Cybersecurity Threat Advisory 0046-21: Wormable Ransomware Targeting Linux and Docker instances

Threat Update

A new ransomware written in Bash, named “DarkRadiation”, has been discovered targeting Linux and Docker cloud containers. There is currently no known information about the delivery methods of this attack. This strain is undergoing active development and even includes a worm that tries to spread through the network or across other devices. SKOUT recommends training users to be on the lookout for suspicious links, and having a proper password policy in place to ensure compromised passwords are not used.

Technical Detail & Additional Information

WHAT IS THE THREAT?

Linux and Docker cloud containers are being targeted by a new ransomware dubbed “DarkRadiation”. This new strain is built in Bash and spreads at an alarming rate, utilizing SSH credentials to spread to other machines. The threat actor compiles data from infected targets using the Telegram messaging service, then encrypts the machines and asks for a ransom.

WHY IS IT NOTEWORTHY?

This is especially noteworthy because this strain is under active development. Researchers have found samples of this ransomware with different passwords hardcoded into the files. Furthermore, the script obfuscates itself to evade detection by different endpoint protection solutions. Due to the nature of the language this strain is written in, it can also be changed and redeployed faster, which makes it harder to detect.

WHAT IS THE EXPOSURE OR RISK?

Once a machine is infected, the ransomware stops all Docker containers and periodically takes a snapshot of the logged-in users. The malware then proceeds to overwrite existing passwords. Organizations should be aware that infected machines may lose all data once encrypted. If the ransomware hits a production server with a Docker container, the company may lose access to that server until remediation efforts are put into motion. Organizations should also be aware that the threat actor may have compiled existing users and passwords, and should consider those accounts compromised.

WHAT ARE THE RECOMMENDATIONS?

SKOUT recommends following the best practices below:

  • Block the threat actor's C2 channel by blocking the Telegram service and the threat actor's malicious IP address: 185.141.25.168
  • Enforce a strong password policy, including a prevention mechanism for reusing passwords.
  • Ensure users are trained to be on the lookout for phishing emails.
  • Have a strong endpoint protection solution in place that can actively stop malicious scripts from executing (e.g., SKOUT Endpoint Protection).
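
Before the block in the first recommendation goes in, existing egress logs can show which hosts have already contacted the listed IP address or Telegram. The script below is an added example, not part of the original advisory. The log format, the sample lines and the Telegram hostnames (telegram.org, t.me) are assumptions; only the IP address comes from the advisory.

```python
import ipaddress
import re
from collections import defaultdict

# Indicator from the advisory. The Telegram hostnames are an assumption:
# the advisory says only "the Telegram service".
C2_IP = ipaddress.ip_address("185.141.25.168")
TELEGRAM_SUFFIXES = ("telegram.org", "t.me")

# Constructed sample lines in a hypothetical egress-log format.
SAMPLE_LOG = """\
2021-06-22T10:01:07Z src=10.0.4.17 dst=185.141.25.168 dport=80 host=-
2021-06-22T10:01:09Z src=10.0.4.17 dst=203.0.113.50 dport=443 host=api.telegram.org
2021-06-22T10:02:30Z src=10.0.4.22 dst=198.51.100.7 dport=443 host=registry.example.com
2021-06-22T10:03:11Z src=10.0.4.31 dst=203.0.113.51 dport=443 host=nottelegram.org
2021-06-22T10:04:45Z src=10.0.4.22 dst=185.141.25.16 dport=22 host=-
malformed line without fields
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) host=(?P<host>\S+)$"
)

def is_telegram(host: str) -> bool:
    """Match the domain or a subdomain, not lookalikes such as nottelegram.org."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TELEGRAM_SUFFIXES)

def find_hits(log_text: str) -> dict:
    """Return {source_ip: [(timestamp, reason), ...]} for lines matching an indicator."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip unparseable lines rather than guessing at fields
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue
        if dst == C2_IP:  # exact address comparison, not a string prefix match
            hits[m["src"]].append((m["ts"], "c2_ip"))
        if is_telegram(m["host"]):
            hits[m["src"]].append((m["ts"], "telegram"))
    return dict(hits)

if __name__ == "__main__":
    for src, events in find_hits(SAMPLE_LOG).items():
        print(src, events)
```

Any source address it reports is a candidate for the credential reset the advisory describes, since the threat actor may already hold that host's users and passwords.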
