{
	"id": "d7c3b977-42e3-4dde-b4ba-107db3fb982e",
	"created_at": "2026-04-06T00:15:58.692319Z",
	"updated_at": "2026-04-10T03:21:05.291351Z",
	"deleted_at": null,
	"sha1_hash": "90accc3c59c5dcff8bfd6cb9ba2e1e102cb5b29d",
	"title": "DarkRadiation | Abusing Bash For Linux and Docker Container Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7737262,
	"plain_text": "DarkRadiation | Abusing Bash For Linux and Docker Container Ransomware\r\nBy SentinelOne\r\nPublished: 2021-06-21 · Archived: 2026-04-05 15:01:48 UTC\r\nWhile new ransomware families are a common occurrence these days, a recently discovered ransomware dubbed ‘DarkRadiation’ is especially noteworthy for defenders. First, it targets Linux and Docker cloud containers, making it of particular concern to enterprises. Secondly, DarkRadiation is written entirely in Bash, a feature that can make it difficult for some security solutions to identify as a threat. In this post, we’ll take a look at the DarkRadiation Bash scripts and show how this novel ransomware can be detected.\r\nDarkRadiation appears to have been first noticed in late May by Twitter user @r3dbU7z and was later reported on by researchers at Trend Micro. It appears to have come to light as part of a set of hacker tools through discovery on VirusTotal.\r\nhttps://www.sentinelone.com/blog/darkradiation-abusing-bash-for-linux-and-docker-container-ransomware/\r\nPage 1 of 10\r\nAt this time, we have no information on delivery methods or evidence of in-the-wild attacks. However, analysis of its various components suggests that the actors behind its development intend to use it in a campaign targeting Linux installs and Docker containers.\r\nThe ransomware uses a complex collection of Bash scripts and at least half a dozen C2s, all of which appear to be currently offline, to communicate with Telegram bots via hardcoded API keys.\r\n[Figure: DarkRadiation is part of a larger collection of hacking scripts]\r\nThe DarkRadiation scripts have a number of dependencies including wget, curl, sshpass, pssh and openssl. If any of these are not available on the infected device, the malware attempts to download the required tools using YUM (Yellowdog Updater, Modified), a Python-based package manager widely adopted by popular Linux distros such as Red Hat and CentOS.\r\n[Figure: DarkRadiation checks for and installs dependencies]\r\nCode artifacts in the same script show the ransomware attempting to stop, disable and delete the /var/lib/docker directory, used by Docker to store images, containers, and local named volumes. Despite the name of the function, docker_stop_and_encrypt, it appears that at least in its current form it acts purely as a wiper for Docker images. However, as other researchers have noted, several versions of these scripts were found on the threat actor’s infrastructure, suggesting that they may be in nascent development and not yet ready for full deployment.\r\n[Figure: The ransomware appears to wipe the main Docker directory]\r\nIn order to facilitate communication, the ransomware relies on another script, bt_install.sh, to set up and test a Telegram bot, written to the local file path \"/usr/share/man/man8/mon.8.gz\". Fans of the popular science fiction trilogy “The Matrix” may recognize the test message “Knock, knock, Neo.” included in the bt_install shell script.\r\n[Figure: DarkRadiation threat actors appear to be fans of The Matrix Trilogy]\r\nThe same script also installs and enables a service called “griphon” as a way to gain persistence. If the malware has been run with admin rights, the service is installed as “griphon.service” at the default \"/etc/systemd/system/\" path and ensures the Telegram bot is brought up and running each time the device is rebooted.\r\n[Figure: A systemd service called ‘Griphon’ is installed for persistence]\r\nThe ExecStart command ensures that the bot is started either on system boot or by manual invocation of the service via systemctl.\r\nBash Ransomware Script and Obfuscation\r\n[Figure: DarkRadiation embedded ransomware note]\r\nThe ransomware script exists in several versions called supermicro_cr and crypt. An obfuscated version in the attacker’s repository uses a simple technique that we’ve seen before in shell script-based malware, which has been common on macOS for a while. The technique involves assigning random variables to “chunks” of script code.\r\n[Figure: The ransomware script is obfuscated with node-bash-obfuscate]\r\nComments left in the code in Russian suggest the author used an npm package called node-bash-obfuscate.\r\n[Figure: Translated comments reveal the hacker’s choice of obfuscation tool]\r\nDespite the apparent complexity of the obfuscated script, all such scripts can be easily translated back to plain text simply by replacing the eval command with echo, which prints the script to stdout without executing it.\r\nOn execution, the script creates a new user with the name “ferrum”. In some versions, the password is downloaded from the attacker’s C2 via curl and in others it is hardcoded with strings such as “$MeGaPass123#”.\r\n[Figure: The ransomware script creates a new user and password]\r\nFor the purpose of avoiding accidental discovery, the ransomware writes itself to \"/usr/share/man/man8/\", a folder typically reserved for the man pages associated with system administration controls: in other words, a directory not likely to be traversed by chance even by admin users. Moreover, in order to facilitate privilege escalation, the script uses a fairly blunt but often wildly effective ‘social engineering’ technique: simply asking the user for the required privileges.\r\nThe execution chain is caught by the SentinelOne agent and reflected in the Management console:\r\n[Figure: The chain of execution as seen in the SentinelOne console]\r\nIf allowed to execute, the ransomware script uses openssl (one of the dependencies we noted earlier) to encrypt files enumerated via the grep and xargs utilities. Encrypted files are appended with the extension .☢️, and the encryption key is sent to the attacker’s C2 via the Telegram bot.\r\n[Figure: openssl is used for file encryption]\r\nHow SentinelOne Deals With DarkRadiation\r\nFor endpoints protected by SentinelOne, DarkRadiation is blocked from the outset, so there’s no risk of any data being encrypted by the malware. As always, it’s safest to have your SentinelOne endpoints use the ‘Protect’ policy to ensure that threats are killed and quarantined automatically. When this occurs, the Management console gives a full report of what processes were killed and quarantined, and shows associated MITRE TTPs in the Threat Indicators panel.\r\n[Figure: DarkRadiation MITRE TTPs shown in SentinelOne console]\r\nIn the demo video below, we show how SentinelOne deals with DarkRadiation using the Detect-only policy.\r\nConclusion\r\nMalware written in shell script languages allows attackers to be more versatile and to avoid some common detection methods. As scripts do not need to be recompiled, they can be iterated upon more rapidly. Moreover, since some security software relies on static file signatures, these can easily be evaded through rapid iteration and the use of simple obfuscator tools to generate completely different script files.\r\nHowever, no amount of iteration or obfuscation changes the nature of what the malware actually does on execution. Hence, security teams are advised to use a trusted behavioral detection engine such as SentinelOne Singularity that can detect malicious behavior before it does harm to your Linux systems, servers or Docker containers.\r\nIf you would like to learn more about how SentinelOne can help secure your organization, contact us for more information or request a free demo.\r\nIndicators of Compromise\r\nsupermicro_cr\r\nSHA256: d0d3743384e400568587d1bd4b768f7555cc13ad163f5b0c3ed66fdc2d29b810\r\nSHA1: e437221542112affc30e036921e4395b72fe6504\r\nsupermicro_bt\r\nSHA256: 652ee7b470c393c1de1dfdcd8cb834ff0dd23c93646739f1f475f71a6c138edd\r\nSHA1: 5b231b4d834220bf378d1a64c15cc04eca6ddaf6\r\nsupermicro_cr_third (obfuscated)\r\nSHA256: 9f99cf2bdf2e5dbd2ccc3c09ddcc2b4cba11a860b7e74c17a1cdea6910737b11\r\nSHA1: 1bea1c2715f44fbfe38c80d333dfa5a28921cefb\r\nsupermicro_cr_third (deobfuscated)\r\nSHA256: 654d19620d48ff1f00a4d91566e705912d515c17d7615d0625f6b4ace80f8e3a\r\nSHA1: 83881c44a41f35a054513a4fa68306183100e73b\r\ncrypt3.sh\r\nSHA256: 0243ac9f6148098de0b5f215c6e9802663284432492d29f7443a5dc36cb9aab5\r\nSHA1: 919b574a4d000161e52d57b827976b6d9388b33f\r\ncrypt2_first.sh\r\nSHA256: e380c4b48cec730db1e32cc6a5bea752549bf0b1fb5e7d4a20776ef4f39a8842\r\nSHA1: 215d777140728b748fc264ef203ebd27b2388666\r\nbt_install.sh\r\nSHA256: fdd8c27495fbaa855603df4f774fe86bbc21743f59fd039f734feb07704805bd\r\nSHA1: 45b57869e3857b50c1d794baba6ceca2641a7cfa\r\nMITRE ATT\u0026CK\r\nT1027 Obfuscated Files or Information\r\nT1202 Indirect Command Execution\r\nT1082 System Information Discovery\r\nT1083 File and Directory Discovery (System Object Enumeration)\r\nT1486 Data Encrypted for Impact\r\nT1059.004 Command and Scripting Interpreter: Unix Shell\r\nT1059 Command and Scripting Interpreter\r\nT1014 Rootkits\r\nT1548 Abuse Elevation Control Mechanism\r\nT1543.002 Create or Modify System Process: Systemd Service\r\nSource: https://www.sentinelone.com/blog/darkradiation-abusing-bash-for-linux-and-docker-container-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.sentinelone.com/blog/darkradiation-abusing-bash-for-linux-and-docker-container-ransomware/"
	],
	"report_names": [
		"darkradiation-abusing-bash-for-linux-and-docker-container-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434558,
	"ts_updated_at": 1775791265,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/90accc3c59c5dcff8bfd6cb9ba2e1e102cb5b29d.pdf",
		"text": "https://archive.orkl.eu/90accc3c59c5dcff8bfd6cb9ba2e1e102cb5b29d.txt",
		"img": "https://archive.orkl.eu/90accc3c59c5dcff8bfd6cb9ba2e1e102cb5b29d.jpg"
	}
}