Analysis of Secp0 Ransomware
Secp0是一种新兴的双重勒索软件,于2025年初出现。它通过加密数据并威胁公开披露来实施勒索。该恶意软件采用ELF格式,针对Linux系统,使用ChaCha20加密和ECDH密钥交换技术,并提供YARA规则用于检测。 2025-7-15 10:0:0 Author: blog.lexfo.fr(查看原文) 阅读量:24 收藏

  • Secp0 emerged in early 2025. Initially misunderstood as a group that withholds software vulnerabilities for ransom, it actually operates like a traditional ransomware.
  • First, it appeared in February 2025, tracked by researchers like PRODAFT. In March 2025, they claimed their first victim, a U.S. IT company, compromising data and encrypting servers.
  • In May 2025, Secp0 delayed publications, citing a queue of companies and testing a software solution, believed to be the extortion platform World Leaks.
  • Secp0 is an ELF binary for 64-bit architecture, developed in C/C++, using ChaCha20 encryption and ECDH key exchange.
  • This report provides a YARA rule for detecting Secp0 based on its embedded encryption key.

This article analyzes Secp0 ransomware, which emerged in early 2025 and was initially mischaracterized as a vulnerability disclosure extortion group. Our investigation confirms that Secp0 operates as conventional double-extortion ransomware, encrypting data while threatening public disclosure.

A technical analysis reveals an ELF binary targeting Linux systems, implementing ChaCha20 encryption with ECDH key exchange. The malware features configurable command-line options, embedded encrypted data, and an irrecoverable key structure preventing decryption without the attacker's cooperation.

This article provides actionable defenses including YARA detection rules based on hardcoded keys and detailed technical breakdowns.

In early 2025, a new ransomware group called Secp0 emerged, initially distinguishing itself with a novel extortion model that threatened to undermine conventional vulnerability disclosure practices. PRODAFT mentioned it in a tweet in March. Unlike traditional ransomware actors who encrypt files or leak stolen data, Secp0 allegedly identifies critical software vulnerabilities and demands payment to withhold their public disclosure. However, this understanding of Secp0 turned out to be false. Secp0 operates like many other ransomware groups, employing a double-extortion model where they encrypt victims' data and then threaten to expose it publicly.

Secp0 first appeared on the threat landscape in February 2025. By early March, cybersecurity researchers had begun publicly tracking and documenting the group's activities, with PRODAFT being among the first to alert the security community about Secp0's emergence. At this time, Secp0 had released a blog post about a flaw in Passwordstate, a software for password storage, where they explained it in detail and provided the files of the decompiled software. At that time, their strategy was misunderstood by analysts who thought they had a new extortion model that targeted solutions and then threatened to publicly disclose the vulnerabilities unless a ransom was paid. They made a blog post responding angrily to PRODAFT's tweet.

Also in March 2025, they claimed their first victim publicly, an IT service management company based in the United States. They claimed to have compromised over 900 accounts from the victim's network and encrypted Nutanix servers, Hyper-V servers, and NAS devices with backups. They threatened to publish all data, but until now, only a proof of compromise has been published.

In early May 2025, Secp0 claimed that their publications were on hold because they allegedly had a substantial queue of companies waiting for their data to be published and that their team was actively testing a software solution designed to streamline the publication of large datasets.

We believe that this software solution turned out to be the extortion platform World Leaks (which we discussed in a previous report). We assert with high confidence that the Secp0 ransomware was used on one of the victims claimed by World Leaks.

The Secp0 ransomware is identified as an ELF (Executable and Linkable Format) binary, specifically compiled for 64-bit architecture. It is developed using the C/C++ programming languages. Heuristic analysis indicates that the ransomware was compiled using GCC (GNU Compiler Collection) version 12.3.0 or Ubuntu clang version 14.0, on a system running Ubuntu Linux 22.04.

When executing, Secp0 ransomware can take ten arguments in its command line:

  • --psw [text]
  • --sleep
  • --daemon
  • --nomotd
  • --path [text]
  • --novmfs, --nohome, --nostop, --fast and --full: These options were present in the argument parser, but the related codes have not been found.

The ransomware was used like this by the threat actors:

./ran_64.elf --psw secp0 --fast --daemon --path [path]

As is typical with many programs, the execution of the ransomware begins with the main function. This function serves as the primary entry point and orchestrates the subsequent operations by invoking two critical functions: "prepare_encryption" and "recursive_opendir_n_encryption".

Main Function

The "prepare_encryption" function makes sure that all the encryption requirements are satisfied:

  • Decrypting the Embedded Ransom Note: This function decrypts the ransom note embedded within the binary, ensuring that it is ready for deployment.
  • Reading and Verifying Execution Options: It reads and verifies the execution options provided by the user, potentially activating specific functionalities based on these inputs.
  • Generating Encryption Keys: This function generates the necessary encryption keys and other essential data required for the encryption process.

The "recursive_opendir_n_encryption" function is designed to handle the core encryption operations and has the following primary responsibilities:

  • Recursive Directory Traversal: It traverses each file and directory recursively, ensuring comprehensive coverage of the target system's file structure.
  • Writing the Ransom Note: In the case of directories, this function writes the ransom note, making it visible to the user.
  • File Encryption: It performs the encryption of files, rendering them inaccessible without the appropriate decryption key.

The ransomware binary contains embedded data essential for its operation. These data elements are encrypted to reduce the risk of detection by antivirus software.

The ransomware embeds several critical pieces of information necessary for its execution and functionality:

  • Ransom Note Template: Template for the ransom note that is displayed to the victim.
  • File Extension: New file extension (.secp0) assigned to each encrypted file.
  • Ransom Note Filename: Name of the ransom note file (RESTORE-SERVER.txt).
  • MOTD File Location: Location of the "message of the day" file (/etc/motd), which displays a message when a user logs in via the command line.
  • Accepted Arguments: --path, --novmfs, --nohome, --nomotd, --nostop, --psw, --fast, --full, --daemon, --sleep

To decrypt these embedded data, the ransomware employs the ChaCha20 symmetric encryption algorithm. The encryption and decryption keys are hard-coded. The key and initialization vector (IV) used are as follows:

Key : 6162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F80
Iv : 0001020304050607
Decrypt hardcoded data

The embedded key can be used to create detection rules for identifying the presence of the ransomware. A YARA rule based on this key is provided at the end of this report, which can be used by security teams to detect and mitigate the threat posed by this ransomware.

Command Line Options Analysis

--psw Option

  • Description: The --psw option is the first parameter checked by the ransomware.
  • Functionality: Expects a string that is compared with the first string in the decrypted embedded data within the ransomware.
  • Purpose:
    • Verification of Embedded Data Decryption: Ensures that the decryption process of the embedded data has been successfully completed.
    • Safety Mechanism: Acts as a safeguard to prevent the inadvertent execution of the ransomware, ensuring it is only executed intentionally.
Option --psw

--sleep Option

  • Description: The --sleep option pauses the program execution.
  • Functionality: Introduces a delay of 60 seconds (0x3C in hexadecimal).
  • Purpose:
    • Delay Execution: Helps in evading detection by delaying the onset of noticeable system changes, potentially allowing the ransomware to run further before being detected.
Call to function "to_clock_nanosleep_0" with argument 0x3C
Call to function "to_clock_nanosleep"
Call to function "libc clock_nanosleep"

--daemon Option

  • Description: The --daemon option restarts the program as a background process.
  • Functionality: Redirects the output to a log file named log.secp0.
  • Purpose:
    • Stealth Operation: Increases the ransomware stealth by running it in the background, making it harder to detect and terminate as it does not require an active user session.
Call to function "daemon_mode_fork"
Fork of the process and redirection of stdout and stderr in a file

--nomotd Option

  • Description: The --nomotd option prevents the automatic modification of the system welcome message.
  • Functionality: Ensures that the Message of the Day (MOTD) file is not altered when a user logs in via the command line.
  • Purpose:
    • Avoid Detection: Prevents immediate notification to users about the ransomware infection through the MOTD, which could otherwise serve as an early warning mechanism.

--path Option

  • Description: The --path option is a mandatory parameter.
  • Functionality: Specifies the directory to be encrypted.
  • Purpose:
    • Target Specification: Allows the attacker to target specific directories, making the ransomware more flexible and targeted in its operations.
Option --path

Other Options

  • Description: Additional options include --novmfs, --nohome, --nostop, --fast, and --full.
  • Usage: No evidence of usage for these options was found during the analysis.
  • Purpose:
    • Flexibility and Control: While these options are present in the argument parser, their specific functionalities and impacts remain undetermined because the related code is missing.

Encryption Process Explanation

The encryption process of the ransomware is initiated when the user specifies a directory using the --path option. The contents of this directory are listed, and each file, except for the ransom note "RESTORE-SERVER.txt", is sent as an argument to the encryption function. If a directory is encountered, the function recursively lists and encrypts its contents.

Call of the encryption function to encrypt the files present in the directory

At the beginning of this process, the ransom note "RESTORE-SERVER.txt" is created in each directory.

Creation of the ransom note RESTORE-SERVER.txt

The ransomware employs the ChaCha20 symmetric encryption algorithm for encrypting files. This means the same key is used for both encryption and decryption. The key is generated using the Elliptic Curve Diffie-Hellman (ECDH) key exchange protocol, specifically utilizing the secp256k1 elliptic curve. This protocol securely exchanges a shared key using a public-private key system.

1 - Session Key Pair Generation:

  • When the ransomware is executed, a pair of public and private keys, known as session keys is generated.

2 - File Key Pair Generation:

  • For each file to be encrypted, another pair of public and private keys, known as file keys, is generated.

3 - Shared Key Calculation:

  • The encryption key is derived as a shared key calculated from the session public key and the file private key. This shared key can also be calculated by combining the session private key and the file public key.
Process of encrypting a file

Before encrypting a file, the ransomware appends necessary information for decryption at the end of the file.

Adding to the end of the file to be encrypted the information necessary for decryption

The appended data (177 bytes) includes:

  • File Public Key: The public key specific to the file.
  • Attacker Public Key: The attacker's public key, embedded within the ransomware.
  • Encrypted Session Private Key: The session private key, which is encrypted.
  • Session Public Key: The public key of the session.
  • Temporary Public Key: A temporary public key.
  • Random Value: A random value that appears to be unused.
Structure of added data

The session private key, crucial for decryption when combined with the file public key, is encrypted. However, the file "private key" is missing, which means the file cannot be decrypted using only the appended information. The session private key is encrypted using the ChaCha20 algorithm, with the encryption key derived from a combination of the attacker's public key and a temporary private key generated by the ransomware. Since both the temporary private key and the attacker's private key are unknown, it is impossible to recreate the encryption key.

Here is an explanation of the encryption process of Secp0 ransomware:

IndicatorsIndicator typeDescription
bbcf4469a0a849ec3c65bbf2ad188896f8d222b7f4e6e5b1c85747ae3ad95818sha256Secp0 ransomware binary
secp0-support[.]netdomain nameSecp0 Negociation Pannel
secp0-support[.]cfddomain nameSecp0 Negociation Pannel
bhn2xz5jer2xeibxjzhgfp7qclttnbvkkvd4hvlmjbnz66jxq7yzn6ad[.]oniononion addressSecp0 Negociation Pannel
2a6w667vebiebciji7vm3vj43svegvozoqypttdgojzgdcbnfsu5wiid[.]oniononion addressSecp0 Negociation Pannel
secponewsxgrlnirowclps2kllzaotaf5w2bsvktdnz4qhjr2jnwvvyd[.]oniononion addressSecp0 Blog
rule secp0 {
    meta:
        title = "SECP0 ransomware detection"
        description = "match embedded ransomware note decryption key"
        date = "2025-06-30"
        author = "Lexfo"
        os = "Linux, maybe Windows"
        score = 90
    strings:
        $key = { 6162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F80 }
        $iv = { 0001020304050607 }
        $chacha1 = "expand 16-byte k"
        $chacha2 = "expand 32-byte k"
    condition:
        all of them
}
======================================
What happened?
======================================

Greetings, [Victim].
Your network has been fully compromised, investigated, and over [Size] of data including the contents of your file servers and database dumps has been extracted. [Explanations]

If you fail to contact us, we will begin publishing this data on our blog and alerting relevant government authorities. A breach of this scale could result in lawsuits, substantial fines, and irreparable reputational damage. Consider how investors and stakeholders will react if this incident goes public.

Additionally, the data stores of your hosts have been encrypted using modern cryptographic algorithms. However, we are prepared to provide you with a decryption tool.

======================================
How to obtain the decryption tool?
======================================

To obtain the decryption tool and ensure the deletion of your data from our servers, you must make a payment. If you fail to contact us within three days or refuse to pay, we will have no choice but to begin publishing your data on our blog and notify all relevant parties, including your investors.

======================================
What should you do next?
======================================

Next, you need to contact us by following the links in the next section and discuss with us the terms for deleting data on our side and obtaining a decryption key for your servers that will satisfy both us and you.

Additionally, to confirm our words, we are ready to:

- provide you with a partial listing of the files that were uploaded (partial means no more 
than 33% of the entire tree)

- provide you with several ANY files (up to 10MB each) from the provided file listing

======================================
How to contact us?
======================================

To get in touch with us, you can use the links below.

- https://secp0-support.net/xxxxxx

- https://secp0-support.cfd/xxxxxx

- http://bhn2xz5jer2xeibxjzhgfp7qclttnbvkkvd4hvlmjbnz66jxq7yzn6ad.onion/xxxxx

- http://2a6w667vebiebciji7vm3vj43svegvozoqypttdgojzgdcbnfsu5wiid.onion/xxxxx

To access the onion link, you'll need to download and install the Tor Browser 
(https://www.torproject.org/download).

======================================
What guarantees are there?
======================================

As a guarantee, we can offer you our professionalism. We have breached your network, extracted data from it, and remained within it for months. Our business is built on keeping our promises. Otherwise, no one would work with us or pay us. Reputation drives payments.

To confirm that we were in your filestorages, servers, and your endpoints, you can view the listing and request any file from it as proof. Additionally, as a bonus, after payment, you will receive a detailed report on your network's security: how to improve it, how to prevent future breaches, what mistakes were made, and how to avoid such situations in the future. Similar reports cost hundreds of thousands when done by professional Red Teams. We are better than a Red Team — we are the ones security companies promise to protect you from. Our reports are even more valuable. And they come as a bonus with your payment, free of charge.

[Explanation]

---BELOW IS TECHNICAL INFORMATION REQUIRED FOR US TO PROVIDE YOU WITH DECRYPTION TOOL, DO NOT REDACT---
ID=[ID]
---FINISH---

文章来源: https://blog.lexfo.fr/analysis-of-secp0-ransomware.html
如有侵权请联系:admin#unsafe.sh