A version of RansomEXX for Linux was detected

Researchers of Kaspersky Lab have identified a Linux version dransomware malware "RansomEXX".

Initially, RansomEXX was distributed only on the Windows platform and became famous due to several major incidents with the defeat of the systems of various government agencies and companies, including the Texas Department of Transportation and Konica Minolta.

About RansomEXX

RansomEXX encrypts data on disk and then requires ransom to get the decryption key. 

Encryption is organized using the library mbedtls de Open Source. Once launched, the malware generates a 256-bit key and uses it to encrypt all available files using AES block encryption in ECB mode. 

After that, a new AES key is generated every second, that is, different files are encrypted with different AES keys.

Each AES key is encrypted using a RSA-4096 public key embedded in malware code and is attached to every encrypted file. For decryption, the ransomware offers to buy a private key from them.

A special feature of RansomEXX is the use in targeted attacks, during which attackers gain access to one of the systems on the network through compromise of vulnerabilities or social engineering methods, after which they attack other systems and deploy a specially assembled variant of malware for each attacked infrastructure, including the name of the company and each of the different contact details.

Initially, during the attack on corporate networks, the attackers they tried to take control as many workstations as possible to install malware on them, but this strategy turned out to be incorrect and in many cases systems were simply reinstalled using a backup without paying the ransom. 

Now cybercriminals' strategy has changed y their goal was to primarily defeat corporate server systems and especially to centralized storage systems, including those running Linux.

So it would not be surprising to see that RansomEXX traders have made it a defining trend in the industry; Other ransomware operators may also deploy versions of Linux in the future.

Recently, we discovered a new file encryption Trojan created as an ELF executable and intended to encrypt data on machines controlled by Linux-based operating systems.

After initial analysis, we noticed similarities in the Trojan's code, the text of the ransom notes, and the overall approach to extortion, suggesting that we had indeed found a Linux build of the previously known RansomEXX family of ransomware. This malware is known to attack large organizations and was most active earlier this year.

RansomEXX is a very specific Trojan. Each malware sample contains a hardcoded name of the victim organization. In addition, both the extension of the encrypted file and the email address to contact the extortionists use the name of the victim.

And this movement seems to have already started. According to the cybersecurity firm Emsisoft, in addition to RansomEXX, the operators behind the Mespinoza (Pysa) ransomware have also recently developed a Linux variant starting from their initial version of Windows. According to Emsisoft, the RansomEXX Linux variants they discovered were first deployed in July.

This is not the first time that malware operators have considered developing a Linux version of their malware.

For example, we can cite the case of the KillDisk malware, which had been used to paralyze a power grid in Ukraine in 2015.

This variant made "Linux machines impossible to boot, after having encrypted the files and demanding a large ransom." It had a version for Windows and a version for Linux, "which is definitely something we don't see every day," the ESET researchers noted.

Finally, if you want to know more about it, you can check the details of the Kaspersky publication In the following link.