• 07 November, 2020
• No Comments

RansomExx Ransomware Also Encrypts Linux Systems

With companies commonly using a mixed environment of Windows and Linux servers, ransomware operations have increasingly started to create Linux versions of their malware to ensure they encrypt all critical data.

A new report today by Kaspersky takes a look at the Linux version of the RansomExx ransomware, also known as Defray777.

RansomExx has been getting a lot of attention this week due to their ongoing attacks against Brazil’s government networks and previous attacks against the Texas Department of Transportation (TxDOT), Konica Minolta, IPG Photonics, and Tyler Technologies.

Also Read: What Legislation Exists in Singapore Regarding Data Protection and Security?

Linux version of RansomExx

According to Kaspersky, when targeting Linux servers, the RansomExx operators will deploy an ELF executable named ‘svc-new’ used to encrypt a victim’s server.

“After the initial analysis we noticed similarities in the code of the Trojan, the text of the ransom notes and the general approach to extortion, which suggested that we had in fact encountered a Linux build of the previously known ransomware family RansomEXX,” Kaspersky researchers stated in their report.

Embedded in the Linux executable are a public RSA-4096 encryption key, the ransom note, and an extension named after the customer that will be appended to all encrypted files.

Unlike the Windows version, Kaspersky states that the Linux version is a no-frills ransomware. It does not contain any code to terminate processes, including security software, does not wipe free space like the Windows version does, and does not communicate with a command and control server.

If a victim pays the ransom, they will receive both a Linux and Windows decryptor with the corresponding RSA-4096 private key and encrypted file extension embedded in the executable.

Also Read: Advisory Guidelines on Key Concepts in the PDPA: 23 Chapters

The Linux version is named ‘decryptor64’ and is a command-line driven decryptor, as shown below.

Fabian Wosar, the CTO of cybersecurity firm Emsisoft, told BleepingComputer that he first saw RansomExx utilizing a Linux version in attacks in July 2020, but may have been used earlier.

RansomExx is not the first ransomware to create Linux versions. In the past, Pysa (Menispoza), Snatch, and PureLocker have also distributed Linux variants.