Secp0 emerged in early 2025. Initially misunderstood as a group that withholds software vulnerabilities for ransom, it actually operates like a traditional ransomware.Secp0 delayed publications, citing a queue of companies and testing a software solution, believed to be the extortion platform World Leaks.Secp0 is an ELF binary for 64-bit architecture, developed in C/C++, using ChaCha20 encryption and ECDH key exchange.Secp0 based on its embedded encryption key.This article analyzes Secp0 ransomware, which emerged in early 2025 and was initially mischaracterized as a vulnerability disclosure extortion group. Our investigation confirms that Secp0 operates as conventional double-extortion ransomware, encrypting data while threatening public disclosure.
A technical analysis reveals an ELF binary targeting Linux systems, implementing ChaCha20 encryption with ECDH key exchange. The malware features configurable command-line options, embedded encrypted data, and an irrecoverable key structure preventing decryption without the attacker's cooperation.
This article provides actionable defenses including YARA detection rules based on hardcoded keys and detailed technical breakdowns.
In early 2025, a new ransomware group called Secp0 emerged, initially distinguishing itself with a novel extortion model that threatened to undermine conventional vulnerability disclosure practices. PRODAFT mentioned it in a tweet in March. Unlike traditional ransomware actors who encrypt files or leak stolen data, Secp0 allegedly identifies critical software vulnerabilities and demands payment to withhold their public disclosure. However, this understanding of Secp0 turned out to be false. Secp0 operates like many other ransomware groups, employing a double-extortion model where they encrypt victims' data and then threaten to expose it publicly.
Secp0 first appeared on the threat landscape in February 2025. By early March, cybersecurity researchers had begun publicly tracking and documenting the group's activities, with PRODAFT being among the first to alert the security community about Secp0's emergence. At this time, Secp0 had released a blog post about a flaw in Passwordstate, a software for password storage, where they explained it in detail and provided the files of the decompiled software. At that time, their strategy was misunderstood by analysts who thought they had a new extortion model that targeted solutions and then threatened to publicly disclose the vulnerabilities unless a ransom was paid. They made a blog post responding angrily to PRODAFT's tweet.

Also in March 2025, they claimed their first victim publicly, an IT service management company based in the United States. They claimed to have compromised over 900 accounts from the victim's network and encrypted Nutanix servers, Hyper-V servers, and NAS devices with backups. They threatened to publish all data, but until now, only a proof of compromise has been published.

In early May 2025, Secp0 claimed that their publications were on hold because they allegedly had a substantial queue of companies waiting for their data to be published and that their team was actively testing a software solution designed to streamline the publication of large datasets.

We believe that this software solution turned out to be the extortion platform World Leaks (which we discussed in a previous report). We assert with high confidence that the Secp0 ransomware was used on one of the victims claimed by World Leaks.
The Secp0 ransomware is identified as an ELF (Executable and Linkable Format) binary, specifically compiled for 64-bit architecture. It is developed using the C/C++ programming languages. Heuristic analysis indicates that the ransomware was compiled using GCC (GNU Compiler Collection) version 12.3.0 or Ubuntu clang version 14.0, on a system running Ubuntu Linux 22.04.

When executing, Secp0 ransomware can take ten arguments in its command line:
The ransomware was used like this by the threat actors:
./ran_64.elf --psw secp0 --fast --daemon --path [path]
As is typical with many programs, the execution of the ransomware begins with the main function. This function serves as the primary entry point and orchestrates the subsequent operations by invoking two critical functions: "prepare_encryption" and "recursive_opendir_n_encryption".

The "prepare_encryption" function makes sure that all the encryption requirements are satisfied:
The "recursive_opendir_n_encryption" function is designed to handle the core encryption operations and has the following primary responsibilities:
The ransomware binary contains embedded data essential for its operation. These data elements are encrypted to reduce the risk of detection by antivirus software.
The ransomware embeds several critical pieces of information necessary for its execution and functionality:
To decrypt these embedded data, the ransomware employs the ChaCha20 symmetric encryption algorithm. The encryption and decryption keys are hard-coded. The key and initialization vector (IV) used are as follows:
Key : 6162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F80
Iv : 0001020304050607

The embedded key can be used to create detection rules for identifying the presence of the ransomware. A YARA rule based on this key is provided at the end of this report, which can be used by security teams to detect and mitigate the threat posed by this ransomware.
--psw Option

--sleep Option



--daemon Option
log.secp0.

--nomotd Option
--path Option

Other Options
The encryption process of the ransomware is initiated when the user specifies a directory using the --path option. The contents of this directory are listed, and each file, except for the ransom note "RESTORE-SERVER.txt", is sent as an argument to the encryption function. If a directory is encountered, the function recursively lists and encrypts its contents.

At the beginning of this process, the ransom note "RESTORE-SERVER.txt" is created in each directory.

The ransomware employs the ChaCha20 symmetric encryption algorithm for encrypting files. This means the same key is used for both encryption and decryption. The key is generated using the Elliptic Curve Diffie-Hellman (ECDH) key exchange protocol, specifically utilizing the secp256k1 elliptic curve. This protocol securely exchanges a shared key using a public-private key system.
1 - Session Key Pair Generation:
2 - File Key Pair Generation:
3 - Shared Key Calculation:

Before encrypting a file, the ransomware appends necessary information for decryption at the end of the file.

The appended data (177 bytes) includes:

The session private key, crucial for decryption when combined with the file public key, is encrypted. However, the file "private key" is missing, which means the file cannot be decrypted using only the appended information. The session private key is encrypted using the ChaCha20 algorithm, with the encryption key derived from a combination of the attacker's public key and a temporary private key generated by the ransomware. Since both the temporary private key and the attacker's private key are unknown, it is impossible to recreate the encryption key.
Here is an explanation of the encryption process of Secp0 ransomware:

| Indicators | Indicator type | Description |
|---|---|---|
| bbcf4469a0a849ec3c65bbf2ad188896f8d222b7f4e6e5b1c85747ae3ad95818 | sha256 | Secp0 ransomware binary |
| secp0-support[.]net | domain name | Secp0 Negociation Pannel |
| secp0-support[.]cfd | domain name | Secp0 Negociation Pannel |
| bhn2xz5jer2xeibxjzhgfp7qclttnbvkkvd4hvlmjbnz66jxq7yzn6ad[.]onion | onion address | Secp0 Negociation Pannel |
| 2a6w667vebiebciji7vm3vj43svegvozoqypttdgojzgdcbnfsu5wiid[.]onion | onion address | Secp0 Negociation Pannel |
| secponewsxgrlnirowclps2kllzaotaf5w2bsvktdnz4qhjr2jnwvvyd[.]onion | onion address | Secp0 Blog |
rule secp0 {
meta:
title = "SECP0 ransomware detection"
description = "match embedded ransomware note decryption key"
date = "2025-06-30"
author = "Lexfo"
os = "Linux, maybe Windows"
score = 90
strings:
$key = { 6162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F80 }
$iv = { 0001020304050607 }
$chacha1 = "expand 16-byte k"
$chacha2 = "expand 32-byte k"
condition:
all of them
}
======================================
What happened?
======================================
Greetings, [Victim].
Your network has been fully compromised, investigated, and over [Size] of data including the contents of your file servers and database dumps has been extracted. [Explanations]
If you fail to contact us, we will begin publishing this data on our blog and alerting relevant government authorities. A breach of this scale could result in lawsuits, substantial fines, and irreparable reputational damage. Consider how investors and stakeholders will react if this incident goes public.
Additionally, the data stores of your hosts have been encrypted using modern cryptographic algorithms. However, we are prepared to provide you with a decryption tool.
======================================
How to obtain the decryption tool?
======================================
To obtain the decryption tool and ensure the deletion of your data from our servers, you must make a payment. If you fail to contact us within three days or refuse to pay, we will have no choice but to begin publishing your data on our blog and notify all relevant parties, including your investors.
======================================
What should you do next?
======================================
Next, you need to contact us by following the links in the next section and discuss with us the terms for deleting data on our side and obtaining a decryption key for your servers that will satisfy both us and you.
Additionally, to confirm our words, we are ready to:
- provide you with a partial listing of the files that were uploaded (partial means no more
than 33% of the entire tree)
- provide you with several ANY files (up to 10MB each) from the provided file listing
======================================
How to contact us?
======================================
To get in touch with us, you can use the links below.
- https://secp0-support.net/xxxxxx
- https://secp0-support.cfd/xxxxxx
- http://bhn2xz5jer2xeibxjzhgfp7qclttnbvkkvd4hvlmjbnz66jxq7yzn6ad.onion/xxxxx
- http://2a6w667vebiebciji7vm3vj43svegvozoqypttdgojzgdcbnfsu5wiid.onion/xxxxx
To access the onion link, you'll need to download and install the Tor Browser
(https://www.torproject.org/download).
======================================
What guarantees are there?
======================================
As a guarantee, we can offer you our professionalism. We have breached your network, extracted data from it, and remained within it for months. Our business is built on keeping our promises. Otherwise, no one would work with us or pay us. Reputation drives payments.
To confirm that we were in your filestorages, servers, and your endpoints, you can view the listing and request any file from it as proof. Additionally, as a bonus, after payment, you will receive a detailed report on your network's security: how to improve it, how to prevent future breaches, what mistakes were made, and how to avoid such situations in the future. Similar reports cost hundreds of thousands when done by professional Red Teams. We are better than a Red Team — we are the ones security companies promise to protect you from. Our reports are even more valuable. And they come as a bonus with your payment, free of charge.
[Explanation]
---BELOW IS TECHNICAL INFORMATION REQUIRED FOR US TO PROVIDE YOU WITH DECRYPTION TOOL, DO NOT REDACT---
ID=[ID]
---FINISH---