Executive Summary
In June 2025, a financially motivated cybercrime group tracked as CL-CRI-1036 launched targeted ransomware attacks against select organizations in the Asia-Pacific region using a new cross-platform strain, 01flip, written in Rust. Initial access appears to have been gained by exploiting known, unpatched vulnerabilities in internet-facing applications, including CVE-2019-11580 in Atlassian Crowd, followed by lateral movement and mass deployment of ransomware payloads across Windows and Linux systems. The attackers demanded payment in Bitcoin and posted evidence of stolen data on dark web forums, impacting at least one critical infrastructure operator and resulting in operational disruption and data exposure.
This incident highlights the rapid evolution of ransomware, with threat actors adopting modern languages such as Rust to build a single code base that runs on both Windows and Linux and is harder for signature-based tooling to recognize. The emergence of 01flip demonstrates the continuing risk posed by long-known but unpatched vulnerabilities (CVE-2019-11580 dates from 2019), inadequate network segmentation, and cross-platform malware, underscoring the need for organizations to prioritize patching of internet-facing applications alongside proactive threat detection and incident response capabilities.
Why This Matters Now
The 01flip campaign exemplifies a new wave of multi-platform ransomware leveraging modern programming languages and hands-on intrusion techniques to bypass traditional security controls. Rapid adoption of such tools by cybercriminals means organizations must urgently update prevention and detection measures, especially amid heightened ransomware activity and increasing regulatory scrutiny.
Attack Path Analysis
Attackers exploited a public-facing vulnerability to gain initial access, then deployed Sliver implants (in beacon mode) for persistence and, where needed, privilege escalation. Using Sliver, they performed internal reconnaissance and moved laterally to additional Linux hosts. Command and control was chained between implants over TCP pivots, so only a few hosts needed a direct outbound path to the operators' infrastructure, and the operators retained hands-on-keyboard access throughout. The ransomware binary itself contains no exfiltration capability; the data later posted on dark web forums would have been taken during this interactive phase, using dumped credentials and abused access. 01flip was then deployed at scale, resulting in mass encryption and operational disruption.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited an internet-facing application (likely via CVE-2019-11580) to gain unauthorized entry to the target environment.
Related CVEs
CVE-2019-11580 (CVSS 9.8)
Atlassian Crowd and Crowd Data Center shipped release builds with the pdkinstall development plugin enabled. An attacker who can send requests to the instance, authenticated or not, can use that plugin to install an arbitrary plugin, which yields remote code execution on the Crowd host.
Affected Products:
Atlassian Crowd – 2.1.0 to 3.0.4, 3.1.0 to 3.1.5, 3.2.0 to 3.2.7, 3.3.0 to 3.3.4, 3.4.0 to 3.4.3 (fixed in 3.0.5, 3.1.6, 3.2.8, 3.3.5 and 3.4.4)
Exploit Status:
Exploited in the wild; listed in the CISA Known Exploited Vulnerabilities catalog
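The two checks a responder wants for this CVE are a version test against the affected ranges listed above and a scan of the Crowd web server's access log for the plugin-upload action that the pdkinstall development plugin exposes. The block below is an added example, not code from the Unit 42 report, Atlassian or this page; the Tomcat combined log format, the default /crowd context path and the /admin/uploadplugin.action endpoint are assumptions, and the log lines are constructed.

```python
import re

# Inclusive Crowd version ranges affected by CVE-2019-11580, copied from the
# Affected Products list above.
AFFECTED_RANGES = [
    ((2, 1, 0), (3, 0, 4)),
    ((3, 1, 0), (3, 1, 5)),
    ((3, 2, 0), (3, 2, 7)),
    ((3, 3, 0), (3, 3, 4)),
    ((3, 4, 0), (3, 4, 3)),
]


def parse_version(version):
    """Turn 'major.minor.patch' into a tuple of ints that compares correctly."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Crowd version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True if the given Crowd version falls inside an affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


# Assumed Tomcat/Apache combined log format:
# client ident user [timestamp] "METHOD path protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Action exposed by the pdkinstall development plugin (assumed path). A
# production Crowd instance has no legitimate reason to receive a POST here.
UPLOAD_ENDPOINT = re.compile(r"/admin/uploadplugin\.action$")


def find_plugin_uploads(log_lines):
    """Return (client_ip, timestamp, status) for every POST to the upload action.

    A 200 means the plugin was accepted and code execution should be assumed;
    a 403/404 is still worth knowing about as an attempt.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # drop any query string before matching
        if m["method"] == "POST" and UPLOAD_ENDPOINT.search(path):
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits


# Constructed sample log lines (not from the incident) for a Crowd instance at /crowd.
SAMPLE_LOG = [
    '198.51.100.23 - - [12/Jun/2025:08:14:02 +0000] "GET /crowd/console/login.action HTTP/1.1" 200 4321',
    '203.0.113.7 - - [12/Jun/2025:08:15:41 +0000] "POST /crowd/admin/uploadplugin.action HTTP/1.1" 200 312',
    '198.51.100.23 - - [12/Jun/2025:08:15:50 +0000] "GET /crowd/rest/usermanagement/1/session HTTP/1.1" 401 97',
    '198.51.100.23 - - [12/Jun/2025:08:16:10 +0000] "POST /crowd/admin/uploadplugin.action?x=1 HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for ver in ("3.4.3", "3.4.4", "2.0.9"):
        print(ver, "vulnerable" if is_vulnerable(ver) else "not affected")
    for ip, ts, status in find_plugin_uploads(SAMPLE_LOG):
        print(f"plugin upload from {ip} at {ts}: HTTP {status}")
```

Run the version check against the string from the Crowd administration console or the installed package, and run the log scan over the full retention window rather than only the incident day: CVE-2019-11580 has been exploited since 2019, so an earlier successful upload may predate the ransomware deployment by a long time.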
MITRE ATT&CK® Techniques
Exploit Public-Facing Application (T1190)
Command and Scripting Interpreter (T1059)
Valid Accounts (T1078)
Brute Force (T1110)
Remote Services (T1021)
Data Encrypted for Impact (T1486)
Indicator Removal on Host (T1070, now named Indicator Removal)
System Information Discovery (T1082)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – User Authentication and Access Controls
Control ID: 8.2.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (EU Digital Operational Resilience Act) – Protection and Prevention of ICT-related Incidents
Control ID: Art. 9(2)
CISA Zero Trust Maturity Model 2.0 – Enforce Least Privilege and Identity Assurance
Control ID: Identity Pillar: Access Management
NIS2 Directive – Risk Analysis and Security Policies
Control ID: Art. 21(2)(a)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology (IT)
01flip's single Rust code base encrypts Windows and Linux hosts alike, so mixed server fleets and cloud workloads are exposed together; an unpatched internet-facing application such as Atlassian Crowd (CVE-2019-11580) is all the entry point the attackers need.
Financial Services
Bitcoin ransom demands and the public posting of stolen data put financial institutions' data-protection and incident-reporting obligations at risk; because command and control was chained between hosts over Sliver TCP pivots, zero trust designs must inspect internal and encrypted traffic rather than trust it implicitly.
Health Care / Life Sciences
Healthcare organizations face HIPAA exposure from 01flip's encryption of clinical and administrative systems and from the data theft that precedes it, particularly where internet-facing identity or collaboration servers remain unpatched against long-known vulnerabilities such as CVE-2019-11580.
Government Administration
Government entities in the Asia-Pacific region face heightened risk from 01flip's multi-platform capabilities and from the hands-on intrusion tradecraft used against critical infrastructure.
Sources
- 01flip: Multi-Platform Ransomware Written in Rust, https://unit42.paloaltonetworks.com/new-ransomware-01flip-written-in-rust/ (Verified)
- CVE-2019-11580 Detail, https://nvd.nist.gov/vuln/detail/CVE-2019-11580 (Verified)
- CISA Known Exploited Vulnerabilities Catalog, https://www.cisa.gov/known-exploited-vulnerabilities-catalog (Verified)
- Atlassian Crowd Security Advisory (CWD-5388), https://jira.atlassian.com/browse/CWD-5388 (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust controls such as network segmentation, egress enforcement, encrypted traffic inspection, and threat detection would have reduced initial exposure, hampered lateral movement, and limited ransomware spread or data leakage within the environment. Applying CNSF-aligned capabilities across hybrid and multi-cloud infrastructure layers disrupts attacker workflows and detects abnormal behaviors early in the kill chain.
Control: Cloud Firewall (ACF)
Mitigation: Inbound access to internet-facing applications is restricted to the ports and sources actually required, so administrative interfaces such as Crowd's plugin-management actions are not reachable from the internet, and exploitation attempts against known vulnerabilities are blocked at the perimeter.
Control: Threat Detection & Anomaly Response
Mitigation: Suspicious privilege escalation and credential dumping activity are detected rapidly.
Control: Zero Trust Segmentation
Mitigation: Lateral movement pathways are minimized or blocked entirely.
Control: Inline IPS (Suricata)
Mitigation: Known C2 traffic or threat signatures are detected and blocked in real-time.
Control: Egress Security & Policy Enforcement
Mitigation: Unapproved outbound connections are detected and prevented.
Rapid ransomware propagation is identified and contained.
Impact at a Glance
Affected Business Functions
- Email Communications
- File Storage
- User Authentication
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive user credentials and internal communications due to unauthorized access and data encryption by ransomware.
Recommended Actions
Key Takeaways & Next Steps
- Enforce strict zero trust segmentation and microsegmentation across all cloud and on-prem workloads to prevent lateral movement by malware or tools like Sliver.
- Deploy cloud-native firewalls and tightly restrict inbound and outbound connectivity to minimize attack surface and block exploitation attempts.
- Implement real-time inline IDS/IPS (e.g., Suricata) with threat signature updates to detect and disrupt malicious command-and-control and exploitation activity.
- Continuously monitor internal traffic (east-west) for anomalous patterns, including credential access and ransomware propagation, and automate alerting/response.
- Apply robust egress filtering and outbound policy enforcement to detect and block potential data exfiltration and reduce ransomware aftermath risks.
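The east-west monitoring recommended above is what would have surfaced the attack path described earlier: one host sweeping many servers over SSH, then a long-lived session to an odd port that a Sliver TCP pivot would produce. The block below is an added example, not code from this page or from any vendor product it names; it runs over constructed flow records shaped like NetFlow or cloud VPC flow logs, and the internal address ranges, the "admin" port set and the allowlist of expected service ports are assumptions to be replaced with an organization's own.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One summarised TCP flow (constructed for this example)."""
    ts: int        # flow start, epoch seconds
    src: str
    dst: str
    dport: int
    duration: int  # seconds the connection stayed open


# Assumed internal address space and service expectations.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
ADMIN_PORTS = {22, 445, 3389, 5985, 5986}                  # SSH, SMB, RDP, WinRM: lateral-movement services
EXPECTED_PORTS = {22, 53, 80, 443, 445, 3389, 5985, 5986}  # ports where sanctioned internal services listen


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_fanout(flows, threshold=5, window_s=300):
    """Sources that opened admin-port connections to at least `threshold` distinct
    internal hosts inside one fixed window: the reconnaissance and lateral-movement
    pattern. Bucketing by ts // window_s keeps the example simple; a sliding window
    would also catch sweeps that straddle a bucket boundary."""
    targets = defaultdict(set)  # (src, time bucket) -> distinct internal destinations
    for f in flows:
        if f.dport in ADMIN_PORTS and is_internal(f.src) and is_internal(f.dst):
            targets[(f.src, f.ts // window_s)].add(f.dst)
    return {src for (src, _), dsts in targets.items() if len(dsts) >= threshold}


def detect_unexpected_listeners(flows, min_duration=600):
    """Long-lived internal-to-internal flows to a port no sanctioned service uses.
    A compromised host relaying other implants' traffic as a TCP pivot looks exactly
    like this: one peer holding a session open for a long time on a port that nothing
    in the service inventory explains."""
    return {
        (f.dst, f.dport)
        for f in flows
        if is_internal(f.src) and is_internal(f.dst)
        and f.dport not in EXPECTED_PORTS and f.duration >= min_duration
    }


BASE = 1_749_000_000  # arbitrary epoch anchor for the constructed sample
SAMPLE_FLOWS = [
    # one host sweeps seven Linux servers over SSH within two minutes
    *[Flow(BASE + 15 * i, "10.0.1.5", f"10.0.2.{10 + i}", 22, 3) for i in range(7)],
    # the same host then holds an hour-long session to a non-standard port on a server it reached
    Flow(BASE + 200, "10.0.1.5", "10.0.2.10", 8888, 3600),
    # ordinary administration and DNS from another host
    Flow(BASE + 50, "10.0.3.3", "10.0.2.10", 22, 40),
    Flow(BASE + 60, "10.0.3.3", "8.8.8.8", 53, 1),
    # a brief internal connection to an unexpected port is not enough on its own
    Flow(BASE + 70, "10.0.3.3", "10.0.2.11", 8080, 5),
]

if __name__ == "__main__":
    print("fan-out sources:", detect_fanout(SAMPLE_FLOWS))
    print("unexpected listeners:", detect_unexpected_listeners(SAMPLE_FLOWS))
```

Both detections are deliberately coarse so that they can run on flow summaries from a firewall or cloud provider without packet capture. Tune the thresholds against a baseline of normal administration (configuration-management hosts legitimately fan out), and treat a source that trips both checks as a lateral-movement investigation, not a single alert.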