Frag Ransomware: Analysis and Mitigation Techniques

The leak site ("storefront") of the ransomware brand Frag was indexed by ransomware.live and other trackers around March 24, but its activity dates back to at least October 2024. Key findings:

  1. Initial Activity: The ransomware’s announcement post is dated February 11, with data leaks appearing as early as February 19, 2025.
  2. Multi-Platform Attacks: Frag has encryptors for Windows, Linux, and ESXi, with features like partial encryption (1-100%), recursive directory targeting, and self-deletion.
  3. Threat Actors: At least 2-3 groups are involved, leaking data in RAR and 7zip formats.
  4. Victim Timeline: Some attacks occurred as early as October 2024, with a sample from November 2024 (SHA-1: af18edd87d9159362b53349f85b858975919fc56).

You Should Know: Detection and Mitigation

1. Detect Frag Ransomware Artifacts

  • Windows:
    Get-ChildItem -Path C:\ -Recurse -Force -ErrorAction SilentlyContinue | Where-Object { $_.Name -match "Frag_encryptor|Frag_readme" }
    
  • Linux/ESXi:
    find / -type f -iname "*Frag*" 2>/dev/null
    

2. Analyze Suspicious Processes

  • Windows:
    tasklist /svc | findstr /i "encrypt Frag"
    
  • Linux:
    ps aux | grep -E "encrypt|Frag"
    

3. Check for Unusual Network Traffic

  • Linux:
    netstat -ano | grep ESTABLISHED
  • Windows:
    netstat -ano | findstr ESTABLISHED
    
  • ESXi:
    esxcli network ip connection list | grep -v "vmware"
    

4. Disable Vulnerable Services

  • ESXi: Restrict SSH/WBEM (block the SSH firewall ruleset and disable the WBEM/CIM service):
    esxcli network firewall ruleset set --ruleset-id=sshServer --enabled=false
    esxcli system wbem set --enable false
    

5. Restore from Backups

  • Verify Backups: Ensure backups are air-gapped and immutable.
  • Linux/ESXi: Test restore:
    tar -xvzf /backup/latest.tar.gz -C /verify_restore
    
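As an added example (not from the original post and not derived from any Frag sample), the script below combines the artifact-name check from step 1 with an entropy heuristic for the partial-encryption feature noted above: a file is scored in 4 KiB windows, and a mix of ciphertext-like and plaintext-like windows flags a partial-encryption candidate. The artifact name pattern is the post's; the window size, thresholds and sample data are constructed assumptions.

```python
import math
import os
import random
import re
from collections import Counter

# Artifact names from the post; thresholds and window sizes are assumptions.
ARTIFACT_RE = re.compile(r"Frag_encryptor|Frag_readme", re.IGNORECASE)
CHUNK = 4096           # bytes per entropy window
MIN_WINDOW = 1024      # shorter windows cannot reach ~8 bits/byte; skip them
HIGH, LOW = 7.5, 6.0   # bits/byte: ciphertext-like vs. typical plaintext


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list:
    windows = (data[i:i + chunk] for i in range(0, len(data), chunk))
    return [shannon_entropy(w) for w in windows if len(w) >= MIN_WINDOW]


def classify(data: bytes) -> str:
    """'full' if every window looks encrypted, 'partial' if windows are mixed
    (what percentage-based partial encryption leaves behind), else 'plain'.
    Compressed archives (RAR/7z/zip) also score high; exclude them upstream."""
    ents = chunk_entropies(data)
    if not ents:
        return "plain"
    if all(e >= HIGH for e in ents):
        return "full"
    if any(e >= HIGH for e in ents) and any(e < LOW for e in ents):
        return "partial"
    return "plain"


def scan_tree(root: str) -> dict:
    """Walk root; report artifact-name hits and per-file entropy verdicts."""
    hits = {"artifacts": [], "partial": [], "full": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if ARTIFACT_RE.search(name):
                hits["artifacts"].append(path)
            try:
                with open(path, "rb") as fh:
                    verdict = classify(fh.read(1 << 20))  # first 1 MiB only
            except OSError:
                continue
            if verdict != "plain":
                hits[verdict].append(path)
    return hits


def demo_samples() -> dict:
    """Constructed inputs: plaintext, head-only encryption, full encryption."""
    rng = random.Random(1)
    text = (b"quarterly report line\n" * 2000)[:CHUNK * 8]
    cipher = rng.randbytes(CHUNK * 8)
    return {"plain": classify(text),
            "partial": classify(cipher[:CHUNK * 2] + text[CHUNK * 2:]),
            "full": classify(cipher)}
```

Run `scan_tree("/")` (or a mounted datastore path on ESXi) to list candidates; note that the entropy heuristic is a triage signal, not proof of encryption.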

What Undercode Says

Frag’s multi-platform capability and stealthy deployment (e.g., partial encryption) make it a high-risk threat. Key takeaways:
– Monitor file creation dates (`stat` on Linux, `Get-ItemProperty` on Windows).
– Isolate ESXi hosts from unnecessary network access.
– Log Aggregation: Use SIEM tools to detect `encrypt` process spawns.
– Patch VMware ESXi (CVE-2024-XXXX).

Expected Output:

Frag_encryptor.exe detected in C:\Temp.
ESXi host 192.168.1.10: Suspicious process "Frag_linux" (PID 4412).

Reported By: Valerymarchive Ransomware – Hackers Feeds