Fraud Management & Cybercrime , Fraud Risk Management , Ransomware

RansomEXX Ransomware Can Now Target Linux Systems

Kaspersky: Malware Goes Beyond Windows Devices
RansomEXX Ransomware Can Now Target Linux Systems
A RansomEXX ransom note (Source: Kaspersky)

Researchers at Kaspersky have uncovered a Linux version of RansomEXX ransomware that, until now, had targeted only Windows devices.

See Also: OnDemand | Combatting Rogue URL Tricks: How You Can Quickly Identify and Investigate the Latest Phishing Attacks

RansomEXX was first spotted by security researchers in June. The ransomware has been tied to recent attacks that targeted the Texas Department of Transportation and Konica Minolta, according to the Kaspersky report.

The security firm also reports that a ransom note used in an attack on Brazil's court system earlier this month was similar to messages used by the RansomEXX operators to communicate with victims.

The recent discovery of a file-encrypting Trojan built using an executable Linux file shows the operators behind the RansomEXX ransomware have expanded beyond targeting Windows devices, according to the report.

"After the initial analysis, we noticed similarities in the code of the Trojan, the text of the ransom notes and the general approach to extortion, which suggested that we had in fact encountered a Linux build of the previously known ransomware family RansomEXX," Kaspersky analysts Fedor Sinitsyn and Vladimir Kuskov note in the report. "This malware is notorious for attacking large organizations and was most active earlier this year."

Brett Callow, a threat analyst with security firm Emsisoft, says his company's research finds that the Linux version of RansomEXX might have started circulating as early as July, when the malware was first discovered. Other ransomware operators are also attempting to port their malware to Linux, he adds.

"Linux ports are likely to become increasingly common," Callow tells Information Security Media Group. "The more of a company's infrastructure the attackers are able to encrypt, the more likely it is that the company will be forced to pay."

Targeting Linux

Once deployed, the Linux version of the RansomEXX generates a 256-bit key and uses it to encrypt all the files belonging to the targeted victim that it can reach using the AES block cipher.

"Additionally, the malware launches a thread that regenerates and re-encrypts the AES key every 0.18 seconds," according to the report. "However, based on an analysis of the implementation, the keys actually only differ every second."

The Linux version of RansomEXX contains the hardcoded name of the targeted organization as well as an encrypted file extension and email address for contacting the operators, the report states.

And while the Linux version of this ransomware can encrypt files and send a ransom note to the intended victim, the Kaspersky report notes that the Trojan did not have the ability to connect to a command-and-control server or deploy anti-security tools to avoid detection.

The analysis notes there are several similarities between the Windows version and the Linux version of RansomEXX, which appears to show that both were derived from the same source code.

"We also observe resemblances in the procedure that encrypts the file content, and in the overall layout of the code," Sinitsyn and Kuskov say in the report. "What’s more, the text of the ransom note is also practically the same, with the name of the victim in the title and equivalent phrasing."

Linux Ransomware

Security researchers have been encountering more versions of crypto-locking malware and Trojans that target Linux.

In June, for example, BlackBerry and KPMG's United Kingdom Cyber Response Services released a report on Tycoon, which is designed to target both Windows and Linux (see: Report: Tycoon Ransomware Targets Windows, Linux Systems).

Earlier this month, security firm Coveware found that, from July through September, the average ransom payment after a ransomware attack was $233,817 - an increase of 31% compared to the previous quarter (see: Data-Exfiltrating Ransomware Gangs Pedal False Promises ).

The Coveware report also noted that ransomware operators continue to use stolen or brute-forced remote desktop protocol credentials to gain remote access to victims' networks.

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.