Saved February 14, 2026
The article details the emergence of 01flip, a new ransomware written in Rust, which has begun targeting organizations in Southeast Asia. The attackers have compromised systems and are potentially selling stolen data on dark web forums. Initial access was gained through exploiting older vulnerabilities, leading to the deployment of the ransomware across both Windows and Linux devices.
In June 2025, a new ransomware family called 01flip emerged, targeting a select group of victims in the Asia-Pacific region, particularly organizations linked to critical infrastructure. Written entirely in Rust, 01flip supports both Windows and Linux systems, making it versatile for attackers. Researchers have tied this ransomware to a cluster of cybercrime activities labeled CL-CRI-1036. An alleged data leak from a victim appeared on dark web forums soon after the attacks, indicating the attackers are financially motivated and actively selling stolen data.
The investigation revealed that attackers exploited older vulnerabilities in internet-facing applications to gain initial access, particularly targeting CVE-2019-11580. Once inside, they deployed a Linux version of Sliver, a framework for adversary emulation, and later distributed 01flip ransomware across multiple devices. The ransomware exhibits typical behavior, such as encrypting files with AES-128-CBC and RSA-2048, while also creating ransom notes in all writable directories. The filenames of encrypted files follow a specific format: `<ORIGINAL_FILENAME>.<UNIQUE_ID>.<0 or 1>.01flip`.
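A triage helper for the filename format above, as an added example that is not from the original article or the researchers: it parses names of the form `<ORIGINAL_FILENAME>.<UNIQUE_ID>.<0 or 1>.01flip` out of a file listing and groups the hits by unique ID. It assumes the unique ID contains no dots (the article does not give its length or alphabet); the function names, the threshold and the sample paths are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from pathlib import PurePosixPath, PureWindowsPath

# Format from the article: <ORIGINAL_FILENAME>.<UNIQUE_ID>.<0 or 1>.01flip
# Assumption: UNIQUE_ID is a non-empty token without dots. The meaning of
# the 0/1 field is not stated in the article, so it is only counted here.
_NAME = re.compile(
    r"^(?P<orig>.+)\.(?P<uid>[^.]+)\.(?P<flag>[01])\.01flip$",
    re.IGNORECASE)

SAMPLE = [  # constructed file listing, not from a real incident
    "/srv/data/report.final.docx.ZX81QA.1.01flip",
    "/srv/data/db/backup.sql.ZX81QA.0.01flip",
    "C:\\Users\\ops\\Documents\\budget.xlsx.ZX81QA.1.01flip",
    "/srv/data/readme.txt",
    "/home/dev/notes.2.01flip",  # too few fields: must not match
]

def parse_01flip_name(path):
    """Return (directory, original_name, unique_id, flag) or None."""
    # The ransomware runs on Windows and Linux, so accept both path styles.
    p = PureWindowsPath(path) if "\\" in path else PurePosixPath(path)
    m = _NAME.match(p.name)
    return (str(p.parent), m["orig"], m["uid"], int(m["flag"])) if m else None

def summarize(paths, min_hits=3):
    """Group matches by unique ID and report IDs seen in >= min_hits files."""
    by_uid = defaultdict(list)
    for path in paths:
        hit = parse_01flip_name(path)
        if hit:
            by_uid[hit[2]].append(hit)
    # A threshold keeps one coincidentally named file from raising an alert.
    return {
        uid: {
            "files": len(hits),
            "directories": sorted({h[0] for h in hits}),
            "flags": dict(Counter(h[3] for h in hits)),
        }
        for uid, hits in by_uid.items() if len(hits) >= min_hits
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Because the original filename may itself contain dots, the pattern anchors on the three trailing fields rather than splitting from the left.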
01flip employs various techniques to evade detection, including using low-level system calls and encoding user-defined strings within its code. While these methods help it blend in with normal operating system activity, the ransomware is still relatively easy to detect in a sandbox environment. Notably, it includes a simple anti-sandbox measure: it checks whether the filename contains "01flip" before proceeding with file encryption. Overall, the early-stage deployment of 01flip indicates a growing trend in ransomware development, particularly with the use of Rust for such operations.