Researchers have identified a new ransomware family, 01flip, written entirely in Rust and built to run on both Windows and Linux, which has been deployed in targeted attacks against critical infrastructure in the Asia-Pacific region.
The victims of the ransomware included “… organizations responsible for critical infrastructure in Southeast Asia,” said Palo Alto Networks Unit 42 researchers.
Anatomy of the 01flip Ransomware Attack
Beginning in April 2025, threat actors exploited vulnerabilities in outdated, internet-facing applications to gain their initial foothold, with Zimbra Server among the observed entry points.
Once access was established, the attackers deployed a Linux variant of the Sliver post-exploitation framework, which they used to conduct internal reconnaissance, harvest credentials, and map the environment for follow-on activity.
This phase showed clear signs of deliberate, hands-on-keyboard operations rather than automated scanning or opportunistic exploitation, as attackers carefully staged tools and expanded access over time.
By late May, the campaign escalated when multiple 01flip ransomware binaries were manually distributed across both Windows and Linux systems, signaling a coordinated transition from access and preparation to widespread encryption and monetization.
How 01flip Encrypts and Evades
Once executed, 01flip initiates a structured and methodical encryption process designed to maximize impact while complicating recovery efforts.
On Windows hosts, the ransomware enumerates every drive letter from A through Z and drops a ransom note named RECOVER-YOUR-FILE.TXT into every directory it can write to, so victims encounter the extortion message wherever they browse.
Targeted files are encrypted with AES-128 in CBC mode. Each encryption session uses its own AES key, and that key is in turn encrypted with the operators' RSA-2048 public key, so the files cannot be recovered without the matching private key, which only the attackers hold.
Encrypted files are renamed according to a consistent pattern, ORIGINAL_FILENAME.UNIQUE_ID.(0 or 1).01flip, which lets the operators track individual infections while signalling to the victim that the compromise succeeded.
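The artifacts just described, the ransom-note filename and the rename pattern, lend themselves to a simple on-host sweep. The Python script below is an added example for this page, not code from Unit 42 or from the malware itself. It matches the note name and the rename pattern and, as an assumption the article does not state, treats UNIQUE_ID as dot-free and uses the Shannon entropy of a file's leading bytes to confirm that a renamed file really holds ciphertext rather than untouched plaintext. The directory tree it builds for the demonstration is constructed sample data.

```python
"""
Filesystem sweep for 01flip artifacts: the RECOVER-YOUR-FILE.TXT ransom note and
files renamed to ORIGINAL_FILENAME.UNIQUE_ID.(0|1).01flip, with an entropy check
to confirm that a renamed file actually contains ciphertext.

Assumptions not taken from the article: UNIQUE_ID contains no '.' characters, and
high Shannon entropy of the leading bytes is used as the ciphertext check.
"""
import math
import os
import re
import tempfile
from collections import Counter

RANSOM_NOTE = "RECOVER-YOUR-FILE.TXT"

# ORIGINAL_FILENAME may itself contain dots, so the original-name group is greedy
# and UNIQUE_ID is assumed (not stated in the article) to contain none.
RENAME_RE = re.compile(r"^(?P<orig>.+)\.(?P<uid>[^.]+)\.(?P<flag>[01])\.01flip$")


def parse_01flip_name(name):
    """Return {'orig', 'uid', 'flag'} for a 01flip-renamed file, else None."""
    m = RENAME_RE.match(name)
    return m.groupdict() if m else None


def shannon_entropy(data):
    """Bits per byte: AES-CBC output sits near 8.0, ordinary text well below it."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def sweep(root, sample_bytes=4096, min_entropy=7.0):
    """Walk root and report ransom notes, renamed files that look encrypted, and
    renamed files with low entropy (a failed encryption, a decoy, or a false match)."""
    report = {"notes": [], "encrypted": [], "suspicious_low_entropy": []}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if fname == RANSOM_NOTE:
                report["notes"].append(path)
                continue
            parsed = parse_01flip_name(fname)
            if parsed is None:
                continue
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)
            ent = shannon_entropy(head)
            entry = {"path": path, "entropy": round(ent, 2), **parsed}
            bucket = "encrypted" if ent >= min_entropy else "suspicious_low_entropy"
            report[bucket].append(entry)
    return report


def build_sample_tree():
    """Constructed sample directory (not real victim data) for a stand-alone run."""
    root = tempfile.mkdtemp(prefix="01flip-demo-")
    sub = os.path.join(root, "finance")
    os.makedirs(sub)
    for d in (root, sub):
        with open(os.path.join(d, RANSOM_NOTE), "w") as fh:
            fh.write("your files are encrypted\n")
    # Random bytes stand in for AES-CBC ciphertext.
    with open(os.path.join(sub, "q2-report.xlsx.A1B2C3.1.01flip"), "wb") as fh:
        fh.write(os.urandom(8192))
    # A renamed file that still holds plaintext: worth a second look.
    with open(os.path.join(sub, "notes.txt.A1B2C3.0.01flip"), "w") as fh:
        fh.write("meeting notes " * 200)
    with open(os.path.join(sub, "untouched.txt"), "w") as fh:
        fh.write("nothing to see\n")
    return root


if __name__ == "__main__":
    rep = sweep(build_sample_tree())
    print(f"ransom notes: {len(rep['notes'])}")
    for e in rep["encrypted"]:
        print(f"encrypted   {e['orig']}  id={e['uid']} flag={e['flag']} H={e['entropy']}")
    for e in rep["suspicious_low_entropy"]:
        print(f"low-entropy {e['orig']}  id={e['uid']} flag={e['flag']} H={e['entropy']}")
```

Run it against a real share by passing the mount point to sweep(); the low-entropy bucket is the one to triage by hand, since a renamed file that is still readable may be recoverable without the attackers' key.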
To remain stealthy and delay detection, 01flip incorporates several evasion techniques uncommon in commodity ransomware.
The malware is written in Rust and relies on low-level API calls that resemble ordinary operating system activity, which gives signature- and behaviour-based tools less to key on.
Sensitive strings, including ransom messages, file extensions, and embedded cryptographic material, are decoded only at runtime, limiting the effectiveness of static analysis.
The malware also includes an anti-analysis check that looks for sandboxed environments and aborts encryption when it believes it is being analyzed.
These techniques proved effective in practice: the Linux variant went undetected on VirusTotal for nearly three months, which speaks both to its novelty and to its ability to operate unnoticed in real-world environments.
Mitigating Cross-Platform Ransomware Risk
Targeted ransomware campaigns like 01flip rely on deliberate intrusion paths, hands-on-keyboard activity, and cross-platform tooling to maximize impact.
Security teams should focus on reducing initial access opportunities, detecting attacker activity early, and limiting the ability to move laterally or deploy encryption at scale.
- Patch and harden internet-facing systems, prioritizing known exploited vulnerabilities and reducing exposed attack surfaces.
- Monitor for and remediate Sliver-related activity, including anomalous C2 traffic, suspicious beaconing, and post-exploitation tooling.
- Expand and standardize EDR coverage across Windows and Linux environments to detect ransomware, credential abuse, and lateral movement.
- Enforce strong identity controls by requiring MFA, limiting administrative privileges, and monitoring for credential dumping and privilege escalation.
- Restrict lateral movement through network segmentation, controlled use of remote administration tools, and east-west traffic monitoring.
- Detect pre-encryption and encryption behaviors such as mass file enumeration, unfamiliar Rust binaries, and bursts of file renames to the .01flip extension, on Linux as well as Windows.
- Strengthen recovery readiness with immutable backups, tested restoration procedures, and a practiced cross-platform ransomware response plan.
Combined, these measures improve ransomware resilience across Windows and Linux environments.
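One way to turn the detection bullet above into working logic, as an added example that is not from the article or from any vendor product: the Python below consumes file-event telemetry in a JSON-lines format that is assumed here (fields ts, host, pid, image, op, path, new_path), keeps a sliding time window per process, and alerts on either a burst of renames to the .01flip pattern or ransom notes written into many distinct directories. It handles both Windows and Linux path separators. The thresholds and the sample events are constructed.

```python
"""
Pre-encryption and encryption behaviour detection over file-event telemetry.

Alerts when one process (a) renames files to *.UNIQUE_ID.(0|1).01flip at high
rate, or (b) writes RECOVER-YOUR-FILE.TXT into many distinct directories, within
a sliding window. Assumed (not from the article): the JSON-lines record format,
the thresholds, and the constructed sample events.
"""
import json
import re
from collections import defaultdict, deque

RENAME_RE = re.compile(r"^.+\.[^.]+\.[01]\.01flip$")
RANSOM_NOTE = "RECOVER-YOUR-FILE.TXT"


def split_path(path):
    """(directory, basename) for either backslash- or slash-separated paths."""
    idx = max(path.rfind("/"), path.rfind("\\"))
    return (path[:idx], path[idx + 1:]) if idx >= 0 else ("", path)


def detect(lines, window=60, rename_threshold=20, note_dir_threshold=5):
    """Return alerts; each (host, pid, image) fires at most once per reason."""
    renames = defaultdict(deque)    # key -> timestamps of matching renames
    note_dirs = defaultdict(deque)  # key -> (timestamp, directory) of note writes
    alerts, fired = [], set()
    for line in lines:
        ev = json.loads(line)
        key = (ev["host"], ev["pid"], ev["image"])
        ts = ev["ts"]
        if ev["op"] == "rename" and RENAME_RE.match(split_path(ev["new_path"])[1]):
            q = renames[key]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= rename_threshold and (key, "mass_rename") not in fired:
                fired.add((key, "mass_rename"))
                alerts.append({"host": key[0], "pid": key[1], "image": key[2],
                               "reason": "mass_rename", "count": len(q), "ts": ts})
        elif ev["op"] == "create":
            directory, base = split_path(ev["path"])
            if base != RANSOM_NOTE:
                continue
            q = note_dirs[key]
            q.append((ts, directory))
            while q and ts - q[0][0] > window:
                q.popleft()
            distinct = len({d for _, d in q})
            if distinct >= note_dir_threshold and (key, "ransom_notes") not in fired:
                fired.add((key, "ransom_notes"))
                alerts.append({"host": key[0], "pid": key[1], "image": key[2],
                               "reason": "ransom_notes", "count": distinct, "ts": ts})
    return alerts


def sample_events():
    """Constructed telemetry: a benign Linux tool, a Windows encryptor that trips
    both rules, and a Linux encryptor that renames too slowly to trip the rate rule."""
    t = 1_748_000_000  # arbitrary epoch base
    ev = []
    for i in range(5):  # rsync renaming temp files: no pattern match
        ev.append({"ts": t + i, "host": "srv1", "pid": 100, "image": "/usr/bin/rsync",
                   "op": "rename", "path": f"/srv/data/f{i}.tmp", "new_path": f"/srv/data/f{i}"})
    win = {"host": "ws7", "pid": 4242, "image": "C:\\Users\\Public\\svc.exe"}
    for i in range(6):  # notes dropped into six directories
        ev.append({**win, "ts": t + 10 + i, "op": "create",
                   "path": f"C:\\Users\\bob\\Documents\\proj{i}\\{RANSOM_NOTE}"})
    for i in range(25):  # 25 renames in 25 seconds
        ev.append({**win, "ts": t + 20 + i, "op": "rename",
                   "path": f"C:\\Users\\bob\\Documents\\doc{i}.docx",
                   "new_path": f"C:\\Users\\bob\\Documents\\doc{i}.docx.A1B2C3.1.01flip"})
    lin = {"host": "db2", "pid": 9001, "image": "/tmp/.x/enc"}
    for i in range(25):  # one rename every 10 s: never 20 inside a 60 s window
        ev.append({**lin, "ts": t + 100 + 10 * i, "op": "rename",
                   "path": f"/var/lib/app/data{i}.db",
                   "new_path": f"/var/lib/app/data{i}.db.Z9Y8X7.0.01flip"})
    for i in range(5):  # but notes across five home directories still fire
        ev.append({**lin, "ts": t + 400 + i, "op": "create",
                   "path": f"/home/u{i}/{RANSOM_NOTE}"})
    return [json.dumps(e) for e in ev]


if __name__ == "__main__":
    for a in detect(sample_events()):
        print(f"{a['host']} pid={a['pid']} {a['reason']} count={a['count']} image={a['image']}")
```

The slow Linux encryptor shows why the two rules complement each other: a rate rule alone is tunable around by an operator who throttles encryption, while note drops across many directories are hard to avoid without losing the extortion effect.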
How Attackers Are Modernizing Ransomware
The 01flip campaign underscores a broader shift in ransomware development, where attackers are adopting modern programming languages and building malware that operates reliably across multiple operating systems.
Rust's performance, portability, and straightforward cross-compilation make it particularly appealing to threat actors who want a single code base that reaches both Windows and Linux while giving detection tools, which still see comparatively few Rust binaries, less to work with.
As cross-platform tooling and evasion techniques continue to mature, security teams can no longer rely on platform-specific defenses or legacy controls alone.
Building consistent visibility, timely patching, and effective detection across all environments is increasingly essential, as campaigns like 01flip show that attackers are already operating with that level of flexibility.
When attackers can move freely between systems, a zero-trust architecture, which verifies every access request rather than trusting a host because it sits inside the network, limits how far a foothold like this one can be expanded.
