Analysis of Secp0 Ransomware

July 16, 2025, 8:19 a.m.

Description

Secp0 is a ransomware family that emerged in early 2025 and was initially mischaracterized as a vulnerability-disclosure extortion group. In practice it operates as conventional double-extortion ransomware: it encrypts data and threatens to publish it. The malware is an ELF binary targeting Linux systems and uses ChaCha20 for file encryption with ECDH for key exchange. It features configurable command-line options and embedded encrypted data. The encryption process generates session and per-file key pairs, derives shared keys from them, and appends the information needed for decryption to each encrypted file. Because of this key structure, files cannot be decrypted without the attacker's private key, which makes recovery without the attacker's cooperation challenging.

Date

  • Created: July 16, 2025, 8:08 a.m.
  • Published: July 16, 2025, 8:08 a.m.
  • Modified: July 16, 2025, 8:19 a.m.

Indicators

  • bbcf4469a0a849ec3c65bbf2ad188896f8d222b7f4e6e5b1c85747ae3ad95818
  • secponewsxgrlnirowclps2kllzaotaf5w2bsvktdnz4qhjr2jnwvvyd.onion
  • secp0-support.net
  • secp0-support.cfd
  • bhn2xz5jer2xeibxjzhgfp7qclttnbvkkvd4hvlmjbnz66jxq7yzn6ad.onion
  • 2a6w667vebiebciji7vm3vj43svegvozoqypttdgojzgdcbnfsu5wiid.onion

Attack Patterns

Additional Information

  • Information Technology
  • United States of America