DarkRadiation Ransomware Targets Linux Distributions


Although most malware is developed for Windows environments, a large amount of malware is also developed for Unix-like operating systems such as macOS and Linux distributions. One of these malware families, DarkRadiation, is a Bash ransomware targeting Red Hat and Debian-based Linux distributions [1] and Docker cloud containers [2].

The malware uses a sophisticated collection of Bash scripts and at least a half-dozen C2s, and communicates with Telegram bots via hardcoded API keys. The DarkRadiation scripts depend on wget, curl, sshpass, pssh, and openssl. If any of these are missing from the infected device, the ransomware uses YUM, a Python-based package manager, to obtain these essential tools.

The ransomware can erase all users on an infected system and create a separate account for the attacker. For file encryption, it uses OpenSSL's AES algorithm to encrypt either specific files or all files in a defined directory.
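The behaviours described above can be correlated per host in process-execution logs. The following is an added example, not code from Picus or the cited reports; the log format (`epoch host user command`), the rule patterns, the window and threshold, and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Behaviours the article attributes to DarkRadiation, as command-line patterns.
# These patterns are this example's assumptions, not Picus or vendor signatures.
RULES = {
    "dep_install": re.compile(r"\byum\b.*\binstall\b.*\b(sshpass|pssh)\b"),
    "telegram_api": re.compile(r"\b(curl|wget)\b.*api\.telegram\.org/bot"),
    "user_delete": re.compile(r"\buserdel\b"),
    "user_create": re.compile(r"\b(useradd|adduser)\b"),
    "openssl_aes": re.compile(r"\bopenssl\s+enc\b.*-aes-\d+"),
}

# Constructed sample records (hosts, users, paths and the token are placeholders).
SAMPLE = [
    "1624000000 web01 root yum install -y sshpass pssh",
    "1624000030 web01 root curl -s https://api.telegram.org/bot<TOKEN>/sendMessage",
    "1624000060 web01 root userdel -f alice",
    "1624000090 web01 root openssl enc -aes-256-cbc -in /srv/a.db -out /srv/a.db.enc",
    "1624000000 db01 admin openssl enc -aes-256-cbc -in backup.tar -out backup.tar.enc",
    "1624003000 db01 admin yum install -y sshpass",
    "bad line",
]

def detect(lines, window=600, threshold=3):
    """Return {host: behaviours} for hosts with >= threshold distinct behaviours in window s."""
    events = defaultdict(list)  # host -> [(timestamp, behaviour)]
    for line in lines:
        parts = line.split(maxsplit=3)
        if len(parts) < 4 or not parts[0].isdigit():
            continue  # skip malformed records instead of failing the whole run
        ts, host, cmd = int(parts[0]), parts[1], parts[3]
        for name, rx in RULES.items():
            if rx.search(cmd):
                events[host].append((ts, name))
    alerts = {}
    for host, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            # Distinct behaviours seen within `window` seconds of this event.
            seen = {n for t, n in evs[i:] if t - start <= window}
            if len(seen) >= threshold:
                alerts[host] = sorted(seen)
                break
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE))
```

A single `openssl enc` or `yum install` on its own is routine administration, which is why the check only alerts when several distinct behaviours cluster on one host in a short window.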

Picus Labs has updated the Picus Threat Library with new attack methods for malware samples used by the DarkRadiation ransomware. 

| Picus ID | Threat Name |
|---|---|
|  | DarkRadiation Ransomware .SH File Download Variant-1 |
|  | DarkRadiation Ransomware .SH File Download Variant-2 |


MITRE ATT&CK Techniques used by DarkRadiation

Execution

  • T1059.004 Command and Scripting Interpreter: Unix Shell

Privilege Escalation

  • T1548 Abuse Elevation Control Mechanism
  • T1543.002 Create or Modify System Process: Systemd Service

Defense Evasion

  • T1027 Obfuscated Files or Information
  • T1202 Indirect Command Execution
  • T1014 Rootkit
  • T1548 Abuse Elevation Control Mechanism

Discovery

  • T1082 System Information Discovery
  • T1083 File and Directory Discovery (System Object Enumeration)

Persistence

  • T1543.002 Create or Modify System Process: Systemd Service

Impact

  • T1486 Data Encrypted for Impact

Other Linux Malware in Picus Threat Library

Picus Threat Library consists of 364 threats for Linux distributions, including Skidmap, TeamTNT, Rocke, Blackrota, Xanthe, Lucifer, FritzFrog, Kinsing, Bigviktor, Tor2Mine, Kingminer, Sandworm, Kaiji, Asnarok, LeetHozer, APT41, AESDDoS, Silex, Monero, HiddenWasp, Outlaw, Mirai, Korkerds, SpeakUp, Hakai, ChinaZ, Butter, SSHDoor, Miori, Torii, Gafgyt, Prowli, HNS, Wicked, OMG, JenX, VPNFilter, DDG, GoScanSSH, Owari, AES IoT Botnet, IOTroop, Hajime, PNScan, GoARM.Bot, KillFile, Mumblehard, Persirai, SHELLBIND, Hide N Seek, kworker, Ruby Cryptominer, XOR.DDoS, Moose, EternalMiner, Monero Miner, Erebus, Turla, Yangji, Tsunami, and Snakso.


[1] https://www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html

[2] https://www.sentinelone.com/blog/darkradiation-abusing-bash-for-linux-and-docker-container-ransomware/

