A new ransomware strain known as 01flip, written in Rust, has begun appearing with increasing frequency in attacks against organizations across the Asia-Pacific region. According to Palo Alto Networks’ Unit 42, the activity has so far affected a limited number of targets, but notably includes entities linked to critical infrastructure in Southeast Asia.
The researchers are tracking the campaign under the designation CL-CRI-1036 and assess the threat actors as financially motivated, relying largely on hands-on operations rather than full automation. In one instance, shortly after an intrusion, a message surfaced on a dark web forum threatening the potential publication of the victim’s data. Separately, a post on a specialized forum attributes a breach to the compromise of a Zimbra server, suggesting a possible point of entry.
Initial access is believed to have begun with attempts to exploit legacy vulnerabilities, including CVE-2019-11580, in internet-facing applications. The attackers then deployed a Linux version of Sliver—a cross-platform framework commonly used for command-and-control and lateral movement within compromised environments. Subsequently, 01flip spread across the infrastructure and was executed on both Windows and Linux systems, although the precise mechanism behind its broader deployment remains unclear.
The core functionality of 01flip is characteristic of ransomware, though its implementation in Rust significantly complicates static and dynamic analysis. The malware enumerates available drives, drops ransom notes into writable directories, encrypts files using AES-128-CBC, secures the encryption keys with RSA-2048, appends the .01flip extension to affected data, and attempts to erase traces of its activity.
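The indicators in the paragraph above (the `.01flip` extension on encrypted files, ransom notes dropped into writable directories, and AES-CBC ciphertext, which has near-maximal byte entropy) are enough to build a simple post-incident triage scan. The Python below is an added example written for this article, not code from Unit 42 or from the malware; it assumes a placeholder ransom note file name (the report excerpt does not give the real one), an entropy threshold of 7.5 bits per byte, and a constructed sample directory so it runs offline:

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# From the article: encrypted files get this extension appended.
ENCRYPTED_EXT = ".01flip"
# ASSUMPTION: the real note file name is not given in the excerpt; placeholder only.
RANSOM_NOTE_NAME = "RANSOM_NOTE_PLACEHOLDER.txt"
# ASSUMPTION: AES-CBC output is indistinguishable from random bytes, so ciphertext
# sits near 8.0 bits/byte; 7.5 separates it from most documents and source code.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_tree(root) -> dict:
    """Walk a directory tree and collect three classes of indicator:
    files carrying the .01flip extension, ransom notes, and files without the
    extension whose content is high-entropy (possible renaming evasion)."""
    findings = {"encrypted": [], "notes": [], "high_entropy_unknown": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE_NAME:
                findings["notes"].append(str(path))
                continue
            if name.endswith(ENCRYPTED_EXT):
                findings["encrypted"].append(str(path))
                continue
            try:
                data = path.read_bytes()[:65536]  # sample the first 64 KiB only
            except OSError:
                continue
            if len(data) >= 256 and shannon_entropy(data) >= ENTROPY_THRESHOLD:
                findings["high_entropy_unknown"].append(str(path))
    return findings


def triage(findings: dict) -> str:
    """Combine indicators into a coarse verdict for an analyst queue."""
    if findings["encrypted"] and findings["notes"]:
        return "likely-01flip-encryption"
    if findings["encrypted"] or findings["notes"]:
        return "suspicious"
    return "clean"


def build_sample_tree(root) -> Path:
    """Constructed sample data (not a real victim): one 'encrypted' file of
    random bytes, one placeholder note, and one ordinary text file."""
    root = Path(root)
    docs = root / "docs"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / ("report.docx" + ENCRYPTED_EXT)).write_bytes(os.urandom(1024))
    (docs / RANSOM_NOTE_NAME).write_text("placeholder note text")
    (root / "readme.txt").write_text("plain text " * 50)
    return root


def run_demo():
    """Build the constructed tree in a temp directory, scan it, and return
    (findings, verdict) so the result can be checked programmatically."""
    root = build_sample_tree(tempfile.mkdtemp(prefix="01flip-triage-"))
    findings = scan_tree(root)
    return findings, triage(findings)


if __name__ == "__main__":
    found, verdict = run_demo()
    for category, paths in found.items():
        print(f"{category}: {len(paths)}")
    print("verdict:", verdict)
```

The entropy check matters because a simple extension match is easy to miss if an operator renames files after encryption; sampling only the first 64 KiB keeps the scan cheap on large shares. In a real response the placeholder note name would be replaced with the name observed in the affected environment, and the file lists fed to the IR timeline alongside Sliver and Zimbra artefacts mentioned elsewhere in the article.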
To evade detection, the malware employs low-level system calls and string obfuscation. In several samples, analysts also observed a rudimentary sandbox check: if a specific file name is detected, the encryption routine is skipped.
In documented cases, the ransom demand was set at one bitcoin—approximately $90,000 at the time of reporting. Thus far, the campaign lacks the dual-extortion infrastructure commonly associated with larger ransomware operations. An intriguing detail is the presence of the string “lockbit” within the list of excluded file extensions, hinting at a possible overlap with the LockBit ecosystem; however, no further evidence has emerged to substantiate a direct connection.