Rclone identified as a malicious tool associated with ransomware samples.

Created On 10/26/22 00:43 AM - Last Modified 09/03/25 01:20 AM


Symptom


Customers are opening cases requesting detection and coverage of the IOCs (samples) listed in CISA alert AA22-294A. These samples are files from the Rclone tool, which has recently been used in ransomware attacks.

Rclone Associated SHA256 Hashes

SHA256                                                            File
9E42E07073E03BDEA4CD978D9E7B44A9574972818593306BE1F3DCFDEE722238  rclone-v1.59.2-windows-amd64\git-log.txt
19ED36F063221E161D740651E6578D50E0D3CACEE89D27A6EBED4AB4272585BD  rclone-v1.59.2-windows-amd64\rclone.1
54E3B5A2521A84741DC15810E6FED9D739EB8083CB1FE097CB98B345AF24E939  rclone-v1.59.2-windows-amd64\rclone.exe
EC16E2DE3A55772F5DFAC8BF8F5A365600FAD40A244A574CBAB987515AA40CBF  rclone-v1.59.2-windows-amd64\README.html
475D6E80CF4EF70926A65DF5551F59E35B71A0E92F0FE4DD28559A9DEBA60C28  rclone-v1.59.2-windows-amd64\README.txt
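As an added example (not part of this article and not Palo Alto Networks tooling), the following Python script sweeps a directory tree, computes the SHA-256 of every regular file and reports any file whose hash appears in the list above. The five hashes are copied from the table; the directory layout and the file contents used in `demo()` are constructed for illustration only, and the hash entry `demo()` adds to its own copy of the list is a constructed test value, not a real IOC.

```python
"""Hash-based sweep for the Rclone file hashes listed in CISA alert AA22-294A.

Added example for illustration; not the vendor's tooling. The IOC hashes below
are the ones quoted in the article; everything else is constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# (SHA256, file path) pairs exactly as published for the rclone v1.59.2 windows-amd64 package.
_PUBLISHED_IOCS = (
    ("9E42E07073E03BDEA4CD978D9E7B44A9574972818593306BE1F3DCFDEE722238", r"rclone-v1.59.2-windows-amd64\git-log.txt"),
    ("19ED36F063221E161D740651E6578D50E0D3CACEE89D27A6EBED4AB4272585BD", r"rclone-v1.59.2-windows-amd64\rclone.1"),
    ("54E3B5A2521A84741DC15810E6FED9D739EB8083CB1FE097CB98B345AF24E939", r"rclone-v1.59.2-windows-amd64\rclone.exe"),
    ("EC16E2DE3A55772F5DFAC8BF8F5A365600FAD40A244A574CBAB987515AA40CBF", r"rclone-v1.59.2-windows-amd64\README.html"),
    ("475D6E80CF4EF70926A65DF5551F59E35B71A0E92F0FE4DD28559A9DEBA60C28", r"rclone-v1.59.2-windows-amd64\README.txt"),
)

# Published lists are often upper-case while hashlib emits lower-case hex; normalise once
# so a case mismatch never silently hides a hit.
RCLONE_IOC_HASHES = {digest.strip().lower(): name for digest, name in _PUBLISHED_IOCS}


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, iocs=RCLONE_IOC_HASHES):
    """Walk `root` and return (path, sha256, ioc_name) for every file whose hash is in `iocs`.

    Files that cannot be read (permissions, vanished during the walk) are skipped rather
    than aborting the whole sweep.
    """
    matches = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full_path = os.path.join(dirpath, name)
            if not os.path.isfile(full_path):
                continue
            try:
                digest = sha256_of_file(full_path)
            except OSError:
                continue
            if digest in iocs:
                matches.append((full_path, digest, iocs[digest]))
    return matches


def demo():
    """Constructed scenario: a benign file plus one file whose hash is added to a copy of the IOC set.

    The real rclone binaries are not shipped here, so the flagged file is a stand-in whose
    hash is computed on the fly; the entry name 'constructed-test-entry' is not a real IOC.
    Returns a list of (relative path, ioc_name) for the hits.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.txt").write_bytes(b"constructed benign content")
        tools = root / "tools"
        tools.mkdir()
        suspect = tools / "rclone.exe"
        suspect.write_bytes(b"constructed stand-in for a flagged binary")

        iocs = dict(RCLONE_IOC_HASHES)            # never mutate the shared table
        iocs[sha256_of_file(suspect)] = "constructed-test-entry"

        hits = scan_tree(tmp, iocs)
        return [(os.path.relpath(path, tmp), ioc_name) for path, _digest, ioc_name in hits]


if __name__ == "__main__":
    for rel_path, ioc_name in demo():
        print(f"MATCH {rel_path} -> {ioc_name}")
```

Because the hashes identify one specific release package, a sweep like this only finds the exact v1.59.2 windows-amd64 files; a renamed binary or a different Rclone build will not match, which is why the article points to the Rclone App-ID for identifying the traffic itself rather than relying on file hashes alone.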


Environment


  • Palo Alto Networks firewall
  • Anti-virus
  • Wildfire
  • Threat Intelligence


Cause


  • Rclone is an open source, multi-threaded, command-line program for managing or migrating content on cloud and other high-latency storage.
  • Its capabilities include sync, transfer, crypt, cache, union, compress and mount.
  • The rclone website lists supported backends including S3 and Google Drive.


Resolution


  1. Rclone is not ransomware; it is a legitimate tool that is being abused for data exfiltration during a ransomware infection.
  2. Once the adversary controls the corporate network, Rclone is deployed to copy sensitive data to a remote server.
  3. It has legitimate uses for data backup and data transfer. At this point, we are not considering IPS/IDS signatures to detect Rclone.


Additional Information


  • We have introduced an Rclone App-ID to identify traffic for this application. More information can be found on our Applipedia page.
  • We will also keep Rclone classified as BENIGN in Wildfire, since it is widely used by IT staff among our customers.

