Multi-Platform Ransomware Written in Rust

Dec. 21, 2025, 6:56 p.m.

Description

A new ransomware family named 01flip, written in Rust, has been observed targeting victims in the Asia-Pacific region. The malware supports multi-platform architectures and has been used in attacks on critical infrastructure. Initial access was gained through exploitation of vulnerabilities in internet-facing applications. The ransomware encrypts files using AES-128-CBC and RSA-2048, appending the .01flip extension. It employs evasion techniques like using low-level APIs and encoding strings. A possible connection to the LockBit group was noted. The campaign appears to be in early stages, with limited victims so far. Data stolen in the attacks has been offered for sale on dark web forums.

External References

https://unit42.paloaltonetworks.com/new-ransomware-01flip-written-in-rust/
https://unit42.paloaltonetworks.com/wp-content/uploads/2025/12/05_Ransomware_Category_1920x900.jpg
https://otx.alienvault.com/pulse/693970602971d7b0012cf536
Tags
ransomware
rust
sliver
aes encryption
data leak
critical infrastructure
multi-platform
asia-pacific
2025-12-10
01flip
CVE-2019-11580

Date

  • Created: Dec. 10, 2025, 1:06 p.m.
  • Published: Dec. 10, 2025, 1:06 p.m.
  • Modified: Dec. 21, 2025, 6:56 p.m.

Indicators

  • 6aad1c36ab9c7c44350ebe3a17178b4fd93c2aa296e2af212ab28d711c0889a3
  • e5834b7bdd70ec904470d541713e38fe933e96a4e49f80dbfb25148d9674f957
  • ba41f0c7ea36cefe7bc9827b3cf27308362a4d07a8c97109704df5d209bce191
Download all indicators here!

Attack Patterns

  • Sliver
  • 01flip
  • CL-CRI-1036

Additional Informations

  • Heavy industries
  • Taiwan
  • Philippines

Linked vulnerabilities

CVE-2019-11580

None
Published: