{
	"id": "c89d5406-26cb-4371-8f64-e7ed4a4904e5",
	"created_at": "2026-04-10T03:21:29.340609Z",
	"updated_at": "2026-04-10T03:22:17.651895Z",
	"deleted_at": null,
	"sha1_hash": "ce28408ce0f8dc0da9dac14927ffc302ee26cf66",
	"title": "The Platform Matters: A Comparative Study on Linux and Windows Ransomware Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 153513,
	"plain_text": "The Platform Matters: A Comparative Study on Linux and\r\nWindows Ransomware Attacks\r\nBy etal\r\nPublished: 2023-11-21 · Archived: 2026-04-10 02:51:54 UTC\r\nResearch by: Marc Salinas Fernandez\r\nKey Points\r\nCheck Point Research (CPR) provides a case study of some of the most recent ransomware attacks\r\ntargeting Linux systems and ESXi systems which have been increasing over the last few years.\r\nAlthough we have long been aware of similar ransomware threats in Windows environments, the versions\r\ntargeting Linux are still relatively simpler.\r\nThe release of Babuk’s source code in 2021 has clearly facilitated the emergence of a multitude of\r\nransomware families.\r\nMany of the families that target Linux heavily utilize the OpenSSL library along with ChaCha20/RSA and\r\nAES/RSA algorithms.\r\nIntroduction\r\nDuring the last few months, we conducted a study of some of the top ransomware families (12 in total) that either\r\ndirectly developed ransomware for Linux systems or were developed in languages with a strong cross-platform\r\ncomponent, such as Golang or Rust, thereby allowing them to be compiled for both Windows and Linux\r\nindiscriminately.\r\nOur main objectives were to increase our understanding of the main motivations for developing ransomware\r\ntargeting Linux instead of Windows systems, which historically have been the main target until now. 
We also tried\r\nto identify the main similarities and differences between the ransomware developed by these families and compare\r\nthem to the ransomware developed for Microsoft systems.\r\nBrief History\r\nTo compare the ransomware families developed for Linux and those targeting Windows, we first need to look at\r\nthe historical evolution of both systems.\r\nFigure 1 – Linux ransomware families.\r\nFigure 2 – Windows ransomware families.\r\nhttps://research.checkpoint.com/2023/the-platform-matters-a-comparative-study-on-linux-and-windows-ransomware-attacks/\r\nPage 1 of 24\r\nTo begin with, we should note that the first attributable ransomware sample (albeit in a very early stage) dates\r\nback to 1989. This threat, known as AIDS, was propagated through floppy disks and targeted MS-DOS systems.\r\nIt was not until GPCode in 2004 that we started to see the first malware families that truly resembled what we are\r\nused to seeing today when we talk about ransomware. All these families focused on Windows environments, and\r\nthe ransomware threat soon started to evolve, with improved encryption schemes, as seen in Archiveus in\r\n2006, or the appearance of Reveton in 2012 as the first RaaS.\r\nIt was not until 2015, with Linux.Encoder.1, that we began to see ransomware families focused specifically on\r\nLinux. By this time, these threats were already highly developed for Windows systems. Despite the level of\r\nmaturity that these threats show in Windows, the reality is that in many aspects this has not translated into a direct\r\ntransfer of all these capabilities to Linux. Instead, we have been seeing these threats undergo the same stages\r\nof evolution on these other systems.\r\nIn fact, although there was already ransomware for Linux in 2015, it remained relatively insignificant until the last\r\nfew years, when we began to see a huge proliferation of these threats. 
Starting in 2020 and continuing through to\r\nthe present, we have observed a worrying increase in attackers’ interest in these systems, with the\r\nappearance of Linux versions of the major RaaS and cross-platform samples developed in languages such as\r\nGolang or Rust.\r\nTechnical overview\r\nOf the families currently targeting Linux-based operating systems, we analyzed some of the most recent ones:\r\nMaori\r\nCl0p\r\nCylance\r\nRoyal\r\nViceSociety\r\nIceFire\r\nBlackCat\r\nESXiArgs\r\nRorschach\r\nMonti\r\nLockBit\r\nGwisinLocker\r\nOne of the first things we noticed in the samples we analyzed is the extent to which the tool itself is simplified in\r\nmany cases, leaving only minimal capabilities and content within the binary, and in some cases reducing them to\r\nonly the file encryption code. This leaves the sample very dependent on external configurations, scripts or\r\ncommand lines to configure its targets. One of the most notable examples is Cl0p, which only has the encryption\r\ncapability, and the only parameter it supports is a path to encrypt.\r\nIn the ransomware family named “ESXiArgs” the binary itself does not even have the RSA public key embedded\r\nbut needs the path to a file containing the key as a parameter so it can carry out the encryption. This sample\r\ndoesn’t even have the ability to encrypt a whole directory; the attacker has to iterate over every file with a script\r\nexecuting the encryptor. 
In fact, the malware was named after the TTPs of the actors that deploy it, which are strongly oriented towards\r\nESXi hosts, although the capabilities of the binary itself are entirely generic.\r\nMany of the Linux-oriented ransomware families have so little logic apart from the encryption capacity that detecting\r\nthem can be challenging, as all their code is based on the same crypto code that many legitimate applications\r\nmay contain. A communication protocol with a server, the execution of some commands to prepare the system for\r\nthe encryption, the ability to create some kind of persistence (found in many of the most active Windows\r\nfamilies), or even an embedded configuration are, in many cases, anomalous elements that could enable\r\nmore elaborate detections of the malware, but which do not exist in most of these ransomware families.\r\nOf course, there are some exceptions, such as BlackCat, which is a cross-platform sample and has Windows-specific functionality such as deleting shadow copies or searching for shared folders, or GwisinLocker, which\r\nhas an embedded encrypted configuration that allows it to work without parameters and act more\r\nindependently.\r\nThe primary and most notable motivation is undoubtedly the special interest in ESXi virtualization systems. This\r\nmakes a lot of sense: by attacking these systems, the attackers can greatly impact multiple services and\r\nmachines (all virtualized using this technology) by focusing only on the ESXi server instead of trying to pivot to\r\nseveral different computers and servers running Windows. 
This is probably why the vast majority of the Linux-targeting ransomware families, despite having very few capabilities apart from the encryption itself, tend to run\r\nspecific commands aimed at interacting with ESXi systems, in particular:\r\nFigure 3 – Subset diagram on Linux ransomware families.\r\nIt is important to point out that since ESXi systems are not exactly the same as Linux systems, the different\r\nsamples released contain the necessary libraries statically linked so that they can run independently on both\r\nsystems. We have also found samples of the same family compiled specifically for each of the different systems.\r\nA very common pattern in all Linux-centric families is that they tend to focus on specific technologies, which are\r\nlinked mainly to the main infection path for this type of threat on these systems. Unlike what we are accustomed to\r\nin families that target Windows, such as Ryuk or REvil, whose intrusions are often initiated through phishing\r\ncampaigns to many users, one of the most common infection chains for Linux is exploiting a vulnerability in some\r\nexposed service of the victim’s servers. This is also true for vulnerabilities in ESXi, but there are also other cases,\r\nsuch as IceFire, which exploits a vulnerability in IBM Aspera Faspex (CVE-2022-47986), or Cl0p, whose Linux\r\nversion has among its target directories several paths related to Oracle databases along with the generic ones of a\r\nLinux system.\r\nInfection Vector\r\nIn the Windows environment, ransomware actors employ a wide range of infection vectors to breach systems.\r\nMany of the most aggressive Windows-targeting ransomware reach the victim’s infrastructure via phishing\r\nemails containing malicious attachments (commonly using macros inside documents) or links. 
For\r\nexample, Emotet was often the initial payload delivered, and the full infection of the victim’s infrastructure ended\r\nwith the deployment of a Ryuk or Sodinokibi (REvil) sample.\r\nAlong with phishing emails, in the past the use of exploit kits like Rig and Magnitude to exploit vulnerabilities in\r\nsoftware such as browsers or plugins led to ransomware execution (much less common these days).\r\nAnother common infection vector is the exploitation or brute-forcing of Remote Desktop Protocol (RDP) servers\r\nexposed to the internet.\r\nIf we try to perform this same analysis with respect to ransomware families developed for Linux systems, we can\r\nquickly see how the scenario changes. Many of these systems are deployed for the purpose of running services\r\nthat are exposed to the Internet, and vulnerabilities in those services turn out to be particularly critical, as\r\nthey can allow access to an organization’s network.\r\nThe exploitation of vulnerabilities found on exposed services is one of ransomware’s main means of infection.\r\nIt is worth noting that the kill chain in these cases often involves the deployment of a webshell that ends up being\r\nthe tool that initially allows them to access and take control of the server in question.\r\nGaining access with stolen credentials, for example, using SSH, is another growing area. 
Credentials are often\r\nstolen as the result of leaks caused by other malware infections or as a result of lateral movement by the same\r\nintrusion that involves the entire network of Windows systems.\r\nIn these cases, detection within Linux systems is very complicated, as attackers often use internal system accounts\r\nand legitimate tools to access systems instead of backdoors, with a very similar impact to the use of LOLBins on\r\nWindows systems.\r\nAnother common entry to Linux systems is similar to what happens in Windows systems with the RDP service:\r\nthe scanning of different exposed services, and the subsequent brute force attacks trying to gain access to the\r\nservers through weak credentials. This is a much “noisier” technique, but still effective, and is becoming difficult\r\nto identify since the access is through legitimate credentials obtained from the exposed service itself.\r\nIt is interesting to note that, if we focus on all the common infection vectors for Linux servers, each pattern targets\r\nexposed servers and critical services. Once again, we can see that the Linux-targeting ransomware attacks are\r\nmuch more focused on organizations and companies than on general users.\r\nCode Reuse\r\nAs in many malware families of other types of threats (like Mirai or Quasar), as soon as the source code of a\r\nsuccessful threat is published, other opportunistic groups rapidly appear and try to take advantage of this code to\r\ncreate their own tools through small (and in some cases not so small) modifications. 
In the case of Linux\r\nransomware, the most notable is Babuk ransomware, from which we can find, among many others,\r\nthe Cylance or Rorschach samples.\r\nFigure 4 – Code overlaps on Babuk based families\r\nThe downside is that many actors with fewer resources or less technical capacity quickly obtain a functional tool;\r\nthe upside is that, in many cases, detection of the original tool also covers the sub-families that\r\nappear from the same source code.\r\nPersistence in the system\r\nPersistence is not as big a factor in ransomware as it is in other types of threats because once the victim’s files and\r\ndirectories are encrypted, another execution in the same system is largely meaningless. However, the kill chain of\r\nthis type of malware has indeed evolved greatly, especially in Windows environments, as the aim is not to encrypt\r\na single computer but to spread to others. In most cases, the attackers’ objective is to compromise the entire\r\ninfrastructure bit by bit. Once they have taken control, the entire AD forest is encrypted, for example, by means of\r\na GPO, or the most critical computers are encrypted to increase the attackers’ chances of receiving the ransom\r\npayment.\r\nPrior to the execution of the ransomware, a whole series of threats and tools that allow the attackers to access the\r\nsystems is executed. These do require persistence as the compromise of the entire infrastructure can take a long\r\ntime. However, while this is the most common scenario, there are cases where the threat itself has its own ability\r\nto establish persistence.\r\nIn Windows environments, ransomware achieves persistence through various means. 
The most notable examples\r\ninclude registry manipulation, as in the case of WannaCry and Ryuk, which ensures their payloads execute\r\nduring system startup, along with the use of scheduled tasks, as in the case of many threat actors\r\nbehind Sodinokibi (REvil), which leveraged the Windows Task Scheduler to create malicious tasks, ensuring\r\nransomware execution at regular intervals.\r\nAnother common way of gaining persistence on Windows systems is service creation, which is the most\r\nrestrictive as it requires administrator permissions on the victim’s computer, but is one of the most commonly used\r\nin more advanced stages of infection in which the attackers have already obtained the necessary credentials and have\r\nsome control over the infrastructure.\r\nIn ESXi and Linux systems it is much less common to see ransomware employing many of the known methods\r\nfor persistence usually exploited by other kinds of threats. After access, the vulnerable server is directly encrypted\r\nand, in many cases, such as LockBit, ESXiArgs, BlackCat, or Gwisin, the malware has the ability to self-delete\r\nafter execution.\r\nThe deployment of webshells as part of the infection process should also be considered a form of\r\npersistence. The webshells act as backdoors and allow the actors to maintain access to these servers after reboots\r\nor changes of any kind. In scenarios where servers are accessed through lateral movement during a more complex\r\ncompromise, persistence is mostly reduced to the creation of user accounts or the exfiltration of\r\noriginal server credentials, which allows the attackers to maintain access through legitimate services such as\r\nSSH.\r\nFinally, given the clear evolution of incidents related to Linux systems compared to Windows systems, sooner or\r\nlater the deployment of backdoors such as Merlin or Poseidon, like what is now happening on Windows with\r\nCobalt Strike, will become more common. 
Therefore, attackers will need to adopt techniques more similar\r\nto those we see in Windows systems, such as cron jobs (the equivalent of the Windows Task Scheduler) or\r\nexecution as daemons (the equivalent of Windows services), to gain persistence.\r\nPrimary Objectives\r\nIn the area of victim typology and targets of Linux-oriented ransomware, we see some of the biggest differences\r\nwith respect to their Windows counterparts. First of all, we must take into account the context in which each of\r\nthese systems is found. Windows is more prevalent on personal computers for individuals and on user workstations\r\nfor most organizations. However, in the field of servers, the situation is not so clear, especially for certain types of\r\ndeployments where Linux is often the only effective option.\r\nThis means that just as we can easily find multiple ransomware families for Windows focused on individuals and\r\nendpoints, this is a lot less common for Linux systems. Ransomware targeting Linux is much more clearly\r\noriented towards exposed servers or servers on the internal network that are reached by pivoting from infections\r\ninitiated on Windows machines.\r\nAs a result, Linux ransomware is clearly aimed at medium and large organizations compared to Windows\r\nthreats, which are much more general in nature.\r\nIn the same way, the internal structure of both systems also causes differences in how attackers approach the\r\nselection of folders and files to encrypt. 
We can find listings in many Linux-oriented samples that aim to avoid\r\ndirectories such as /boot, /etc, or /sys that could cause the system to become corrupted, just as we are used to\r\nseeing Windows malware avoiding the equivalent Windows system directories.\r\nIn the absence of a configuration within Windows malware that contains targets, it indiscriminately traverses all\r\nthe system disks. In Linux malware, it is much more common to find threats completely dependent on a\r\nparameter or configuration that provides one or more target directories, without which the threat does not\r\nexecute. Some examples of this include Royal, Monti, Cylance or LockBit.\r\nThe different role of extensions in Linux and Windows also generates somewhat curious behavior\r\nfrom attackers. One such case is Cl0p, which looks for the character “.” in a name in an attempt to distinguish files from folders.\r\nThis works well on Windows, where almost every file carries an extension, but does not necessarily work well on Linux, given how little\r\nrelevance extensions have on this system.\r\nFigure 5 – Usage of “.” for extensions by Cl0p ransomware\r\nIn any case, although many of them are completely dependent on a parameter at least indicating a path to encrypt,\r\nit is not present in all families, and for other samples, it is a remarkable fact that apart from very specific cases for\r\npaths related to ESXi or Cl0p with the Oracle paths /u01, /u02, /u03 and /u04, the /home and /root folders are\r\nthe most recurrent in configurations, followed by /opt, which appears in certain cases.\r\nExfiltration\r\nIn Linux, exfiltration is usually connected to the infection vector. 
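Returning to the target-selection discussion above: the dot-based file test and the directory exclusion list, as an added example (not code from the original page or from any of the samples). This Python script reconstructs the heuristic from the description, builds a constructed home/opt tree in a temporary directory, and reports which entries the heuristic gets wrong. The exclusion list extends the page's /boot, /etc and /sys with /dev and /proc, which the IceFire strings in the YARA section also skip; the tree contents are made up.

```python
import os
import posixpath
import tempfile

# Directories the page reports Linux-oriented samples skip to avoid breaking the host.
# /dev and /proc are added here because the IceFire strings later on the page skip them too.
EXCLUDED_DIRS = ('/boot', '/dev', '/etc', '/proc', '/sys')


def is_excluded(path):
    '''True if path is, or lies under, one of the skipped system directories.
    normpath collapses .. segments first; matching on the separator keeps
    /etc from also swallowing /etcetera.'''
    norm = posixpath.normpath(path)
    return any(norm == d or norm.startswith(d + '/') for d in EXCLUDED_DIRS)


def dot_heuristic_is_file(name):
    '''The Cl0p-style test as the page describes it: a name containing a dot is
    treated as a file, anything else as a folder. No stat() call is made.'''
    return '.' in posixpath.basename(name)


def audit_heuristic(root):
    '''Walk root and compare the dot heuristic with the real inode type.
    Returns the relative paths it gets wrong: regular files it would skip
    (no dot) and directories it would try to treat as files (dot present).'''
    missed_files = []
    phantom_files = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            if dot_heuristic_is_file(name):
                phantom_files.append(os.path.relpath(os.path.join(dirpath, name), root))
        for name in filenames:
            if not dot_heuristic_is_file(name):
                missed_files.append(os.path.relpath(os.path.join(dirpath, name), root))
    return {'missed_files': sorted(missed_files), 'phantom_files': sorted(phantom_files)}


def build_sample_tree():
    '''Constructed home/opt layout with typical Linux names; no real user data.'''
    root = tempfile.mkdtemp(prefix='dot-heuristic-')
    dirs = ['home/user/.config', 'home/user/.ssh', 'home/user/project.git',
            'home/user/Documents', 'opt/app']
    files = ['home/user/.bashrc', 'home/user/README', 'home/user/Makefile',
             'home/user/.ssh/id_rsa', 'home/user/.ssh/id_rsa.pub',
             'home/user/.config/app.conf', 'home/user/Documents/report.docx',
             'opt/app/server']
    for d in dirs:
        os.makedirs(os.path.join(root, d), exist_ok=True)
    for f in files:
        with open(os.path.join(root, f), 'w') as fh:
            fh.write('sample')
    return root


if __name__ == '__main__':
    report = audit_heuristic(build_sample_tree())
    print('regular files the heuristic would skip:', report['missed_files'])
    print('directories it would treat as files:', report['phantom_files'])
```

On the constructed tree the heuristic skips README, Makefile, the private SSH key and an extension-less service binary, while flagging .config, .ssh and project.git as files; a defender reviewing an incident on a Linux host should therefore not assume that every file under a targeted directory was touched.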
In cases where the infection occurred using\r\nstolen credentials, access is generally gained using legitimate tools such as the SSH service, which at the same\r\ntime allows all types of information to be extracted from the servers without the need to deploy other tools.\r\nLikewise, in many scenarios in which the exploitation of a vulnerability to gain access to servers is linked to the\r\ndeployment of a webshell, something similar occurs, as the majority of webshells, along with the ability to\r\nexecute Linux commands, have their own capabilities for uploading and downloading files from the victim\r\nserver. Therefore, they are often also used as a tool to carry out exfiltration.\r\nIn Windows systems, the use of RDP, WinSCP, or RClone could be compared to the use of SSH or other legitimate\r\ntools such as curl or wget in Linux. Something very common in Windows, and not so common in Linux, is the\r\nuse of more complex threats such as the past Trickbot or Emotet, or the use of Cobalt Strike or other post-exploitation frameworks for this purpose. As we suggested in our discussion of persistence, it is very likely that as\r\nransomware samples mature, the TTPs of the actors will also mature, and we will end up seeing this scenario in\r\nLinux with the use of backdoors such as Merlin or Poseidon.\r\nIt is worth noting that this aspect is becoming highly relevant. Ransomware groups have been exploiting double\r\nextortion for some time now, since they not only hijack files but also threaten to expose their victims’ sensitive\r\ninformation on their leak sites. 
In fact, several prominent groups, such as Cl0p, have already carried out\r\ncampaigns in which they have directly skipped the encryption tool to focus solely on the theft of information\r\nfor subsequent extortion.\r\nImpact on the system\r\nDuring a ransomware incident, one of the critical points, both at the detection and forensic level, is the impact of\r\nthe attackers on the system beyond the encryption itself. In Windows environments, we are very used to tight\r\nmonitoring of commands aimed at deleting shadow copies, disabling backups in general, and attempting to\r\ndisable or bypass security tools. The execution of commands aimed at shutting down target services, such as\r\ndatabases, is relatively common as well, as this allows the threat to encrypt most of the critical files, thereby\r\nincreasing the pressure on the victim to pay the ransom.\r\nIn Linux systems, the concern for backups as well as the shutdown of security tools is not yet as common as it is\r\nwith Windows. However, we can find some elements that impact the system and can help with early detection if\r\nproper monitoring is maintained. The first example, which is also common in Windows environments, is a mutex,\r\ncreated by many threats before starting the encryption to avoid simultaneous executions that can corrupt files\r\nbeyond recovery. 
In the same way that generating a certain specific mutex in Windows acts as a\r\n“vaccine” for some families, in Linux we have samples such as LockBit, which by default generates a file called\r\n/tmp/locker.pid that, if it is already present on the system at the time of execution, causes the immediate termination\r\nof the process (regardless of whether the process that previously generated it was the ransomware itself).\r\nSimilar to what happens in Windows, some families generate less predictable files, as in the case of Gwisin, whose\r\nmutex file name is much more random: /tmp/.66486f04-bf24-4f5e-ae16-0af0fdb3d8fe.\r\nA much simpler and less effective version when it comes to detection are the log files. It is not uncommon to find\r\nsamples from real campaigns that, during encryption, generate files with debug information, such\r\nas HelloKitty ransomware or Monti, which generate work.log and result.txt files respectively, with information\r\non their execution and encryption, and whose internal strings are very characteristic of both families. However, it\r\nshould be noted that the existence of these files does not prevent their execution, as occurs with the\r\nmutex.\r\nWith respect to the execution of commands that can be monitored, the only really noteworthy case is the one\r\nconcerning virtualization on ESXi systems. As we discussed previously, most Linux-oriented ransomware samples\r\nhave an ESXi version or are compiled in such a way that they are directly compatible. 
This is why obtaining the\r\nlist of running machines as well as the ability to stop them to allow encryption is really common in these samples.\r\nSome examples of this include the Royal ransomware:\r\nFigure 6 – ESXi commands embedded in Royal ransomware\r\nMonti ransomware:\r\nFigure 7 – ESXi commands embedded in Monti ransomware\r\nor Gwisin and BlackCat ransomware:\r\nesxcli --formatter=csv --format-param=fields==\"DisplayName,WorldID\" vm process list\r\nesxcli vm process kill --type=force --world-id=\r\nesxcli --formatter=csv --format-param=fields==\"WorldID,DisplayName\" vm process list\r\nesxcli vm process kill --type=force --world-id=\r\nThe monitoring of this type of execution can be of real interest, as if it occurs, it is moments before the\r\nencryption, which allows us to anticipate the encryption, and possibly detect and act upon it in time.\r\nCryptographic Scheme\r\nFinally, we have the core part of this type of threat, i.e., the crypto that comes into play for each ransomware\r\nthreat. 
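Before moving on to cryptography, the esxcli enumerate-then-kill sequence quoted under Impact on the system is worth turning into a concrete detection. The following is an added example (not code from the original page or from any of the samples): a small Python detector run over constructed shell-audit records. It scores a VM kill higher when the same user listed VMs shortly before, and raises a critical alert once kills by one user pile up inside the window, since the samples above issue one kill per running VM. The records, world IDs and the /tmp/encrypt path are all made up.

```python
import re
from datetime import datetime, timedelta

# The two esxcli invocations that appear in the samples quoted above. Any --type
# is accepted because the legitimate command also offers soft and hard kills.
LIST_RE = re.compile(r'^esxcli .*vm +process +list')
KILL_RE = re.compile(r'^esxcli .*vm +process +kill')

# Constructed shell-audit records (timestamp, user, command), oldest first.
# Not real telemetry; the world IDs and the /tmp/encrypt path are made up.
SAMPLE_EVENTS = [
    ('2023-11-20T02:10:00', 'admin', 'esxcli vm process list'),
    ('2023-11-20T02:10:30', 'admin', 'esxcli storage filesystem list'),
    ('2023-11-20T03:14:02', 'root', 'esxcli --formatter=csv --format-param=fields==DisplayName,WorldID vm process list'),
    ('2023-11-20T03:14:05', 'root', 'esxcli vm process kill --type=force --world-id=2101024'),
    ('2023-11-20T03:14:06', 'root', 'esxcli vm process kill --type=force --world-id=2101077'),
    ('2023-11-20T03:14:07', 'root', 'esxcli vm process kill --type=force --world-id=2101130'),
    ('2023-11-20T03:14:09', 'root', '/tmp/encrypt /vmfs/volumes/datastore1/'),
]


def parse_ts(value):
    return datetime.strptime(value, '%Y-%m-%dT%H:%M:%S')


def detect_vm_kill_sequence(events, window_seconds=300, mass_kill_threshold=3):
    '''Return one alert per VM kill, scored higher when the same user enumerated
    VMs inside the window first, plus a critical alert when kills by one user
    reach mass_kill_threshold inside the window.'''
    window = timedelta(seconds=window_seconds)
    last_list = {}   # user -> time of the most recent 'vm process list'
    kills = {}       # user -> kill times still inside the window
    alerts = []
    for ts_text, user, command in events:
        ts = parse_ts(ts_text)
        cmd = command.strip()
        if LIST_RE.search(cmd):
            last_list[user] = ts
            continue
        if not KILL_RE.search(cmd):
            continue
        enumerated = user in last_list and ts - last_list[user] <= window
        alerts.append({
            'rule': 'esxi_vm_kill_after_enumeration' if enumerated else 'esxi_vm_kill',
            'severity': 'high' if enumerated else 'medium',
            'user': user, 'time': ts_text, 'command': cmd,
        })
        recent = [t for t in kills.get(user, []) if ts - t <= window] + [ts]
        kills[user] = recent
        if len(recent) == mass_kill_threshold:
            alerts.append({'rule': 'esxi_mass_vm_kill', 'severity': 'critical',
                           'user': user, 'time': ts_text, 'kills_in_window': len(recent)})
    return alerts


if __name__ == '__main__':
    for alert in detect_vm_kill_sequence(SAMPLE_EVENTS):
        print(alert['severity'], alert['rule'], alert['user'], alert['time'])
```

The window and threshold are tuning knobs: an administrator stopping one hung VM after listing them should stay at medium or high for review, while three or more forced kills within a few minutes by one account is the pattern that precedes encryption and deserves an automatic response.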
In Windows, we are very used to seeing how in some cases, like Conti, the cryptographic work is delegated to the\r\nWindows APIs themselves. In many others, the malware uses different crypto libraries such as Crypto++\r\n(e.g., PYSA ransomware), mbedtls (e.g., Petya) and libgcrypt (e.g., Moneybird).\r\nAmong the samples for Linux systems, it is much simpler, as the use of the OpenSSL library to perform all crypto\r\ntasks predominates in almost half of the samples. In fact, several of the most well-known families have this library\r\nstatically linked in the binary itself, representing more than 50% of the threat code. There are still some edge cases\r\nwhere the malware is developed in Golang or Rust, where the native libraries/modules for each language\r\npredominate.\r\nIn terms of algorithms, on Windows it gets a bit more difficult to observe patterns, since there are many different\r\nalgorithms used among the huge variety of known families, although ChaCha20 and RSA slightly predominate over\r\nthe rest. When more uncommon libraries or algorithms are used, it often ends in design flaws in the threat, with\r\na public decryptor as the consequence.\r\nUnsurprisingly, a smaller number of variants can be found in the Linux world. The majority of these samples\r\nprimarily rely on AES for encryption, with ChaCha20 being the most common alternative in several families. As\r\nfor asymmetric algorithms, RSA takes precedence in the vast majority of cases, occupying its usual secondary\r\nrole of protecting the symmetric keys.\r\nAs in all the above points, there are exceptions. ESXiArgs employs Sosemanuk for symmetric encryption, while\r\nthe “smartest” of them, Cl0p, employs RC4 with an embedded key at the point where asymmetric encryption is\r\ntypically utilized. 
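To make the Cl0p weakness concrete, here is an added example (not code from the original page and not Cl0p's actual routine): a Python sketch of the structure the text describes, a per-file key wrapped with RC4 under a constant embedded in the binary, followed by the decryptor that needs nothing but that constant. The master key, the file-key length and the sample document are assumptions for illustration. A sound design wraps the file key with the attacker's RSA public key at the same point, so that the private key, and therefore the attacker, is required to undo it.

```python
import os

# Hypothetical stand-in for the constant a sample carries in its binary; not Cl0p's key.
EMBEDDED_MASTER_KEY = b'hypothetical-master-key-pulled-from-binary'
FILE_KEY_LEN = 16  # assumed per-file key size


def rc4(key, data):
    '''Plain RC4: key scheduling, then keystream XOR. Symmetric, so the same
    call both encrypts and decrypts.'''
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xff
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xff
        j = (j + s[i]) & 0xff
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xff])
    return bytes(out)


def encrypt_like_sample(plaintext):
    '''A fresh random key per file, the data under RC4, and the file key wrapped
    with RC4 under the embedded constant and appended. The wrap is the step
    where a sound design would use the attacker-held RSA public key instead.'''
    file_key = os.urandom(FILE_KEY_LEN)
    return rc4(file_key, plaintext) + rc4(EMBEDDED_MASTER_KEY, file_key)


def recover(blob, master_key_from_binary):
    '''Decryptor that needs nothing beyond the constant read out of the sample:
    unwrap the per-file key, then decrypt the body with it.'''
    body, wrapped = blob[:-FILE_KEY_LEN], blob[-FILE_KEY_LEN:]
    file_key = rc4(master_key_from_binary, wrapped)
    return rc4(file_key, body)


if __name__ == '__main__':
    document = b'constructed sample document body'
    blob = encrypt_like_sample(document)
    print('recovered:', recover(blob, EMBEDDED_MASTER_KEY) == document)
```

With an RSA wrap, recover() could not be written this way: the unwrap step would need the attacker's private key, which is exactly what the victim is asked to pay for. With RC4 and a constant, the key is recovered from the binary once and every file encrypted by that build is decryptable.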
This approach renders file decryption trivial without the need for payment.\r\nAt the end of the day, threat actors, especially in this field, prioritize efficiency, because the faster the threat is able\r\nto cover all the target files, the fewer options are available for defense. Reliability is the second consideration, and\r\ntherefore they use robust libraries and algorithms to reduce the number of design flaws that may allow security\r\nresearchers to break their encryption. These two factors cause the different actors to create relatively uniform\r\ntools, which helps us gain insight into the tools and priorities used, which in turn enables us to more easily detect\r\nthis type of threat.\r\nConclusions\r\nOur analysis of various Linux-targeting ransomware families reveals an interesting trend towards simplification,\r\nwhere their core functionalities are often reduced to just basic encryption processes, thereby leaving the rest of the\r\nwork to scripts and legitimate system tools. This minimalist approach not only renders them heavily reliant on\r\nexternal configurations and scripts but also makes them more difficult to detect.\r\nOur research also showed some of the distinctive strategies among ransomware families, with a clear focus on\r\nESXi systems but with other technologies too. The ransomware main entry vectors are vulnerabilities in exposed\r\nservices, which in some cases are precisely the most relevant services and, therefore, the main targets for this type\r\nof threat.\r\nComparing the ransomware encryption techniques between Windows systems and Linux, the malware families\r\nthat target Linux favor OpenSSL as the main library used and AES as a common encryption cornerstone, with\r\nRSA serving as the primary asymmetric choice. 
All of this provides a relative uniformity of tools among the\r\ndifferent threat actors.\r\nCheck Point customers remain protected against the threats covered by this research while using Check\r\nPoint Harmony Endpoint and Threat Emulation, which provide comprehensive coverage of attack tactics\r\nand file types.\r\nRansomware.Wins.HelloKitty.ta.D\r\nRansomware.Wins.GwisinLocker.ta.A\r\nRansomware.Wins.Clop.ta.I\r\nRansomware.Wins.Royal.ta.B\r\nRansomware.Wins.IceFire.ta.A\r\nRansomware.Wins.Monti.ta.A\r\nRansomware.Wins.ESXi.ta.B\r\nRansomware.Wins.Babuk.ta.A\r\nRansomware.Wins.LockBit.ta.AK\r\nRansomware.Wins.BlackCat.ta.M\r\nRansomware_Linux_BlackCat_A, Ransomware_Linux_BlackCat_B\r\nRansomware_Linux_Maori_A, Ransomware_Linux_Maori_B\r\nRansomware_Linux_Clop_A, Ransomware_Linux_Clop_B\r\nRansomware_Linux_Cylance_A, Ransomware_Linux_Cylance_B\r\nRansomware_Linux_Royal_A, Ransomware_Linux_Royal_B\r\nRansomware_Linux_ViceSociety_A, Ransomware_Linux_ViceSociety_B\r\nRansomware_Linux_IceFire_A, Ransomware_Linux_IceFire_B\r\nRansomware_Linux_Esxiargs_A, Ransomware_Linux_Esxiargs_B\r\nRansomware_Linux_Monti_A, Ransomware_Linux_Monti_B\r\nRansomware_Linux_Lockbit_E, Ransomware_Linux_Lockbit_F\r\nRansomware_Linux_GwisinLocker_A, Ransomware_Linux_GwisinLocker_B\r\nRansomware_Linux_Babuk_A, Ransomware_Linux_Babuk_B\r\nRansomware_Linux_HelloKitty_C, Ransomware_Linux_HelloKitty_D\r\nYara rules\r\nrule linux_Babuk_ransomware {\r\n    meta:\r\n        author = \"Marc Salinas @ CheckPoint Research\"\r\n        description = \"Detects samples of the Linux ransomware family Babuk\"\r\n        malware_family = \"Babuk\"\r\n        date = \"09/08/2023\"\r\n        hash1 = \"b711579e33b0df2143c7cb61246233c7f9b4d53db6a048427a58c0295d8daf1c\"\r\n        hash2 = 
\"d1ba6260e2c6bf82be1d6815e19a1128aa0880f162a0691f667061c8fe8f1b2c\"\r\n    strings:\r\n        $str1 = \"Statistic:\"\r\n        $str2 = \"Encrypted files: %d\"\r\n        $str3 = \"Usage: %s /path/to/be/encrypted\"\r\n        $bablock1 = \".x1x2x3\"\r\n        $bablock2 = \"/_r_e_a_d_m_e.txt\"\r\n        $cylance1 = \".Cylance\"\r\n        $cylance2 = \"CYLANCE_README.txt\"\r\n        $orig1 = \"How To Restore Your Files.txt\"\r\n        $orig2 = \".babyk\"\r\n    condition:\r\n        uint32(0) == 0x464c457f and (all of ($str*) or all of ($cylance*) or all of ($bablock*) or all of ($orig*))\r\n}\r\nrule linux_ESXi_ransomware {\r\n    meta:\r\n        author = \"Marc Salinas @ CheckPoint Research\"\r\n        description = \"Detects samples of the Linux ransomware family ESXi\"\r\n        malware_family = \"ESXi\"\r\n        date = \"09/08/2023\"\r\n        hash1 = \"11b1b2375d9d840912cfd1f0d0d04d93ed0cddb0ae4ddb550a5b62cd044d6b66\"\r\n    strings:\r\n        $usage = \"usage: encrypt <public_key> <file_to_encrypt> [<enc_step>] [<enc_size>] [<file_size>]\"\r\n        $coms1 = \"init_libssl returned %d\\n\"\r\n        $coms2 = \"encrypt_file\"\r\n        $coms3 = \"encrypt_simple\"\r\n        $coms4 = \"lseek [start]\"\r\n        $cde1 = {48 8B 85 80 FD FF FF 48 01 85 50 FF FF FF 48 8B 8D 38 FF FF FF C7 85 28 FD FF FF 67 66 66 66\r\n                 C7 85 2C FD FF FF 66 66 66 66 48 8B 85 28 FD FF FF 48 F7 E9 48 C1 FA 02 48 89 C8 48 C1 F8 3F 48 89 D3\r\n                 48 29 C3 48 89 9D 40 FD FF FF 48 8B 85 40 FD FF FF 48 C1 E0 02 48 03 85 40 FD FF FF 48 01 C0 48 89 CA\r\n                 48 29 C2 48 89 95 40 FD FF FF 48 83 BD 40 FD FF FF 00}\r\n        $cde2 = {48 8B 85 30 FD FF FF 48 D1 E8 48 8B 95 30 FD FF FF 83 E2 01 48 09 D0 F2 48 0F 2A C0 66 0F 28\r\n                 C8 F2 0F 58 C8 F2 0F 11 8D 48 FD FF FF}\r\n        $cde3 = {F2 0F 10 05 15 6F 00 00 F2 0F 59 85 48 FD FF FF F2 0F 11 85 28 FF FF FF 48 8B 85 48 FF FF FF 48\r\n                 89 85 50 FD FF FF 48 83 BD 50 FD FF FF 00}\r\n    condition:\r\n        uint32(0) == 0x464c457f and ( $usage or 3 of ($coms*) 
or 1 of ($cde*) )\r\n}\r\nrule linux_Monti_ransomware {\r\nmeta:\r\nauthor = \"Marc Salinas @ CheckPoint Research\"\r\ndescription = \"Detects samples of the Linux ransomware family Monti\"\r\nmalware_family = \"Monti\"\r\ndate = \"09/08/2023\"\r\nhash1 = \"edfe81babf50c2506853fd8375f1be0b7bebbefb2e5e9a33eff95ec23e867de1\"\r\nstrings:\r\n$str1 = \"Total encrypted: %s\\n\"\r\n$str2 = \"Encrypting %s\\n\"\r\nhttps://research.checkpoint.com/2023/the-platform-matters-a-comparative-study-on-linux-and-windows-ransomware-attacks/\r\nPage 12 of 24\n\n$str3 = \"Cannot rename file %s\\n\"\r\n$str4 = \"fork() error.\"\r\n$cde = {55 48 89 E5 48 83 EC 50 48 89 7D B8 48 89 75 B0 48 C7 45 C0 7F 44 4E 00 48 C7 45 C8 81 44 4E 00\r\n48 C7 45 D0 84 44 4E 00 48 C7 45 D8 87 44 4E 00 48 C7 45 E0 8A 44 4E 00 C6 45 F3 05 C7 45 F4 00 00 00 00\r\n48 8B 45 B8 48 85 C0}\r\ncondition:\r\nuint32(0) == 0x464c457f and ( $cde or all of ($str*))\r\n}\r\nrule linux_IceFire_ransomware {\r\nmeta:\r\nauthor = \"Marc Salinas @ CheckPoint Research\"\r\ndescription = \"Detects samples of the Linux ransomware family IceFire\"\r\nmalware_family = \"IceFire\"\r\ndate = \"09/08/2023\"\r\nhash1 = \"e9cc7fdfa3cf40ff9c3db0248a79f4817b170f2660aa2b2ed6c551eae1c38e0b\"\r\nstrings:\r\n$str1 = \"iFire.pid\"\r\n$str2 = \"-----BEGIN RSA PUBLIC KEY-----\"\r\n$str3 = \"ComSpec=C:\\\\Windows\\\\syste\"\r\n$str4 = \"./boot./dev./etc./lib./proc./srv./sys./usr./var./run\"\r\n$str5 = \"Do not try to recover files yourself\"\r\ncondition:\r\nuint32(0) == 0x464c457f and 3 of ($str*)\r\n}\r\nrule linux_Royal_ransomware {\r\nmeta:\r\nauthor = \"Marc Salinas @ CheckPoint Research\"\r\nhttps://research.checkpoint.com/2023/the-platform-matters-a-comparative-study-on-linux-and-windows-ransomware-attacks/\r\nPage 13 of 24\n\ndescription = \"Detects samples of the Linux ransomware family Royal\"\r\nmalware_family = \"Royal\"\r\ndate = \"09/08/2023\"\r\nhash1 = 
\"b57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c\"\r\nstrings:\r\n$str1 = \"Testing RSA encryption\"\r\n$str2 = \"-vmonly\"\r\n$str3 = \"Most likely what happened was that you decided to save some money\"\r\n$cde1 = {48 8D 85 30 FF FF FF BA 90 00 00 00 BE 00 00 00 00 48 89 C7 ?? ?? ?? ?? ?? 48 8D 85 30 FF FF FF\r\n48 89 C6 BF E8 0D 58 00 ?? ?? ?? ?? ?? 48 8B 85 60 FF FF FF 48 85 C0}\r\n$cde2 = {48 8B 85 60 FF FF FF 48 89 C2 48 8B 4D D0 8B 45 CC 48 89 CE 89 C7 ?? ?? ?? ?? ?? 83 F0 01 84\r\nC0}\r\n$cde3 = {48 8D 85 30 FA FF FF 41 B8 00 00 00 00 48 89 C1 BA DD 0D 58 00 BE E0 0D 58 00 BF E0 0D 58 00\r\nB8 00 00 00 00 ?? ?? ?? ?? ?? BF 00 00 00 00 }\r\ncondition:\r\nuint32(0) == 0x464c457f and ( 2 of ($str*) or 1 of ($cde*))\r\n}\r\nrule linux_BlackCat_ransomware {\r\nmeta:\r\nauthor = \"Marc Salinas @ CheckPoint Research\"\r\ndescription = \"Detects samples of the Linux ransomware family BlackCat\"\r\nmalware_family = \"BlackCat\"\r\ndate = \"09/08/2023\"\r\nhash1 = \"e2dcd1eaf59e7e10b9dfeedc6f2b0678efac7907f17ee8b4e8791c39c1fbaa58\"\r\nstrings:\r\n$str1 = \"no-vm-kill-names\"\r\n$str2 = \"safeboot-network\"\r\nhttps://research.checkpoint.com/2023/the-platform-matters-a-comparative-study-on-linux-and-windows-ransomware-attacks/\r\nPage 14 of 24\n\n$str3 = \"NO_VM_KILL_NAMES\"\r\n$str4 = \"Preparing Logger\"\r\n$str5 = \"already borrowed\"\r\n$str6 = \"/cargo/registry/src/github.com\"\r\ncondition:\r\nuint32(0) == 0x464c457f and 4 of ($str*)\r\n}\r\nrule linux_HelloKitty_ransomware {\r\nmeta:\r\nauthor = \"Marc Salinas @ CheckPoint Research\"\r\ndescription = \"Detects samples of the Linux ransomware family HelloKitty\"\r\nmalware_family = \"HelloKitty\"\r\ndate = \"09/08/2023\"\r\nhash1 = \"754f2022b72da704eb8636610c6d2ffcbdae9e8740555030a07c8c147387a537\"\r\nstrings:\r\n$str1 = \"cr:%d f:%s\\n\"\r\n$str2 = \"cr:%d l:%d f:%s\\n\"\r\n$str3 = \"Done:%s file size:%lu crypt size:%lu \\n \"\r\n$str4 = \"All your important documents, photos, databases were 
stolen\"\r\n$str5 = \".README_TO_RESTORE\"\r\n$str6 = \"libcrypto.so not found \\n try to find manual and make link to libcrypto.so \\n\"\r\n$str7 = \"Usage:%s [-m (10-20-25-33-50) ] Start Path \\n\"\r\n$str8 = \"Error InitAPI !!!\\nExit\\n\"\r\ncondition:\r\nuint32(0) == 0x464c457f and 4 of ($str*)\r\n}\r\nhttps://research.checkpoint.com/2023/the-platform-matters-a-comparative-study-on-linux-and-windows-ransomware-attacks/\r\nPage 15 of 24\n\nrule linux_Lockbit_ransomware {\r\nmeta:\r\nauthor = \"Marc Salinas @ CheckPoint Research\"\r\ndescription = \"Detects samples of the Linux ransomware family Lockbit\"\r\nmalware_family = \"Lockbit\"\r\ndate = \"09/08/2023\"\r\nhash1 = \"472836ed669d3927d50055e801048696375b37fce03b2f046e3e1039fb88e048\"\r\nstrings:\r\n$cde1 = {31 FF 41 BE 01 00 00 00 ?? ?? ?? ?? ?? 4C 89 E7 48 89 44 24 18 ?? ?? ?? ?? ?? BA F1 B0 64 00 48 89\r\nC1 BE 14 00 00 00 48 89 E7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 89 D9 48 89 C2 48 89 E6 BF C0 BB 64 00 31 C0}\r\n$cde2 = {55 BE 60 BA 64 00 53 48 89 FB 48 81 EC 08 04 00 00 48 89 E7 48 89 E5 ?? ?? ?? ?? ?? BE 15 5F 43\r\n00 48 89 E7 ?? ?? ?? ?? ?? BE 6C BA 64 00 48 89 E7 ?? ?? ?? ?? ?? BE 15 5F 43 00 48 89 E7 ?? ?? ?? ?? ?? BE\r\n74 BA 64 00 48 89 E7 ?? ?? ?? ?? ?? BE 10 5F 43 00 48 89 DF }\r\n$cde3 = {48 83 C3 01 ?? ?? ?? ?? ?? 
48 29 EB 48 98 31 D2 48 F7 F3 48 8B 5C 24 08 48 8D 04 2A 48 8B 6C 24\r\n10 48 83 C4 18 C3}\r\ncondition:\r\nuint32(0) == 0x464c457f and 1 of ($cde*)\r\n}\r\nrule linux_GwisinLocker_ransomware {\r\nmeta:\r\nauthor = \"Marc Salinas @ CheckPoint Research\"\r\ndescription = \"Detects samples of the Linux ransomware family GwisinLocker\"\r\nmalware_family = \"GwisinLocker\"\r\ndate = \"09/08/2023\"\r\nhash1 = \"7594bf1d87d35b489545e283ef1785bb2e04637cc1ff1aca9b666dde70528e2b\"\r\nstrings:\r\n$str1 = \"error: option `--%s` %s\\n\"\r\n$str2 = \"Usage: %s\"\r\nhttps://research.checkpoint.com/2023/the-platform-matters-a-comparative-study-on-linux-and-windows-ransomware-attacks/\r\nPage 16 of 24\n\n$str3 = \"c.d/%s* stop\"\r\n$str4 = \"show this help message and exit\"\r\n$ext = \".mcrgnx\"\r\n$hex = {66 30 66 64 62 33 64 38}\r\n$cde1 = {48 8B 74 24 08 31 FF ?? ?? ?? ?? ?? 48 85 C0 49 89 C7 0F 94 C1 41 83 FD 01 41 89 DD 0F 94 C0 08\r\nC1}\r\n$cde2 = {41 54 55 53 48 81 EC 30 01 00 00 48 89 E5 48 89 EF ?? ?? ?? ?? ?? 48 8D 7C 24 20 B9 21 00 00 00 48\r\n89 EA 48 8D 35 36 8B 00 00 F3 48 A5 8B 06 BE 0E 01 00 00 89 07 0F B7 05 2F 8C 00 00 66 89 47 04 48 8D 7C\r\n24 20}\r\ncondition:\r\nuint32(0) == 0x464c457f and ( (2 of ($str*) and ($ext or $hex)) or 1 of ($cde*) )\r\n}\r\nrule linux_Cl0p_ransomware {\r\nmeta:\r\nauthor = \"Marc Salinas @ CheckPoint Research\"\r\ndescription = \"Detects samples of the Linux ransomware family Cl0p\"\r\nmalware_family = \"Cl0p\"\r\ndate = \"09/08/2023\"\r\nhash1 = \"09d6dab9b70a74f61c41eaa485b37de9a40c86b6d2eae7413db11b4e6a8256ef\"\r\nstrings:\r\n$str1 = \"C_I_0P\"\r\n$str3 = \"README_C_I_0P.TXT\"\r\n$str4 = \"OR WRITE TO THE CHAT AT-\u003e\"\r\n$cde1 = {55 89 E5 57 81 EC 24 02 00 00 8D 8D F8 FE FF FF BA A4 83 10 08 B8 FC 00 00 00 89 44 24 08 89 54\r\n24 04 89 0C 24 ?? ?? ?? ?? ?? 8B 45 08 89 44 24 08 C7 44 24 04 8C 83 10 08 8D 85 F8 FD FF FF 89 04 24 ?? ??\r\n?? ?? ?? 
8D 85 F8 FE FF FF B9 FF FF FF FF 89 85 E8 FD FF FF B8 00 00 00 00 FC 8B BD E8 FD FF FF F2 AE\r\n89 C8 F7 D0 83 E8 01 89 45 F8 C7 44 24 08 B4 01 00 00 C7 44 24 04 42 00 00 00 8D 85 F8 FD FF FF 89 04 24\r\n?? ?? ?? ?? ?? 89 45 F4 8B 45 F8 89 44 24 08 8D 85 F8 FE FF FF 89 44 24 04 8B 45 F4 89 04 24 ?? ?? ?? ?? ??\r\n8B 45 F4 89 04 24 ?? ?? ?? ?? ?? 81 C4 24 02 00 00 5F 5D C3}\r\nhttps://research.checkpoint.com/2023/the-platform-matters-a-comparative-study-on-linux-and-windows-ransomware-attacks/\r\nPage 17 of 24\n\n$cde2 = {8D 95 0B FF FF FF B8 75 00 00 00 89 44 24 08 C7 44 24 04 00 00 00 00 89 14 24 ?? ?? ?? ?? ?? C7 45\r\nF4 00 00 00 00}\r\ncondition:\r\nuint32(0) == 0x464c457f and 1 of them\r\n}\r\nrule linux_Babuk_ransomware { meta: author = \"Marc Salinas @ CheckPoint Research\" description = \"Detects\r\nsamples of the Linux ransomware family Babuk\" malware_family = \"Babuk\" date = \"09/08/2023\" hash1 =\r\n\"b711579e33b0df2143c7cb61246233c7f9b4d53db6a048427a58c0295d8daf1c\" hash1 =\r\n\"d1ba6260e2c6bf82be1d6815e19a1128aa0880f162a0691f667061c8fe8f1b2c\" strings: $str1 = \"Statistic:\" $str2 =\r\n\"Encrypted files: %d\" $str3 = \"Usage: %s /path/to/be/encrypted\" $bablock1 = \".x1x2x3\" $bablock2 =\r\n\"/_r_e_a_d_m_e.txt\" $cylance1 = \".Cylance\" $cylance2 = \"CYLANCE_README.txt\" $orig1 = \"How To Restore\r\nYour Files.txt\" $orig2 = \".babyk\" condition: uint32(0) == 0x464c457f and (all of ($str*) or all of ($cylance*) or\r\nall of ($bablock*) or all of ($orig*)) } rule linux_ESXi_ransomware { meta: author = \"Marc Salinas @\r\nCheckPoint Research\" description = \"Detects samples of the Linux ransomware family ESXi\" malware_family =\r\n\"ESXi\" date = \"09/08/2023\" hash1 =\r\n\"11b1b2375d9d840912cfd1f0d0d04d93ed0cddb0ae4ddb550a5b62cd044d6b66\" strings: $usage = \"usage: encrypt\r\n\u003cpublic_key\u003e \u003cfile_to_encrypt\u003e [\u003cenc_step\u003e] [\u003cenc_size\u003e] [\u003cfile_size\u003e]\" $coms1 = \"init_libssl returned %d\\n\"\r\n$coms2 = 
\"encrypt_file\" $coms3 = \"encrypt_simple\" $coms4 = \"lseek [start]\" $cde1 = {48 8B 85 80 FD FF FF 48\r\n01 85 50 FF FF FF 48 8B 8D 38 FF FF FF C7 85 28 FD FF FF 67 66 66 66 C7 85 2C FD FF FF 66 66 66 66 48\r\n8B 85 28 FD FF FF 48 F7 E9 48 C1 FA 02 48 89 C8 48 C1 F8 3F 48 89 D3 48 29 C3 48 89 9D 40 FD FF FF 48\r\n8B 85 40 FD FF FF 48 C1 E0 02 48 03 85 40 FD FF FF 48 01 C0 48 89 CA 48 29 C2 48 89 95 40 FD FF FF 48\r\n83 BD 40 FD FF FF 00} $cde2 = {48 8B 85 30 FD FF FF 48 D1 E8 48 8B 95 30 FD FF FF 83 E2 01 48 09 D0 F2\r\n48 0F 2A C0 66 0F 28 C8 F2 0F 58 C8 F2 0F 11 8D 48 FD FF FF} $cde3 = {F2 0F 10 05 15 6F 00 00 F2 0F 59\r\n85 48 FD FF FF F2 0F 11 85 28 FF FF FF 48 8B 85 48 FF FF FF 48 89 85 50 FD FF FF 48 83 BD 50 FD FF FF\r\n00} condition: uint32(0) == 0x464c457f and ( $usage or 3 of ($coms*) or 1 of ($cde*) ) } rule\r\nlinux_Monti_ransomware { meta: author = \"Marc Salinas @ CheckPoint Research\" description = \"Detects\r\nsamples of the Linux ransomware family Monti\" malware_family = \"Monti\" date = \"09/08/2023\" hash1 =\r\n\"edfe81babf50c2506853fd8375f1be0b7bebbefb2e5e9a33eff95ec23e867de1\" strings: $str1 = \"Total encrypted:\r\n%s\\n\" $str2 = \"Encrypting %s\\n\" $str3 = \"Cannot rename file %s\\n\" $str4 = \"fork() error.\" $cde = {55 48 89 E5 48\r\n83 EC 50 48 89 7D B8 48 89 75 B0 48 C7 45 C0 7F 44 4E 00 48 C7 45 C8 81 44 4E 00 48 C7 45 D0 84 44 4E 00\r\n48 C7 45 D8 87 44 4E 00 48 C7 45 E0 8A 44 4E 00 C6 45 F3 05 C7 45 F4 00 00 00 00 48 8B 45 B8 48 85 C0}\r\ncondition: uint32(0) == 0x464c457f and ( $cde or all of ($str*)) } rule linux_IceFire_ransomware { meta: author =\r\n\"Marc Salinas @ CheckPoint Research\" description = \"Detects samples of the Linux ransomware family IceFire\"\r\nmalware_family = \"IceFire\" date = \"09/08/2023\" hash1 =\r\n\"e9cc7fdfa3cf40ff9c3db0248a79f4817b170f2660aa2b2ed6c551eae1c38e0b\" strings: $str1 = \"iFire.pid\" $str2 = \"--\r\n---BEGIN RSA PUBLIC KEY-----\" $str3 = \"ComSpec=C:\\\\Windows\\\\syste\" $str4 
=\r\n\"./boot./dev./etc./lib./proc./srv./sys./usr./var./run\" $str5 = \"Do not try to recover files yourself\" condition: uint32(0)\r\n== 0x464c457f and 3 of ($str*) } rule linux_Royal_ransomware { meta: author = \"Marc Salinas @ CheckPoint\r\nResearch\" description = \"Detects samples of the Linux ransomware family Royal\" malware_family = \"Royal\"\r\ndate = \"09/08/2023\" hash1 = \"b57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c\"\r\nhttps://research.checkpoint.com/2023/the-platform-matters-a-comparative-study-on-linux-and-windows-ransomware-attacks/\r\nPage 18 of 24\n\nstrings: $str1 = \"Testing RSA encryption\" $str2 = \"-vmonly\" $str3 = \"Most likely what happened was that you\r\ndecided to save some money\" $cde1 = {48 8D 85 30 FF FF FF BA 90 00 00 00 BE 00 00 00 00 48 89 C7 ?? ?? ??\r\n?? ?? 48 8D 85 30 FF FF FF 48 89 C6 BF E8 0D 58 00 ?? ?? ?? ?? ?? 48 8B 85 60 FF FF FF 48 85 C0} $cde2 =\r\n{48 8B 85 60 FF FF FF 48 89 C2 48 8B 4D D0 8B 45 CC 48 89 CE 89 C7 ?? ?? ?? ?? ?? 83 F0 01 84 C0} $cde3\r\n= {48 8D 85 30 FA FF FF 41 B8 00 00 00 00 48 89 C1 BA DD 0D 58 00 BE E0 0D 58 00 BF E0 0D 58 00 B8 00\r\n00 00 00 ?? ?? ?? ?? ?? 
BF 00 00 00 00 } condition: uint32(0) == 0x464c457f and ( 2 of ($str*) or 1 of ($cde*)) }\r\nrule linux_BlackCat_ransomware { meta: author = \"Marc Salinas @ CheckPoint Research\" description = \"Detects\r\nsamples of the Linux ransomware family BlackCat\" malware_family = \"BlackCat\" date = \"09/08/2023\" hash1 =\r\n\"e2dcd1eaf59e7e10b9dfeedc6f2b0678efac7907f17ee8b4e8791c39c1fbaa58\" strings: $str1 = \"no-vm-kill-names\"\r\n$str2 = \"safeboot-network\" $str3 = \"NO_VM_KILL_NAMES\" $str4 = \"Preparing Logger\" $str5 = \"already\r\nborrowed\" $str6 = \"/cargo/registry/src/github.com\" condition: uint32(0) == 0x464c457f and 4 of ($str*) } rule\r\nlinux_HelloKitty_ransomware { meta: author = \"Marc Salinas @ CheckPoint Research\" description = \"Detects\r\nsamples of the Linux ransomware family HelloKitty\" malware_family = \"HelloKitty\" date = \"09/08/2023\" hash1\r\n= \"754f2022b72da704eb8636610c6d2ffcbdae9e8740555030a07c8c147387a537\" strings: $str1 = \"cr:%d f:%s\\n\"\r\n$str2 = \"cr:%d l:%d f:%s\\n\" $str3 = \"Done:%s file size:%lu crypt size:%lu \\n \" $str4 = \"All your important\r\ndocuments, photos, databases were stolen\" $str5 = \".README_TO_RESTORE\" $str6 = \"libcrypto.so not found\r\n\\n try to find manual and make link to libcrypto.so \\n\" $str7 = \"Usage:%s [-m (10-20-25-33-50) ] Start Path \\n\"\r\n$str8 = \"Error InitAPI !!!\\nExit\\n\" condition: uint32(0) == 0x464c457f and 4 of ($str*) } rule\r\nlinux_Lockbit_ransomware { meta: author = \"Marc Salinas @ CheckPoint Research\" description = \"Detects\r\nsamples of the Linux ransomware family Lockbit\" malware_family = \"Lockbit\" date = \"09/08/2023\" hash1 =\r\n\"472836ed669d3927d50055e801048696375b37fce03b2f046e3e1039fb88e048\" strings: $cde1 = {31 FF 41 BE 01\r\n00 00 00 ?? ?? ?? ?? ?? 4C 89 E7 48 89 44 24 18 ?? ?? ?? ?? ?? BA F1 B0 64 00 48 89 C1 BE 14 00 00 00 48 89\r\nE7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
48 89 D9 48 89 C2 48 89 E6 BF C0 BB 64 00 31 C0} $cde2 = {55 BE 60 BA 64\r\n00 53 48 89 FB 48 81 EC 08 04 00 00 48 89 E7 48 89 E5 ?? ?? ?? ?? ?? BE 15 5F 43 00 48 89 E7 ?? ?? ?? ?? ??\r\nBE 6C BA 64 00 48 89 E7 ?? ?? ?? ?? ?? BE 15 5F 43 00 48 89 E7 ?? ?? ?? ?? ?? BE 74 BA 64 00 48 89 E7 ?? ??\r\n?? ?? ?? BE 10 5F 43 00 48 89 DF } $cde3 = {48 83 C3 01 ?? ?? ?? ?? ?? 48 29 EB 48 98 31 D2 48 F7 F3 48 8B\r\n5C 24 08 48 8D 04 2A 48 8B 6C 24 10 48 83 C4 18 C3} condition: uint32(0) == 0x464c457f and 1 of ($cde*) }\r\nrule linux_GwisinLocker_ransomware { meta: author = \"Marc Salinas @ CheckPoint Research\" description =\r\n\"Detects samples of the Linux ransomware family GwisinLocker\" malware_family = \"GwisinLocker\" date =\r\n\"09/08/2023\" hash1 = \"7594bf1d87d35b489545e283ef1785bb2e04637cc1ff1aca9b666dde70528e2b\" strings:\r\n$str1 = \"error: option `--%s` %s\\n\" $str2 = \"Usage: %s\" $str3 = \"c.d/%s* stop\" $str4 = \"show this help message\r\nand exit\" $ext = \".mcrgnx\" $hex = {66 30 66 64 62 33 64 38} $cde1 = {48 8B 74 24 08 31 FF ?? ?? ?? ?? ?? 48 85\r\nC0 49 89 C7 0F 94 C1 41 83 FD 01 41 89 DD 0F 94 C0 08 C1} $cde2 = {41 54 55 53 48 81 EC 30 01 00 00 48\r\n89 E5 48 89 EF ?? ?? ?? ?? ?? 48 8D 7C 24 20 B9 21 00 00 00 48 89 EA 48 8D 35 36 8B 00 00 F3 48 A5 8B 06\r\nBE 0E 01 00 00 89 07 0F B7 05 2F 8C 00 00 66 89 47 04 48 8D 7C 24 20} condition: uint32(0) == 0x464c457f\r\nand ( (2 of ($str*) and ($ext or $hex)) or 1 of ($cde*) ) } rule linux_Cl0p_ransomware { meta: author = \"Marc\r\nSalinas @ CheckPoint Research\" description = \"Detects samples of the Linux ransomware family Cl0p\"\r\nmalware_family = \"Cl0p\" date = \"09/08/2023\" hash1 =\r\n\"09d6dab9b70a74f61c41eaa485b37de9a40c86b6d2eae7413db11b4e6a8256ef\" strings: $str1 = \"C_I_0P\" $str3 =\r\n\"README_C_I_0P.TXT\" $str4 = \"OR WRITE TO THE CHAT AT-\u003e\" $cde1 = {55 89 E5 57 81 EC 24 02 00 00\r\n8D 8D F8 FE FF FF BA A4 83 10 08 B8 FC 00 00 00 89 44 24 08 89 54 24 04 89 0C 24 ?? ?? ?? ?? ?? 
8B 45 08\r\n89 44 24 08 C7 44 24 04 8C 83 10 08 8D 85 F8 FD FF FF 89 04 24 ?? ?? ?? ?? ?? 8D 85 F8 FE FF FF B9 FF FF\r\nhttps://research.checkpoint.com/2023/the-platform-matters-a-comparative-study-on-linux-and-windows-ransomware-attacks/\r\nPage 19 of 24\n\nFF FF 89 85 E8 FD FF FF B8 00 00 00 00 FC 8B BD E8 FD FF FF F2 AE 89 C8 F7 D0 83 E8 01 89 45 F8 C7 44\r\n24 08 B4 01 00 00 C7 44 24 04 42 00 00 00 8D 85 F8 FD FF FF 89 04 24 ?? ?? ?? ?? ?? 89 45 F4 8B 45 F8 89 44\r\n24 08 8D 85 F8 FE FF FF 89 44 24 04 8B 45 F4 89 04 24 ?? ?? ?? ?? ?? 8B 45 F4 89 04 24 ?? ?? ?? ?? ?? 81 C4\r\n24 02 00 00 5F 5D C3} $cde2 = {8D 95 0B FF FF FF B8 75 00 00 00 89 44 24 08 C7 44 24 04 00 00 00 00 89 14\r\n24 ?? ?? ?? ?? ?? C7 45 F4 00 00 00 00} condition: uint32(0) == 0x464c457f and 1 of them }\r\nrule linux_Babuk_ransomware {\r\n meta:\r\n author = \"Marc Salinas @ CheckPoint Research\"\r\n description = \"Detects samples of the Linux ransomware family Babuk\"\r\n malware_family = \"Babuk\"\r\n date = \"09/08/2023\"\r\n hash1 = \"b711579e33b0df2143c7cb61246233c7f9b4d53db6a048427a58c0295d8daf1c\"\r\n hash1 = \"d1ba6260e2c6bf82be1d6815e19a1128aa0880f162a0691f667061c8fe8f1b2c\"\r\n strings:\r\n $str1 = \"Statistic:\"\r\n $str2 = \"Encrypted files: %d\"\r\n $str3 = \"Usage: %s /path/to/be/encrypted\"\r\n $bablock1 = \".x1x2x3\"\r\n $bablock2 = \"/_r_e_a_d_m_e.txt\"\r\n $cylance1 = \".Cylance\"\r\n $cylance2 = \"CYLANCE_README.txt\"\r\n $orig1 = \"How To Restore Your Files.txt\"\r\n $orig2 = \".babyk\"\r\n condition:\r\n uint32(0) == 0x464c457f and (all of ($str*) or all of ($cylance*) or all of ($bablock*) or al\r\n}\r\nrule linux_ESXi_ransomware {\r\n meta:\r\n author = \"Marc Salinas @ CheckPoint Research\"\r\n description = \"Detects samples of the Linux ransomware family ESXi\"\r\n malware_family = \"ESXi\"\r\n date = \"09/08/2023\"\r\n hash1 = \"11b1b2375d9d840912cfd1f0d0d04d93ed0cddb0ae4ddb550a5b62cd044d6b66\"\r\n strings:\r\n $usage = \"usage: encrypt \u003cpublic_key\u003e 
\u003cfile_to_encrypt\u003e [\u003cenc_step\u003e] [\u003cenc_size\u003e] [\u003cfile_size\r\n $coms1 = \"init_libssl returned %d\\n\"\r\nhttps://research.checkpoint.com/2023/the-platform-matters-a-comparative-study-on-linux-and-windows-ransomware-attacks/\r\nPage 20 of 24\n\n$coms2 = \"encrypt_file\"\r\n $coms3 = \"encrypt_simple\"\r\n $coms4 = \"lseek [start]\"\r\n $cde1 = {48 8B 85 80 FD FF FF 48 01 85 50 FF FF FF 48 8B 8D 38 FF FF FF C7 85 28 FD FF FF 67\r\n $cde2 = {48 8B 85 30 FD FF FF 48 D1 E8 48 8B 95 30 FD FF FF 83 E2 01 48 09 D0 F2 48 0F 2A C0\r\n $cde3 = {F2 0F 10 05 15 6F 00 00 F2 0F 59 85 48 FD FF FF F2 0F 11 85 28 FF FF FF 48 8B 85 48\r\n condition:\r\n uint32(0) == 0x464c457f and ( $usage or 3 of ($coms*) or 1 of ($cde*) )\r\n}\r\nrule linux_Monti_ransomware {\r\n meta:\r\n author = \"Marc Salinas @ CheckPoint Research\"\r\n description = \"Detects samples of the Linux ransomware family Monti\"\r\n malware_family = \"Monti\"\r\n date = \"09/08/2023\"\r\n hash1 = \"edfe81babf50c2506853fd8375f1be0b7bebbefb2e5e9a33eff95ec23e867de1\"\r\n strings:\r\n $str1 = \"Total encrypted: %s\\n\"\r\n $str2 = \"Encrypting %s\\n\"\r\n $str3 = \"Cannot rename file %s\\n\"\r\n $str4 = \"fork() error.\"\r\n $cde = {55 48 89 E5 48 83 EC 50 48 89 7D B8 48 89 75 B0 48 C7 45 C0 7F 44 4E 00 48 C7 45 C8 8\r\n condition:\r\n uint32(0) == 0x464c457f and ( $cde or all of ($str*))\r\n}\r\nrule linux_IceFire_ransomware {\r\n meta:\r\n author = \"Marc Salinas @ CheckPoint Research\"\r\n description = \"Detects samples of the Linux ransomware family IceFire\"\r\n malware_family = \"IceFire\"\r\n date = \"09/08/2023\"\r\n hash1 = \"e9cc7fdfa3cf40ff9c3db0248a79f4817b170f2660aa2b2ed6c551eae1c38e0b\"\r\n strings:\r\n $str1 = \"iFire.pid\"\r\n $str2 = \"-----BEGIN RSA PUBLIC KEY-----\"\r\n $str3 = \"ComSpec=C:\\\\Windows\\\\syste\"\r\n $str4 = \"./boot./dev./etc./lib./proc./srv./sys./usr./var./run\"\r\n $str5 = \"Do not try to recover files yourself\"\r\n condition:\r\n uint32(0) == 
0x464c457f and 3 of ($str*)\r\n}\r\nhttps://research.checkpoint.com/2023/the-platform-matters-a-comparative-study-on-linux-and-windows-ransomware-attacks/\r\nPage 21 of 24\n\nrule linux_Royal_ransomware {\r\n meta:\r\n author = \"Marc Salinas @ CheckPoint Research\"\r\n description = \"Detects samples of the Linux ransomware family Royal\"\r\n malware_family = \"Royal\"\r\n date = \"09/08/2023\"\r\n hash1 = \"b57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c\"\r\n strings:\r\n $str1 = \"Testing RSA encryption\"\r\n $str2 = \"-vmonly\"\r\n $str3 = \"Most likely what happened was that you decided to save some money\"\r\n $cde1 = {48 8D 85 30 FF FF FF BA 90 00 00 00 BE 00 00 00 00 48 89 C7 ?? ?? ?? ?? ?? 48 8D 85\r\n $cde2 = {48 8B 85 60 FF FF FF 48 89 C2 48 8B 4D D0 8B 45 CC 48 89 CE 89 C7 ?? ?? ?? ?? ?? 83\r\n $cde3 = {48 8D 85 30 FA FF FF 41 B8 00 00 00 00 48 89 C1 BA DD 0D 58 00 BE E0 0D 58 00 BF E0\r\n condition:\r\n uint32(0) == 0x464c457f and ( 2 of ($str*) or 1 of ($cde*))\r\n}\r\nrule linux_BlackCat_ransomware {\r\n meta:\r\n author = \"Marc Salinas @ CheckPoint Research\"\r\n description = \"Detects samples of the Linux ransomware family BlackCat\"\r\n malware_family = \"BlackCat\"\r\n date = \"09/08/2023\"\r\n hash1 = \"e2dcd1eaf59e7e10b9dfeedc6f2b0678efac7907f17ee8b4e8791c39c1fbaa58\"\r\n strings:\r\n $str1 = \"no-vm-kill-names\"\r\n $str2 = \"safeboot-network\"\r\n $str3 = \"NO_VM_KILL_NAMES\"\r\n $str4 = \"Preparing Logger\"\r\n $str5 = \"already borrowed\"\r\n $str6 = \"/cargo/registry/src/github.com\"\r\n condition:\r\n uint32(0) == 0x464c457f and 4 of ($str*)\r\n}\r\nrule linux_HelloKitty_ransomware {\r\n meta:\r\n author = \"Marc Salinas @ CheckPoint Research\"\r\n description = \"Detects samples of the Linux ransomware family HelloKitty\"\r\n malware_family = \"HelloKitty\"\r\nhttps://research.checkpoint.com/2023/the-platform-matters-a-comparative-study-on-linux-and-windows-ransomware-attacks/\r\nPage 22 of 24\n\ndate = 
\"09/08/2023\"\r\n hash1 = \"754f2022b72da704eb8636610c6d2ffcbdae9e8740555030a07c8c147387a537\"\r\n strings:\r\n $str1 = \"cr:%d f:%s\\n\"\r\n $str2 = \"cr:%d l:%d f:%s\\n\"\r\n $str3 = \"Done:%s file size:%lu crypt size:%lu \\n \"\r\n $str4 = \"All your important documents, photos, databases were stolen\"\r\n $str5 = \".README_TO_RESTORE\"\r\n $str6 = \"libcrypto.so not found \\n try to find manual and make link to libcrypto.so \\n\"\r\n $str7 = \"Usage:%s [-m (10-20-25-33-50) ] Start Path \\n\"\r\n $str8 = \"Error InitAPI !!!\\nExit\\n\"\r\n condition:\r\n uint32(0) == 0x464c457f and 4 of ($str*)\r\n}\r\nrule linux_Lockbit_ransomware {\r\n meta:\r\n author = \"Marc Salinas @ CheckPoint Research\"\r\n description = \"Detects samples of the Linux ransomware family Lockbit\"\r\n malware_family = \"Lockbit\"\r\n date = \"09/08/2023\"\r\n hash1 = \"472836ed669d3927d50055e801048696375b37fce03b2f046e3e1039fb88e048\"\r\n strings:\r\n $cde1 = {31 FF 41 BE 01 00 00 00 ?? ?? ?? ?? ?? 4C 89 E7 48 89 44 24 18 ?? ?? ?? ?? ?? BA F1\r\n $cde2 = {55 BE 60 BA 64 00 53 48 89 FB 48 81 EC 08 04 00 00 48 89 E7 48 89 E5 ?? ?? ?? ?? ??\r\n $cde3 = {48 83 C3 01 ?? ?? ?? ?? ?? 
48 29 EB 48 98 31 D2 48 F7 F3 48 8B 5C 24 08 48 8D 04 2A\r\n condition:\r\n uint32(0) == 0x464c457f and 1 of ($cde*)\r\n}\r\nrule linux_GwisinLocker_ransomware {\r\n meta:\r\n author = \"Marc Salinas @ CheckPoint Research\"\r\n description = \"Detects samples of the Linux ransomware family GwisinLocker\"\r\n malware_family = \"GwisinLocker\"\r\n date = \"09/08/2023\"\r\n hash1 = \"7594bf1d87d35b489545e283ef1785bb2e04637cc1ff1aca9b666dde70528e2b\"\r\n strings:\r\n $str1 = \"error: option `--%s` %s\\n\"\r\n $str2 = \"Usage: %s\"\r\n $str3 = \"c.d/%s* stop\"\r\n $str4 = \"show this help message and exit\"\r\nhttps://research.checkpoint.com/2023/the-platform-matters-a-comparative-study-on-linux-and-windows-ransomware-attacks/\r\nPage 23 of 24\n\n$ext = \".mcrgnx\"\r\n $hex = {66 30 66 64 62 33 64 38}\r\n $cde1 = {48 8B 74 24 08 31 FF ?? ?? ?? ?? ?? 48 85 C0 49 89 C7 0F 94 C1 41 83 FD 01 41 89 DD\r\n $cde2 = {41 54 55 53 48 81 EC 30 01 00 00 48 89 E5 48 89 EF ?? ?? ?? ?? ?? 48 8D 7C 24 20 B9\r\n condition:\r\n uint32(0) == 0x464c457f and ( (2 of ($str*) and ($ext or $hex)) or 1 of ($cde*) )\r\n}\r\nrule linux_Cl0p_ransomware {\r\n meta:\r\n author = \"Marc Salinas @ CheckPoint Research\"\r\n description = \"Detects samples of the Linux ransomware family Cl0p\"\r\n malware_family = \"Cl0p\"\r\n date = \"09/08/2023\"\r\n hash1 = \"09d6dab9b70a74f61c41eaa485b37de9a40c86b6d2eae7413db11b4e6a8256ef\"\r\n strings:\r\n $str1 = \"C_I_0P\"\r\n $str3 = \"README_C_I_0P.TXT\"\r\n $str4 = \"OR WRITE TO THE CHAT AT-\u003e\"\r\n $cde1 = {55 89 E5 57 81 EC 24 02 00 00 8D 8D F8 FE FF FF BA A4 83 10 08 B8 FC 00 00 00 89 44\r\n $cde2 = {8D 95 0B FF FF FF B8 75 00 00 00 89 44 24 08 C7 44 24 04 00 00 00 00 89 14 24 ?? 
??\r\n condition:\r\n uint32(0) == 0x464c457f and 1 of them\r\n}\r\nSource: https://research.checkpoint.com/2023/the-platform-matters-a-comparative-study-on-linux-and-windows-ransomware-attacks/\r\nhttps://research.checkpoint.com/2023/the-platform-matters-a-comparative-study-on-linux-and-windows-ransomware-attacks/\r\nPage 24 of 24\n\n https://research.checkpoint.com/2023/the-platform-matters-a-comparative-study-on-linux-and-windows-ransomware-attacks/       \n$cde2 = {8D 95 0B FF FF FF B8 75 00 00 00 89 44 24 08 C7 44 24 04 00 00 00 00 89 14 24 ?? ?? ?? ?? ?? C7 45\nF4 00 00 00 00}       \ncondition:        \nuint32(0) == 0x464c457f and 1 of them      \n}        \nrule linux_Babuk_ransomware  { meta: author = \"Marc Salinas @ CheckPoint Research\" description = \"Detects\nsamples of the Linux ransomware family Babuk\" malware_family  = \"Babuk\" date = \"09/08/2023\" hash1 =\n\"b711579e33b0df2143c7cb61246233c7f9b4d53db6a048427a58c0295d8daf1c\"      hash1 =  \n\"d1ba6260e2c6bf82be1d6815e19a1128aa0880f162a0691f667061c8fe8f1b2c\"      strings: $str1 = \"Statistic:\" $str2 =\n\"Encrypted files: %d\" $str3 = \"Usage: %s /path/to/be/encrypted\"  $bablock1 = \".x1x2x3\" $bablock2 = \n\"/_r_e_a_d_m_e.txt\" $cylance1 = \".Cylance\" $cylance2 = \"CYLANCE_README.txt\"  $orig1 = \"How To Restore\nYour Files.txt\" $orig2 = \".babyk\" condition: uint32(0) == 0x464c457f and (all of ($str*) or all of ($cylance*) or\nall of ($bablock*) or all of ($orig*)) } rule linux_ESXi_ransomware  { meta: author = \"Marc Salinas @ \nCheckPoint Research\" description = \"Detects samples of the Linux ransomware family ESXi\" malware_family =\n\"ESXi\" date = \"09/08/2023\" hash1 =      \n\"11b1b2375d9d840912cfd1f0d0d04d93ed0cddb0ae4ddb550a5b62cd044d6b66\"      strings: $usage = \"usage: encrypt\n\u003cpublic_key\u003e \u003cfile_to_encrypt\u003e [\u003cenc_step\u003e] [\u003cenc_size\u003e] [\u003cfile_size\u003e]\" $coms1 = \"init_libssl returned %d\\n\"\n$coms2 = \"encrypt_file\" $coms3 = 
\"encrypt_simple\"  $coms4 = \"lseek [start]\" $cde1 = {48 8B 85 80 FD FF FF 48\n01 85 50 FF FF FF 48 8B 8D 38 FF FF FF C7 85 28 FD FF FF 67 66 66 66 C7 85 2C FD FF FF 66 66 66 66 48\n8B 85 28 FD FF FF 48 F7 E9 48 C1 FA 02 48 89 C8 48 C1 F8 3F 48 89 D3 48 29 C3 48 89 9D 40 FD FF FF 48\n8B 85 40 FD FF FF 48 C1 E0 02 48 03 85 40 FD FF FF 48 01 C0 48 89 CA 48 29 C2 48 89 95 40 FD FF FF 48\n83 BD 40 FD FF FF 00} $cde2 = {48 8B 85 30 FD FF FF 48 D1 E8 48 8B 95 30 FD FF FF 83 E2 01 48 09 D0 F2\n48 0F 2A C0 66 0F 28 C8 F2 0F 58 C8 F2 0F 11 8D 48 FD FF FF} $cde3 = {F2 0F 10 05 15 6F 00 00 F2 0F 59\n85 48 FD FF FF F2 0F 11 85 28 FF FF FF 48 8B 85 48 FF FF FF 48 89 85 50 FD FF FF 48 83 BD 50 FD FF FF\n00} condition: uint32(0) == 0x464c457f and ( $usage or 3 of ($coms*) or 1 of ($cde*) ) } rule \nlinux_Monti_ransomware  { meta: author = \"Marc Salinas @ CheckPoint Research\" description = \"Detects \nsamples of the Linux ransomware family Monti\" malware_family  = \"Monti\" date = \"09/08/2023\" hash1 =\n\"edfe81babf50c2506853fd8375f1be0b7bebbefb2e5e9a33eff95ec23e867de1\"     strings: $str1 = \"Total encrypted: \n%s\\n\" $str2 = \"Encrypting %s\\n\" $str3 = \"Cannot rename file %s\\n\" $str4 = \"fork() error.\" $cde = {55 48 89 E5 48\n83 EC 50 48 89 7D B8 48 89 75 B0 48 C7 45 C0 7F 44 4E 00 48 C7 45 C8 81 44 4E 00 48 C7 45 D0 84 44 4E 00\n48 C7 45 D8 87 44 4E 00 48 C7 45 E0 8A 44 4E 00 C6 45 F3 05 C7 45 F4 00 00 00 00 48 8B 45 B8 48 85 C0}\ncondition: uint32(0) == 0x464c457f and ( $cde or all of ($str*)) } rule linux_IceFire_ransomware  { meta: author =\n\"Marc Salinas @ CheckPoint Research\" description = \"Detects samples of the Linux ransomware family IceFire\"\nmalware_family = \"IceFire\" date = \"09/08/2023\" hash1 =    \n\"e9cc7fdfa3cf40ff9c3db0248a79f4817b170f2660aa2b2ed6c551eae1c38e0b\"     strings: $str1 = \"iFire.pid\" $str2 = \"--\n---BEGIN RSA PUBLIC KEY-----\" $str3 = \"ComSpec=C:\\\\Windows\\\\syste\"  $str4 =  
\n\"./boot./dev./etc./lib./proc./srv./sys./usr./var./run\"\n        $str5 = \"Do not try to recover files yourself\"\n    condition:\n        uint32(0) == 0x464c457f and 3 of ($str*)\n}\n
rule linux_Royal_ransomware\n{\n    meta:\n        author = \"Marc Salinas @ CheckPoint Research\"\n        description = \"Detects samples of the Linux ransomware family Royal\"\n        malware_family = \"Royal\"\n        date = \"09/08/2023\"\n        hash1 = \"b57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c\"\n    strings:\n        $str1 = \"Testing RSA encryption\"\n        $str2 = \"-vmonly\"\n        $str3 = \"Most likely what happened was that you decided to save some money\"\n        $cde1 = {48 8D 85 30 FF FF FF BA 90 00 00 00 BE 00 00 00 00 48 89 C7 ?? ?? ?? ?? ?? 48 8D 85 30 FF FF FF 48 89 C6 BF E8 0D 58 00 ?? ?? ?? ?? ?? 48 8B 85 60 FF FF FF 48 85 C0}\n        $cde2 = {48 8B 85 60 FF FF FF 48 89 C2 48 8B 4D D0 8B 45 CC 48 89 CE 89 C7 ?? ?? ?? ?? ?? 83 F0 01 84 C0}\n        $cde3 = {48 8D 85 30 FA FF FF 41 B8 00 00 00 00 48 89 C1 BA DD 0D 58 00 BE E0 0D 58 00 BF E0 0D 58 00 B8 00 00 00 00 ?? ?? ?? ?? ?? BF 00 00 00 00 }\n    condition:\n        uint32(0) == 0x464c457f and ( 2 of ($str*) or 1 of ($cde*) )\n}\n
rule linux_BlackCat_ransomware\n{\n    meta:\n        author = \"Marc Salinas @ CheckPoint Research\"\n        description = \"Detects samples of the Linux ransomware family BlackCat\"\n        malware_family = \"BlackCat\"\n        date = \"09/08/2023\"\n        hash1 = \"e2dcd1eaf59e7e10b9dfeedc6f2b0678efac7907f17ee8b4e8791c39c1fbaa58\"\n    strings:\n        $str1 = \"no-vm-kill-names\"\n        $str2 = \"safeboot-network\"\n        $str3 = \"NO_VM_KILL_NAMES\"\n        $str4 = \"Preparing Logger\"\n        $str5 = \"already borrowed\"\n        $str6 = \"/cargo/registry/src/github.com\"\n    condition:\n        uint32(0) == 0x464c457f and 4 of ($str*)\n}\n
rule linux_HelloKitty_ransomware\n{\n    meta:\n        author = \"Marc Salinas @ CheckPoint Research\"\n        description = \"Detects samples of the Linux ransomware family HelloKitty\"\n        malware_family = \"HelloKitty\"\n        date = \"09/08/2023\"\n        hash1 = \"754f2022b72da704eb8636610c6d2ffcbdae9e8740555030a07c8c147387a537\"\n    strings:\n        $str1 = \"cr:%d f:%s\\n\"\n        $str2 = \"cr:%d l:%d f:%s\\n\"\n        $str3 = \"Done:%s file size:%lu crypt size:%lu \\n \"\n        $str4 = \"All your important documents, photos, databases were stolen\"\n        $str5 = \".README_TO_RESTORE\"\n        $str6 = \"libcrypto.so not found \\n try to find manual and make link to libcrypto.so \\n\"\n        $str7 = \"Usage:%s [-m (10-20-25-33-50) ] Start Path \\n\"\n        $str8 = \"Error InitAPI !!!\\nExit\\n\"\n    condition:\n        uint32(0) == 0x464c457f and 4 of ($str*)\n}\n
rule linux_Lockbit_ransomware\n{\n    meta:\n        author = \"Marc Salinas @ CheckPoint Research\"\n        description = \"Detects samples of the Linux ransomware family Lockbit\"\n        malware_family = \"Lockbit\"\n        date = \"09/08/2023\"\n        hash1 = \"472836ed669d3927d50055e801048696375b37fce03b2f046e3e1039fb88e048\"\n    strings:\n        $cde1 = {31 FF 41 BE 01 00 00 00 ?? ?? ?? ?? ?? 4C 89 E7 48 89 44 24 18 ?? ?? ?? ?? ?? BA F1 B0 64 00 48 89 C1 BE 14 00 00 00 48 89 E7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 89 D9 48 89 C2 48 89 E6 BF C0 BB 64 00 31 C0}\n        $cde2 = {55 BE 60 BA 64 00 53 48 89 FB 48 81 EC 08 04 00 00 48 89 E7 48 89 E5 ?? ?? ?? ?? ?? BE 15 5F 43 00 48 89 E7 ?? ?? ?? ?? ?? BE 6C BA 64 00 48 89 E7 ?? ?? ?? ?? ?? BE 15 5F 43 00 48 89 E7 ?? ?? ?? ?? ?? BE 74 BA 64 00 48 89 E7 ?? ?? ?? ?? ?? BE 10 5F 43 00 48 89 DF }\n        $cde3 = {48 83 C3 01 ?? ?? ?? ?? ?? 48 29 EB 48 98 31 D2 48 F7 F3 48 8B 5C 24 08 48 8D 04 2A 48 8B 6C 24 10 48 83 C4 18 C3}\n    condition:\n        uint32(0) == 0x464c457f and 1 of ($cde*)\n}\n
rule linux_GwisinLocker_ransomware\n{\n    meta:\n        author = \"Marc Salinas @ CheckPoint Research\"\n        description = \"Detects samples of the Linux ransomware family GwisinLocker\"\n        malware_family = \"GwisinLocker\"\n        date = \"09/08/2023\"\n        hash1 = \"7594bf1d87d35b489545e283ef1785bb2e04637cc1ff1aca9b666dde70528e2b\"\n    strings:\n        $str1 = \"error: option `--%s` %s\\n\"\n        $str2 = \"Usage: %s\"\n        $str3 = \"c.d/%s* stop\"\n        $str4 = \"show this help message and exit\"\n        $ext = \".mcrgnx\"\n        $hex = {66 30 66 64 62 33 64 38}\n        $cde1 = {48 8B 74 24 08 31 FF ?? ?? ?? ?? ?? 48 85 C0 49 89 C7 0F 94 C1 41 83 FD 01 41 89 DD 0F 94 C0 08 C1}\n        $cde2 = {41 54 55 53 48 81 EC 30 01 00 00 48 89 E5 48 89 EF ?? ?? ?? ?? ?? 48 8D 7C 24 20 B9 21 00 00 00 48 89 EA 48 8D 35 36 8B 00 00 F3 48 A5 8B 06 BE 0E 01 00 00 89 07 0F B7 05 2F 8C 00 00 66 89 47 04 48 8D 7C 24 20}\n    condition:\n        uint32(0) == 0x464c457f and ( (2 of ($str*) and ($ext or $hex)) or 1 of ($cde*) )\n}\n
rule linux_Cl0p_ransomware\n{\n    meta:\n        author = \"Marc Salinas @ CheckPoint Research\"\n        description = \"Detects samples of the Linux ransomware family Cl0p\"\n        malware_family = \"Cl0p\"\n        date = \"09/08/2023\"\n        hash1 = \"09d6dab9b70a74f61c41eaa485b37de9a40c86b6d2eae7413db11b4e6a8256ef\"\n    strings:\n        $str1 = \"C_I_0P\"\n        $str3 = \"README_C_I_0P.TXT\"\n        $str4 = \"OR WRITE TO THE CHAT AT-\u003e\"\n        $cde1 = {55 89 E5 57 81 EC 24 02 00 00 8D 8D F8 FE FF FF BA A4 83 10 08 B8 FC 00 00 00 89 44 24 08 89 54 24 04 89 0C 24 ?? ?? ?? ?? ?? 8B 45 08 89 44 24 08 C7 44 24 04 8C 83 10 08 8D 85 F8 FD FF FF 89 04 24 ?? ?? ?? ?? ?? 8D 85 F8 FE FF FF B9 FF FF",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://research.checkpoint.com/2023/the-platform-matters-a-comparative-study-on-linux-and-windows-ransomware-attacks/"
	],
	"report_names": [
		"the-platform-matters-a-comparative-study-on-linux-and-windows-ransomware-attacks"
	],
	"threat_actors": [],
	"ts_created_at": 1775791289,
	"ts_updated_at": 1775791337,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ce28408ce0f8dc0da9dac14927ffc302ee26cf66.pdf",
		"text": "https://archive.orkl.eu/ce28408ce0f8dc0da9dac14927ffc302ee26cf66.txt",
		"img": "https://archive.orkl.eu/ce28408ce0f8dc0da9dac14927ffc302ee26cf66.jpg"
	}
}