[MART] - Daily Diary #432 - SFile Ransomware Targets FreeBSD

CTAS-MAT ctas-mat at appgate.com
Mon Jan 17 19:44:27 UTC 2022


Hello,

I hope everyone is doing well!

Below is the entry for today.

01/17/2022 - Diary entry #432:

SFile, also known as Escal, is a ransomware family active since 2020 that was previously known to target only Windows systems. Recently, a variant that targets the FreeBSD operating system was spotted in an attack against a company in China. (Some news outlets refer to a Linux variant. We believe this reflects a confusion between Linux and FreeBSD. While both are Unix-style operating systems used primarily for infrastructure systems, they are distinct, incompatible operating systems.)

This new variant has some improvements over the Windows version. It accepts command-line parameters that give the operator flexibility during an attack: the number of threads, the minimum and maximum size of files to encrypt, inclusion or exclusion of specific file extensions, and switches to disable CRC32, disable dropping the ransom note, and disable file renaming.

SFile encrypts files using the Mbed TLS library, with RSA-2048 and AES-256 as the chosen algorithms. It can also select files for encryption based on their creation or access date. The reasoning is that recent files are likely more important to the victim and are usually not yet included in recent backups.
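The targeting window described in the two paragraphs above (file age, size limits, extension include/exclude lists) can be turned around into a defender's check: which files changed since the last completed backup would fall inside such a window? The script below is an added example, not code from the post or from the malware; the Criteria fields, the sample file tree and the seven-day backup age are all constructed assumptions.

```python
import os
import tempfile
import time
from dataclasses import dataclass, field
from pathlib import Path

@dataclass
class Criteria:  # targeting window modelled on the options described above (names assumed)
    since: float                                    # epoch seconds of the last completed backup
    min_size: int = 0                               # bytes
    max_size: int = 1 << 30                         # bytes
    include_ext: set = field(default_factory=set)   # empty set means any extension
    exclude_ext: set = field(default_factory=set)

def recent_unbacked_files(root, crit):
    """Files newer than the last backup that also pass the size and extension filters."""
    # "Newer" is the later of access and modification time; FreeBSD also exposes a
    # birth time (st_birthtime) that a stricter audit could fold in as well.
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        st = path.stat()
        if max(st.st_atime, st.st_mtime) <= crit.since:
            continue                                # already covered by the backup
        if not crit.min_size <= st.st_size <= crit.max_size:
            continue
        ext = path.suffix.lower().lstrip(".")
        if crit.include_ext and ext not in crit.include_ext:
            continue
        if ext in crit.exclude_ext:
            continue
        hits.append(path)
    return sorted(hits)

def build_sample_tree():
    """Constructed sample data: one file older than the backup, three newer ones."""
    root, now = tempfile.mkdtemp(), time.time()
    samples = {"old.docx": (10, 10), "new.docx": (10, 1), "new.log": (10, 1), "big.docx": (5000, 1)}
    for name, (size, age_days) in samples.items():
        p = Path(root, name)
        p.write_bytes(b"x" * size)
        stamp = now - age_days * 86400
        os.utime(p, (stamp, stamp))                 # atime and mtime set to the constructed age
    return root, now - 7 * 86400                    # last backup completed seven days ago

def demo():
    root, last_backup = build_sample_tree()
    crit = Criteria(since=last_backup, max_size=4096, exclude_ext={"log"})
    return [p.name for p in recent_unbacked_files(root, crit)]
```

Running demo() on the constructed tree leaves only new.docx: old.docx is covered by the backup, big.docx exceeds the size ceiling, and new.log is excluded by extension.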

Recent victims include several Chinese companies, but the number of attacks is very small compared to other ransomware gangs. SFile does not operate a wall-of-shame blog, where ransomware gangs usually publish their attacks and open direct channels of communication with victims, such as a chat. Instead, all communication is established via email.

Kind Regards,




Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com
C: +55 11 97467 9549
