The SFile ransomware, also known as Escal, has been ported to work and encrypt data on Linux-based operating systems by its developers.
Attacks with this new Linux edition were first discovered late last year, according to a report published last week by Chinese security firm Rising; The Record confirmed the finding with MalwareHunterTeam, one of the developers of the ID-Ransomware project.
The SFile (Escal) ransomware was first observed in attacks in February 2020. Its first versions were designed exclusively to encrypt Windows systems.
For the past two years the ransomware has been deployed in targeted attacks against corporate and government networks.
SFile is typically used in these attacks to encrypt data and leave a ransom note instructing victims to contact the attackers via one of three emails and negotiate a ransom for the decryption key.
An SFile Linux variant was discovered late last year, following a broader trend in the ransomware ecosystem in which groups develop Linux versions of their payloads. Its encryption strategy is identical to that of the original Windows variant, with a few modifications.
According to MalwareHunterTeam, the most intriguing of these modifications is an option to encrypt only files whose timestamps fall within a given time range: a way to target recently changed files, which may be more valuable to some victims and are often not yet included in their latest backups. SFile is also one of the few ransomware families that embeds the victim's name in the extension appended to each encrypted file.
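The backup gap described above (files changed since the last backup are exactly the ones a time-range encryption option would single out) can be measured from the defender's side. The following Python check is an added example, not code from the Rising report or from the ransomware itself; it walks a directory tree, lists every file modified after a given last-backup timestamp, and builds a small constructed sample tree so it can be run offline.

```python
import os
import tempfile
import time
from typing import List, Tuple


def files_changed_since(root: str, last_backup_epoch: float) -> List[Tuple[str, float]]:
    """Return (path, mtime) for every regular file under root whose modification
    time is later than last_backup_epoch, newest first.

    Any such file is not covered by the last backup and is therefore the data
    a time-window-restricted encryptor would hit without a recovery option."""
    exposed: List[Tuple[str, float]] = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # unreadable or vanished between listing and stat
            if st.st_mtime > last_backup_epoch:
                exposed.append((path, st.st_mtime))
    exposed.sort(key=lambda item: item[1], reverse=True)
    return exposed


def build_demo_tree() -> Tuple[str, float]:
    """Constructed sample data: one file backed up three days ago, one file
    changed an hour ago, and a last-backup time of two days ago. Returns
    (root, last_backup_epoch)."""
    root = tempfile.mkdtemp(prefix="backup-gap-demo-")
    now = time.time()
    old = os.path.join(root, "quarterly_report.xlsx")
    new = os.path.join(root, "current_contracts.docx")
    for path in (old, new):
        with open(path, "w") as fh:
            fh.write("placeholder content\n")
    os.utime(old, (now - 3 * 86400, now - 3 * 86400))  # mtime: 3 days ago
    os.utime(new, (now - 3600, now - 3600))            # mtime: 1 hour ago
    return root, now - 2 * 86400                       # last backup: 2 days ago


if __name__ == "__main__":
    demo_root, last_backup = build_demo_tree()
    for path, mtime in files_changed_since(demo_root, last_backup):
        age_h = (time.time() - mtime) / 3600
        print(f"NOT IN LAST BACKUP: {path} (modified {age_h:.1f} h ago)")
```

Pointed at a real share with the timestamp of the last verified backup, the list is the set of files whose loss could not be recovered from that backup.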
Several Chinese firms were among the most recent victims of SFile attacks. According to the Rising report, one of them was the Chinese IT company Nuctech, which was sanctioned by the US in late 2020 for supplying air travel passenger information to the Chinese government; the company's name appeared in the encrypted-file extension of a sample discovered by Rising researchers.
Despite the presence of a Linux variant, the number of SFile attacks is still limited in comparison to the operation of more well-known ransomware families like Conti, LockBit, Grief, and STOP.