Zimbra: Rust-Based 01flip Ransomware Hits Windows and Linux

New Rust-Based 01flip Ransomware Targets Critical Infrastructure in Asia-Pacific

Researchers from Palo Alto Networks’ Unit 42 have uncovered 01flip, a sophisticated Rust-based ransomware strain actively targeting Windows and Linux systems in coordinated attacks on critical infrastructure across the Asia-Pacific region, particularly in Southeast Asia. The campaign, first detected in April 2025, marks a shift toward cross-platform ransomware designed to evade detection while maximizing impact.

Attack Anatomy: From Exploitation to Encryption

Threat actors gained initial access by exploiting vulnerabilities in outdated, internet-facing applications, including Zimbra Server. Once inside, they deployed the Linux variant of the Sliver post-exploitation framework to conduct reconnaissance, harvest credentials, and map the network, which indicates hands-on-keyboard operations rather than a fully automated attack.

By late May 2025, the attackers escalated the campaign, manually distributing 01flip ransomware binaries across both Windows and Linux systems, transitioning from infiltration to large-scale encryption and extortion.

Encryption & Evasion Tactics

01flip employs a methodical encryption process to disrupt operations while complicating recovery:

  • Systematic drive enumeration (A-Z) and ransom note deployment (RECOVER-YOUR-FILE.TXT) in every writable directory.
  • AES-128-CBC encryption with RSA-2048-protected session keys, rendering files inaccessible without the attackers’ private key.
  • File renaming to ORIGINAL_FILENAME.UNIQUE_ID.(0 or 1).01flip, allowing operators to track infections.
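The three artifacts above (the note name, the drive-wide sweep, and the rename pattern) are what an incident responder would inventory first. The script below is an added example written for this page, not code from Unit 42 or the article: it walks a directory tree, counts RECOVER-YOUR-FILE.TXT notes, parses every file named ORIGINAL_FILENAME.UNIQUE_ID.(0 or 1).01flip, and groups encrypted files by UNIQUE_ID so the scope of an infection can be measured. The page does not say what UNIQUE_ID looks like, so the example assumes a run of hexadecimal characters; the directory layout it scans is constructed sample data, not a real share.

```python
import os
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Rename pattern from the article: ORIGINAL_FILENAME.UNIQUE_ID.(0 or 1).01flip
# The shape of UNIQUE_ID is not given on the page; a hex run is an assumption.
ENCRYPTED_NAME = re.compile(
    r"^(?P<orig>.+)\.(?P<uid>[0-9A-Fa-f]+)\.(?P<flag>[01])\.01flip$"
)
RANSOM_NOTE = "RECOVER-YOUR-FILE.TXT"


def triage(root):
    """Walk `root` and inventory 01flip artifacts.

    Returns a dict with:
      notes     - directories that contain the ransom note
      encrypted - (path, original_name, unique_id, flag) per encrypted file
      by_uid    - unique_id -> number of encrypted files carrying that id
    """
    result = {"notes": [], "encrypted": [], "by_uid": defaultdict(int)}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name == RANSOM_NOTE:
                result["notes"].append(dirpath)
                continue
            m = ENCRYPTED_NAME.match(name)
            if m:
                uid = m["uid"].lower()
                result["encrypted"].append(
                    (os.path.join(dirpath, name), m["orig"], uid, m["flag"])
                )
                result["by_uid"][uid] += 1
    result["by_uid"] = dict(result["by_uid"])
    return result


def build_sample_tree(base):
    """Create a constructed layout that mimics a hit file share (sample data)."""
    base = Path(base)
    (base / "finance").mkdir(parents=True)
    (base / "hr").mkdir()
    # Note dropped in the root and in a subdirectory, as the article describes.
    (base / RANSOM_NOTE).write_text("constructed note\n")
    (base / "finance" / RANSOM_NOTE).write_text("constructed note\n")
    # Encrypted files; the hex id and the 0/1 marker are constructed values.
    (base / "finance" / "q1.xlsx.7f3a9c.0.01flip").write_bytes(b"\x00" * 16)
    (base / "finance" / "q2.xlsx.7f3a9c.1.01flip").write_bytes(b"\x00" * 16)
    (base / "hr" / "payroll.db.7f3a9c.0.01flip").write_bytes(b"\x00" * 16)
    (base / "hr" / "readme.txt").write_text("untouched\n")  # not renamed
    return base


def demo():
    """Build the sample tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    r = demo()
    print(f"{len(r['notes'])} ransom notes, {len(r['encrypted'])} encrypted files")
    for uid, n in r["by_uid"].items():
        print(f"  infection id {uid}: {n} files")
```

Run `triage()` against a mounted volume or a forensic image copy rather than the live host, and treat the ransom note count as a proxy for how far the A-Z drive sweep got: a note in a directory with no renamed files usually means the directory was writable but held nothing the binary chose to encrypt.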

To evade detection, 01flip relies on direct low-level API calls instead of easily fingerprinted library wrappers, runtime string decoding (strings are stored obfuscated in the binary and decoded only when needed), and anti-sandbox checks, which together make it hard for signature-based security tools to identify. The Linux variant remained undetected on VirusTotal for nearly three months, demonstrating its stealth capabilities.

Broader Implications for Ransomware Evolution

The 01flip campaign highlights a growing trend: ransomware written in modern languages like Rust for cross-platform flexibility and reduced detection rates. As attackers adopt these techniques, platform-specific defenses alone are insufficient, requiring organizations to strengthen visibility, patching, and detection across all environments.

The attack underscores the need for zero-trust principles, as threat actors increasingly move freely between systems, exploiting gaps in identity controls, lateral movement, and recovery preparedness.

Source: https://www.esecurityplanet.com/threats/rust-based-01flip-ransomware-hits-windows-and-linux/

Synacor cybersecurity rating report: https://www.rankiteo.com/company/synacor

"id": "SYN1778473638",
"linkid": "synacor",
"type": "Vulnerability",
"date": "12/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'location': 'Asia-Pacific, Southeast Asia',
                        'type': 'Critical Infrastructure'}],
 'attack_vector': 'Exploitation of vulnerabilities in outdated, '
                  'internet-facing applications (e.g., Zimbra Server)',
 'data_breach': {'data_encryption': 'AES-128-CBC with RSA-2048-protected '
                                    'session keys'},
 'date_detected': '2025-04',
 'date_publicly_disclosed': '2025-05',
 'description': 'Researchers from Palo Alto Networks’ Unit 42 uncovered '
                '01flip, a sophisticated Rust-based ransomware strain actively '
                'targeting Windows and Linux systems in coordinated attacks on '
                'critical infrastructure across the Asia-Pacific region, '
                'particularly in Southeast Asia. The campaign marks a shift '
                'toward cross-platform ransomware designed to evade detection '
                'while maximizing impact.',
 'impact': {'operational_impact': 'Disruption of critical infrastructure '
                                  'operations',
            'systems_affected': 'Windows and Linux systems'},
 'initial_access_broker': {'entry_point': 'Exploitation of Zimbra Server '
                                          'vulnerabilities'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'The 01flip campaign highlights the need for zero-trust '
                    'principles, cross-platform defenses, and strengthened '
                    'visibility, patching, and detection across all '
                    'environments.',
 'motivation': 'Financial gain (extortion)',
 'post_incident_analysis': {'corrective_actions': ['Patch management for '
                                                   'critical vulnerabilities',
                                                   'Enhanced monitoring for '
                                                   'post-exploitation '
                                                   'frameworks',
                                                   'Cross-platform ransomware '
                                                   'detection and response'],
                            'root_causes': ['Exploitation of unpatched '
                                            'vulnerabilities in '
                                            'internet-facing applications',
                                            'Use of Sliver post-exploitation '
                                            'framework for lateral movement']},
 'ransomware': {'data_encryption': 'AES-128-CBC with RSA-2048-protected '
                                   'session keys',
                'ransomware_strain': '01flip'},
 'recommendations': ['Strengthen visibility and detection across Windows and '
                     'Linux systems',
                     'Implement zero-trust principles to limit lateral '
                     'movement',
                     'Patch vulnerabilities in internet-facing applications '
                     'promptly',
                     'Enhance recovery preparedness for cross-platform '
                     'ransomware attacks'],
 'references': [{'source': 'Palo Alto Networks’ Unit 42'}],
 'response': {'third_party_assistance': 'Palo Alto Networks’ Unit 42'},
 'title': 'New Rust-Based 01flip Ransomware Targets Critical Infrastructure in '
          'Asia-Pacific',
 'type': 'Ransomware',
 'vulnerability_exploited': ['Zimbra Server vulnerabilities']}