New Ransomware Family: 01flip

Primary Region: Asia-Pacific (APAC)
Primary Language: Rust
Threat Cluster: CL-CRI-1036

Palo Alto Networks Unit 42 has identified a new, financially motivated ransomware family dubbed 01flip. This ransomware is notable for being written entirely in Rust, a modern programming language that offers memory safety and performance benefits. By leveraging Rust’s cross-compilation features, the operators have deployed functional variants for both Windows and Linux environments.

The activity is currently tracked under the cluster CL-CRI-1036. While the victim count remains limited, the group has been observed selling stolen data on dark web forums, confirming a double-extortion capability.


Tactics, Techniques, and Procedures (TTPs)

1. Initial Access

The threat actors gain entry by exploiting known vulnerabilities in internet-facing applications.

  • Vulnerability: Specifically observed exploiting CVE-2019-11580, an older remote code execution (RCE) vulnerability in Atlassian Crowd.
  • Strategy: The reliance on older vulnerabilities suggests a targeting of organizations with poor patching cadence or legacy infrastructure.

2. Post-Exploitation & Lateral Movement

Once inside, the actors transition from automated exploitation to manual, “hands-on-keyboard” operations.

  • Tooling: They deploy Sliver, an open-source cross-platform adversary emulation framework (written in Go), to maintain access and move laterally across the network.
  • Pivot: A Linux version of Sliver is often used to establish a foothold before spreading to other Windows and Linux assets.

3. Execution & Defense Evasion

  • Anti-Sandbox: The malware includes a basic check to see if its own filename contains the string “01flip”. If detected (which might happen in a researcher’s sandbox environment), it skips encryption and proceeds to remove artifacts to hide its intent.
  • Process: It enumerates all drives (A: through Z:) on Windows systems to maximize impact.

4. Encryption Routine

  • Algorithms: The ransomware encrypts files using AES-128-CBC. The symmetric session key is then encrypted using an embedded RSA-2048 public key.
  • File Renaming: Encrypted files are renamed using a specific format: <ORIGINAL_FILENAME>.<UNIQUE_ID>.<0 or 1>.01flip
  • Exclusions: The malware contains a hardcoded list of file extensions to skip, ensuring the operating system remains stable enough for the victim to pay the ransom.

Indicators of Compromise (IOCs)

File Artifacts

  • Ransom Note: RECOVERY-YOUR-FILE.TXT (Dropped in all writable directories).
  • File Extension: .01flip
  • Email Contact: 01Flip@proton[.]me
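As an added example (not Unit 42's code or tooling), the following Python scan applies the file-renaming scheme from the encryption section and the ransom-note name listed above to file-creation events; the event line format, host names, unique IDs and alert threshold are assumptions constructed for the example.

```python
import re

# Encrypted-file naming scheme from the report:
# <ORIGINAL_FILENAME>.<UNIQUE_ID>.<0 or 1>.01flip
ENCRYPTED_NAME = re.compile(r"^(?P<orig>.+)\.(?P<uid>[^.]+)\.(?P<flag>[01])\.01flip$")
RANSOM_NOTE = "RECOVERY-YOUR-FILE.TXT"


def parse_encrypted_name(name):
    """Return (original_name, unique_id, flag) if `name` follows the 01flip scheme, else None."""
    m = ENCRYPTED_NAME.match(name)
    if not m:
        return None
    return m.group("orig"), m.group("uid"), int(m.group("flag"))


def scan_file_events(lines, threshold=3):
    """Inspect file-creation records and return per-host findings.

    Record format (constructed for this example, not a real product's log):
    '<timestamp> <host> <path>' with no spaces in the path.
    A host is flagged when a ransom note appears or when at least
    `threshold` files carry the 01flip naming scheme.
    """
    findings = {}
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # malformed record, ignore
        _ts, host, path = parts
        name = path.replace("\\", "/").rsplit("/", 1)[-1]  # works for Windows and Linux paths
        f = findings.setdefault(host, {"encrypted": 0, "notes": 0, "alert": False})
        if name.upper() == RANSOM_NOTE:
            f["notes"] += 1
        elif parse_encrypted_name(name):
            f["encrypted"] += 1
        f["alert"] = f["notes"] > 0 or f["encrypted"] >= threshold
    return findings


# Constructed sample events (hostnames, paths and unique ID are made up).
SAMPLE_EVENTS = [
    "2024-01-01T10:00:00Z srv-fs01 C:\\Shares\\finance\\Q3-report.xlsx.7F3A9C.1.01flip",
    "2024-01-01T10:00:01Z srv-fs01 C:\\Shares\\finance\\RECOVERY-YOUR-FILE.TXT",
    "2024-01-01T10:00:02Z srv-fs01 C:\\Shares\\hr\\payroll.db.7F3A9C.0.01flip",
    "2024-01-01T10:00:03Z srv-web02 /var/www/html/index.html",
    "2024-01-01T10:00:04Z srv-web02 /opt/data/backup.tar.gz.7F3A9C.1.01flip",
]

if __name__ == "__main__":
    for host, result in scan_file_events(SAMPLE_EVENTS).items():
        print(host, result)
```

Note that srv-web02 shows a single renamed file and no note, so it stays below the alert threshold; tune `threshold` to your environment's normal rename rate.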

Malware Hashes (SHA-256)

  • Windows Variant: 6aad1c36ab9c7c44350ebe3a17178b4fd93c2aa296e2af212ab28d711c0889a3
  • Linux Variant: e5834b7bdd70ec904470d541713e38fe933e96a4e49f80dbfb25148d9674f957

Network & Infrastructure

  • Associated Tool: Presence of Sliver C2 implants on Linux or Windows servers.
  • Exploitation Traffic: Inbound attempts targeting Atlassian Crowd (CVE-2019-11580).