DarkRadiation is a ransomware threat deployed by cybercriminals in a series of attacks against Linux systems. More specifically, the threat actors aimed to infect Red Hat, CentOS, and Debian-based Linux distributions. After gaining access, the hackers used an SSH worm to move laterally through the victim's network and deploy a ransomware threat named DarkRadiation. Infosec researchers believe that the threat is under active development, as they have found multiple different versions. All display minor differences in behavior with some also carrying dead code (functions that are not executed by the threat) or comments by the threat's creators.
The DarkRadiation Ransomware is written as a bash script and then obfuscated with 'node-bash-obfuscate,' an open-source Node.js CLI utility and library. It scrambles bash scripts by splitting them into smaller chunks, assigning each chunk a variable name, and replacing the original script with references to those variables. Once delivered to the targeted system, DarkRadiation's first task is to check for root privileges. Without them, the ransomware displays the message 'Please run as root' and removes itself.
If it has the required privileges, the DarkRadiation Ransomware proceeds to take a snapshot of the users currently logged on to the system via its bot_who function and the 'who' command. The result is saved to a hidden file at /tmp/.ccw. The procedure is then repeated every five seconds, with the threat comparing the new snapshot against the state saved in the file. Any discrepancy, such as a new user logging in, is reported to the threat actor via the Telegram API.
The Encryption Process
The DarkRadiation Ransomware employs OpenSSL's AES algorithm in CBC mode to encrypt the files stored in several directories on the compromised system. Before the encryption process is initiated, however, the threat performs another task: it retrieves a list of all users on the breached machine by reading the '/etc/shadow' file. It then overwrites the passwords of the existing users with 'megapassword.' DarkRadiation proceeds to delete all users with the exception of 'Ferrum,' a user account that is created by the threat itself. By executing the 'usermod --shell /bin/nologin' command, the ransomware disables all existing shell users. The threat then contacts its Command-and-Control (C&C) server and looks for the presence of a file named '0.txt.' If it is not there, DarkRadiation does not engage its encryption process and instead sleeps for 60 seconds before trying again.
The researchers noticed slight differences in the encryption path used by the detected samples of DarkRadiation. Some performed the encryption themselves, while others employed a separate script called 'crypt_file.sh.' However, all of them marked the encrypted files by appending a radioactive symbol to the original filename as a new extension. The malware stops or disables all currently active Docker containers before generating its ransom note.
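As an added example that is not part of the original write-up, the following host triage routine checks for the post-compromise artifacts described above: the 'Ferrum' account, human accounts whose shell was switched to nologin, the hidden /tmp/.ccw snapshot file, and files carrying the appended radioactive extension. The inputs are constructed samples, and the use of U+2622 as the extension character is an assumption, since the article only names the symbol.

```python
# Added triage example (not code from the article or the malware): flag
# indicators attributed to DarkRadiation in passwd data, file listings and
# known paths. Inputs are passed in so the routine can run offline on samples.
RADIOACTIVE = "\u2622"          # assumed extension character (the article only says "radioactive symbol")
ROGUE_ACCOUNT = "Ferrum"        # account the article says the ransomware creates
SNAPSHOT_FILE = "/tmp/.ccw"     # hidden file holding the 'who' snapshot
NOLOGIN_SHELLS = {"/bin/nologin", "/usr/sbin/nologin", "/sbin/nologin"}


def triage(passwd_text, filenames, existing_paths):
    """Return a list of (indicator, detail) tuples found in the given inputs."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:        # skip blank or malformed passwd lines
            continue
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if name == ROGUE_ACCOUNT:
            findings.append(("rogue_account", name))
        # Human accounts (UID >= 1000) normally keep an interactive shell;
        # a nologin shell there matches the 'usermod --shell /bin/nologin' step.
        if uid >= 1000 and shell in NOLOGIN_SHELLS:
            findings.append(("shell_disabled", name))
    if SNAPSHOT_FILE in existing_paths:
        findings.append(("who_snapshot", SNAPSHOT_FILE))
    encrypted = [f for f in filenames if f.endswith(RADIOACTIVE)]
    if encrypted:
        findings.append(("encrypted_files", len(encrypted)))
    return findings


# Constructed sample inputs, not data from a real incident.
SAMPLE_PASSWD = "\n".join([
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
    "alice:x:1000:1000::/home/alice:/bin/nologin",
    "Ferrum:x:1001:1001::/home/Ferrum:/bin/bash",
])
SAMPLE_FILES = ["/srv/data/report.pdf" + RADIOACTIVE, "/srv/data/notes.txt",
                "/home/alice/keys.db" + RADIOACTIVE]
SAMPLE_PATHS = {"/tmp/.ccw", "/etc/shadow"}


def run_sample():
    """Run the triage over the constructed samples."""
    return triage(SAMPLE_PASSWD, SAMPLE_FILES, SAMPLE_PATHS)


if __name__ == "__main__":
    for indicator, detail in run_sample():
        print(f"{indicator}: {detail}")
```

On a live host the same routine would be fed the contents of /etc/passwd, a directory walk of the data paths and the set of existing files; a hit on any one indicator is a reason to isolate the machine and preserve /tmp/.ccw before cleanup.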