November 30, 2023

SFile ransomware (aka Escal),  was observed  earlier targeting only Windows systems. Some variants of the ransomware append the English name of the target company to the filenames of the encrypted files.Recently, it’s been detected that a Linux variant of the SFile ransomware that uses the RSA+AES algorithm mode.

Researchers discovered an SFile ransomware variant supporting the FreeBSD platform that was used in attacks against a partially state-owned company in China.

The SFile ransomware uses the Mbed TLS library, RSA-2048 and AES-256 algorithms for file encryption. The ransomware does not have its own portal; the attackers communicate with victims via email


The ransomware was involved in targeted attacks against corporate and government networks. This  Linux version of the SFile ransomware implements a few improvements, the most interesting one is the ability to encrypt files based on their creation/access date. The principle is simple, according to the authors of the malware, recent files may be more important for some victims and typically they are not included in recent backups.

The most interesting of these was the ability to encrypt files based on a time range to encrypt recent files, which may be of more importance for some victims, and typically not included in recent backups. The number of SFile ransomware infections is still very small, suggesting work is still in progress

Leave a Reply

%d bloggers like this: