Redis servers were attacked with a novel ransomware module


Photo: WhataWin/

A Rust-based malware dubbed P2Pinfect, under constant surveillance by security researchers, has been found deploying a new ransomware module and crypto miner on Redis servers. The malware appeared to be a dormant botnet but has since amped up activity with evidence suggesting a botnet-for-hire model. However, conflicting information about the malware’s actions means researchers can’t draw concrete conclusions yet.

P2Pinfect was first discovered in July 2023 by Unit 42 researchers, targeting Redis servers using known vulnerabilities. Security researchers from Cado Security did a follow-up investigation that revealed the malware was using a Redis replication feature to spread between servers, increasing its activity to thousands of breach attempts weekly between August and September 2023.

Ransom note left behind by the new ransomware module. | Source: Cado Security

A new variant of P2Pinfect was discovered in December, and now Cado Security researchers have discovered that the malware has evolved to deploy a new ransomware module and a previously dormant Monero crypto miner. Starting May 16, 2024, systems infected with P2Pinfect received a command to download and run the new ransomware payload from a provided URL. This command is valid until December 17, 2024.

The ransomware isn’t anything special in terms of design and function. On execution, it checks for the existence of a ransom note to avoid re-encrypting already-breached systems. If no note is found, the ransomware targets databases, documents, and media files by appending the ‘.encrypted’ extension to the target files. It then goes through all available directories, encrypts files, and keeps a locked database in another temporary file.

Since Redis is generally deployed in memory, there’s little more to encrypt than configuration files. The ransomware module can still be quite a headache for the system owner, although the encryption process is limited to the compromised Redis user and any files accessible to that user.
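A triage sketch for the behaviour described above, added here as an example and not code from the article or from Cado Security: it walks a directory tree for files carrying the ‘.encrypted’ extension that were modified on or after May 16, 2024, optionally limited to one owner such as the Redis service account. The function names, the sample tree and the "original file missing" heuristic are assumptions made for illustration.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

SUFFIX = ".encrypted"  # extension the article says is appended to target files
CAMPAIGN_START = datetime(2024, 5, 16, tzinfo=timezone.utc)  # date from the article

def scan(root, owner_uid=None, since=CAMPAIGN_START):
    """Return (hits, per_dir) for SUFFIX files under root modified on/after `since`.
    owner_uid narrows the scan to one account, e.g. the Redis service user."""
    hits, per_dir = [], Counter()
    cutoff = since.timestamp()
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        names = set(files)
        for name in files:
            if not name.endswith(SUFFIX) or name == SUFFIX:
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if owner_uid is not None and st.st_uid != owner_uid:
                continue
            if st.st_mtime < cutoff:
                continue
            # Assumed heuristic: a renamed file leaves no sibling with the original name.
            missing = name[:-len(SUFFIX)] not in names
            hits.append({"path": path, "original_missing": missing})
            per_dir[dirpath] += 1
    return hits, per_dir

def build_sample(root):
    """Create a constructed sample tree (not real incident data)."""
    recent = datetime(2024, 6, 1, tzinfo=timezone.utc).timestamp()
    old = datetime(2022, 1, 1, tzinfo=timezone.utc).timestamp()
    layout = {"etc/redis.conf.encrypted": recent, "etc/users.acl.encrypted": recent,
              "etc/users.acl": recent, "backup/dump.rdb.encrypted": old,
              "backup/notes.txt": recent}
    for rel, mtime in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed\n")
        os.utime(path, (mtime, mtime))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for hit in sorted(scan(tmp)[0], key=lambda h: h["path"]):
            print(hit["path"], "original missing:", hit["original_missing"])
```

A hit whose original name is still present alongside it is more likely an unrelated file that merely shares the extension, so the `original_missing` flag helps rank results for review.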

The crypto mining module starts five minutes after the ransomware module and surprisingly uses all available computing power to mine Monero. In some cases, this can even affect the ransomware module. Cado researchers report that the miner has made 71 XMR from the examined samples, translating to about $10,000. However, there’s a chance the actual number may be higher as the attackers might be using multiple wallet addresses.

Wallet details for P2Pinfect’s crypto mining module. | Source: Cado Security

Last, a new user-mode rootkit lets the malware hide its malicious processes, data access events, file operations, and even network operations from security tools. Again, its effectiveness is limited by the usual Redis in-memory deployment. Regardless, P2Pinfect may have felt like an experiment, but the malware can pose a serious threat to affected systems and should be dealt with cautiously.


Yadullah Abidi


Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018.