• Home
  • |
  • Blog
  • |
  • How DarkRadiation Ransomware Attacks Targets Linux And Docker Instances?
DarkRadiation Ransomware

Security researchers have observed new ransomware dubbed as “DarkRadiation Ransomware” written in Bash script targets Linux and Docker Instances. For file encryption, ransomware uses OpenSSL’s AES algorithm to encrypt the files in the directory. The ransomware scripts also use the API of the messaging application Telegram for command and control (C2) communication to send an infection status to the threat actor. Let’s see how the new DarkRadiation ransomware attacks target the Linux and Docker containers in detail.

Targets Of DarkRadiation Ransomware Attacks:

Most components of the DarkRadiation ransomware primarily target Red Hat and CentOS Linux distributions. However, researchers also found few scripts written to target Debian-based Linux distributions.

How Attackers Use DarkRadiation Ransomware Against Linux And Docker Instances?

Attackers use various open-source hacking tools to spread and infect the malware on the victims’ networks. These hacking tools contain various reconnaissance tools, bash scripts that help for lateral movement, known exploits of Red Hat and CentOS, binary injectors (libprocesshider rootkit), and more. Cybersecurity researchers also disclosed that some of the scripts are still in the development phase. The concerning fact is that antivirus engines have barely captured most of the tools used here. Research also says that the ransomware scripts are obfuscated with an open-source tool called “node-bash-obfuscate, ” a Node.js CLI tool and library to obfuscate bash scripts.

DarkRadiation ransomware uses OpenSSL’s AES algorithm to encrypt the files on the victim machine. It encrypts either the file with specific extensions or all files in the given directory.

Once the target is infected, attackers use Telegram APIs to communicate with the worm and ransomware scripts. In other words, malware scripts use the Telegram APIs to directly access the attacker’s C2 servers. All thought, it’s not clearly known how the ransomware is delivered to the target for the first time.

Indicators Of Compromise (IOCs) Of DarkRadiation Ransomware:

File Hashes:

Script nameSha256
supermicro_crd0d3743384e400568587d1bd4b768f7555cc13ad163f5b0c3ed66fdc2d29b810
supermicro_bt652ee7b470c393c1de1dfdcd8cb834ff0dd23c93646739f1f475f71a6c138edd
supermicro_cr_third (obfuscated)9f99cf2bdf2e5dbd2ccc3c09ddcc2b4cba11a860b7e74c17a1cdea6910737b11
supermicro_cr_third (deobfuscated)654d19620d48ff1f00a4d91566e705912d515c17d7615d0625f6b4ace80f8e3a
test.sh79aee7a4459d49dc6dfebf1a45d32ccc3769a1e5c1f231777ced3769607ba9c1
downloader.sh.saveda68dc9d5571ef4729adda86f5a21d3f4478ddbae2de937f34f57f450d8a3c76
downloader.sh3bab2947305c00df66cb4d6aaef006f10aca348c17aa2fd28e53363a08b7ec68
crypt3.sh0243ac9f6148098de0b5f215c6e9802663284432492d29f7443a5dc36cb9aab5
crypt2_first.she380c4b48cec730db1e32cc6a5bea752549bf0b1fb5e7d4a20776ef4f39a8842
bt_install.shfdd8c27495fbaa855603df4f774fe86bbc21743f59fd039f734feb07704805bd
binaryinject1.so7a15e51e5dc6a9bfe0104f731e7def854abca5154317198dad73f32e1aead740
exploit4.pyc869261902a1364dd3decb2f8dce54b81621f20abd7204a427a3365c8dcc9d78
exploit3.py503276929ce5c56c626eaa5c3aca0e0160743bf3c8d415042dc3f9bb8c8b44a2
exploit1.py847d0057ade1d6ca0fedc5f48e76dd076fa4611deb77c490899f49701e87b6dd
pwd.c14584a716c5378405cba188dd60cec03571965329f52cfbd8c54116fa2d59377

C&C Server:

  • Malware command and control server:
    • 185[.]141[.]25[.]168
  • Hack tools directory: 
    • hxxps[://]u2wgg22a111ssy[.]space
    • hxxps[://]www[.]0zr33n33fo[.]space
    • hxxp[://]vk-o2vox-n[.]pp[.]ua
    • hxxps[://]m0troppm[.]site
    • hxxps[://]apooow4[.]space
    • hxxps[://]ga345ss34u[.]space

Recommendation To Protect Against DarkRadiation Ransomware Attacks:

  • Block all the IOCs on firewalls, web proxies, and EDR applications.
  • Isolate the suspected machine for further analysis.
  • Initiate the BCP plan.
  • Restore the data with clean backups.
  • Avoid handling files or URL links in emails, chats, or shared folders from untrusted sources.
  • Provide phishing awareness training to your employees/contractors.
  • Keep Anti-malware solutions at the endpoint and network-level updated at all times.
  • Deploy Endpoint Detection & Response (EDR) tools to detect the latest malware and suspicious activities on endpoints.

Thanks for reading the threat post. Please share this post with system admins and the people who use the Linux in their work and make them aware of the DarkRadiation Ransomware attacks.

About the author

Arun KL

To know more about me. Follow me on LinkedIn Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.