Radiation Warnings: New DarkRadiation Ransomware Raising Alarms
Posted by: GuidePoint Security
A new ransomware strain dubbed DarkRadiation is causing concern for security professionals. The code is written as a Bash shell script and targets Linux hosts and Docker cloud containers. According to researchers, the ransomware uses OpenSSL’s AES implementation in CBC mode to encrypt files, and it appends the radioactivity symbol to the names of encrypted files. When executed, the ransomware first checks that it is running as root; if it has those permissions, it then checks whether Wget, cURL, and OpenSSL are installed and downloads and installs any that are missing. If Wget, cURL, or OpenSSL are unavailable, the ransomware may also attempt to install YUM, a Python-based package manager.
The malicious Bash script lets the ransomware operator identify logged-in users on a Unix system with the ‘who’ command, polling every five seconds for newly logged-in users, and it can also retrieve a list of all available users. It can overwrite all existing user passwords and then delete all existing users and shell users. The malware can also disable all active Docker containers.
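As an added defensive example (not code from the GuidePoint post, nor from the malware itself), the Python script below hunts for two of the behaviours described above: file names carrying the radioactivity marker, and a parent process that spawns ‘who’ on a five-second cadence. It assumes the marker is U+2622 (☢) and that process-execution telemetry is available as ‘epoch_seconds ppid comm’ records; both are assumptions for illustration, not details from the post, and the sample telemetry is constructed.

```python
import os
from collections import defaultdict

# Assumed marker appended to encrypted file names (U+2622); not confirmed by the post.
RADIOACTIVE = "\u2622"

def find_marked_files(root):
    """Return sorted paths under root whose file name contains the radioactive sign."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if RADIOACTIVE in name:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)

def find_who_polling(lines, interval=5.0, tolerance=1.0, min_gaps=2):
    """Flag parent PIDs whose 'who' child executions recur at ~interval seconds.

    lines: constructed telemetry records of the form 'epoch_seconds ppid comm'.
    Returns {ppid: count_of_interval_sized_gaps} for ppids with >= min_gaps.
    """
    times = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[2] != "who":
            continue  # malformed record, or not an execution of who
        times[parts[1]].append(float(parts[0]))
    suspicious = {}
    for ppid, ts in times.items():
        ts.sort()
        gaps = sum(1 for a, b in zip(ts, ts[1:])
                   if abs((b - a) - interval) <= tolerance)
        if gaps >= min_gaps:
            suspicious[ppid] = gaps
    return suspicious

# Constructed sample telemetry: ppid 4242 runs who every 5 s; ppid 77 runs it once.
SAMPLE_TELEMETRY = [
    "1623800000 4242 who",
    "1623800005 4242 who",
    "1623800010 4242 who",
    "1623800015 4242 who",
    "1623800003 77 who",
    "1623800004 77 ls",
]

if __name__ == "__main__":
    print(find_who_polling(SAMPLE_TELEMETRY))  # {'4242': 3}
    print(find_marked_files("."))
```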
Currently, it’s unknown whether there have been active attacks involving DarkRadiation. Researchers continue to monitor the malware activity.