RansomEXX Ransomware Can Now Target Linux SystemsKaspersky: Malware Goes Beyond Windows Devices
Researchers at Kaspersky have uncovered a Linux version of RansomEXX ransomware that, until now, had targeted only Windows devices.
RansomEXX was first spotted by security researchers in June. The ransomware has been tied to recent attacks that targeted the Texas Department of Transportation and Konica Minolta, according to the Kaspersky report.
The security firm also reports that a ransom note used in an attack on Brazil's court system earlier this month was similar to messages used by the RansomEXX operators to communicate with victims.
The recent discovery of a file-encrypting Trojan built using an executable Linux file shows the operators behind the RansomEXX ransomware have expanded beyond targeting Windows devices, according to the report.
"After the initial analysis, we noticed similarities in the code of the Trojan, the text of the ransom notes and the general approach to extortion, which suggested that we had in fact encountered a Linux build of the previously known ransomware family RansomEXX," Kaspersky analysts Fedor Sinitsyn and Vladimir Kuskov note in the report. "This malware is notorious for attacking large organizations and was most active earlier this year."
Brett Callow, a threat analyst with security firm Emsisoft, says his company's research finds that the Linux version of RansomEXX might have started circulating as early as July, when the malware was first discovered. Other ransomware operators are also attempting to port their malware to Linux, he adds.
"Linux ports are likely to become increasingly common," Callow tells Information Security Media Group. "The more of a company's infrastructure the attackers are able to encrypt, the more likely it is that the company will be forced to pay."
Once deployed, the Linux version of the RansomEXX generates a 256-bit key and uses it to encrypt all the files belonging to the targeted victim that it can reach using the AES block cipher.
"Additionally, the malware launches a thread that regenerates and re-encrypts the AES key every 0.18 seconds," according to the report. "However, based on an analysis of the implementation, the keys actually only differ every second."
The Linux version of RansomEXX contains the hardcoded name of the targeted organization as well as an encrypted file extension and email address for contacting the operators, the report states.
And while the Linux version of this ransomware can encrypt files and send a ransom note to the intended victim, the Kaspersky report notes that the Trojan did not have the ability to connect to a command-and-control server or deploy anti-security tools to avoid detection.
The analysis notes there are several similarities between the Windows version and the Linux version of RansomEXX, which appears to show that both were derived from the same source code.
"We also observe resemblances in the procedure that encrypts the file content, and in the overall layout of the code," Sinitsyn and Kuskov say in the report. "What’s more, the text of the ransom note is also practically the same, with the name of the victim in the title and equivalent phrasing."
Security researchers have been encountering more versions of crypto-locking malware and Trojans that target Linux.
In June, for example, BlackBerry and KPMG's United Kingdom Cyber Response Services released a report on Tycoon, which is designed to target both Windows and Linux (see: Report: Tycoon Ransomware Targets Windows, Linux Systems).
Earlier this month, security firm Coveware found that, from July through September, the average ransom payment after a ransomware attack was $233,817 - an increase of 31% compared to the previous quarter (see: Data-Exfiltrating Ransomware Gangs Pedal False Promises ).
The Coveware report also noted that ransomware operators continue to use stolen or brute-forced remote desktop protocol credentials to gain remote access to victims' networks.