomware threats.
- Regular Backups: Maintain regular backups of critical data to ensure recovery without paying ransoms.
- Employee Training: Educate employees on recognizing phishing attempts and other common ransomware delivery methods.
- Network Segmentation: Segment networks to limit the spread of ransomware in case of an infection.