Linux version of RansomEXX ransomware discovered


steven36


This marks the first time a major Windows ransomware strain has been ported to Linux to aid hackers in their targeted intrusions.

 


 

Security firm Kaspersky said today that it discovered a Linux version of the RansomEXX ransomware, marking the first time a major Windows ransomware strain has been ported to Linux to aid in targeted intrusions.

 

RansomEXX is a relatively new ransomware strain that was first spotted earlier this year in June.

 

The ransomware has been used in attacks against the Texas Department of Transportation, Konica Minolta, US government contractor Tyler Technologies, Montreal's public transportation system, and, most recently, against Brazil's court system (STJ).

 

RansomEXX is what security researchers call a "big-game hunter" or "human-operated ransomware." These two terms are used to describe ransomware groups that hunt large targets in search of big paydays, knowing that some companies or government agencies can't afford to stay down while they recover their systems.

 

These groups buy access or breach networks themselves, expand access to as many systems as possible, and then manually deploy their ransomware binary as a final payload to cripple as much of the target's infrastructure as possible.

 

But over the past year, there has been a paradigm shift in how these groups operate.

 

Many ransomware gangs have realized that attacking workstations first isn't a lucrative deal, as companies will tend to re-image affected systems and move on without paying ransoms.

 

In recent months, in many incidents, some ransomware gangs haven't bothered encrypting workstations and have, first and foremost, targeted crucial servers inside a company's network, knowing that by taking down these systems first, companies wouldn't be able to access their centralized data troves, even if workstations were unaffected.

 

The RansomEXX gang creating a Linux version of their Windows ransomware is in tune with how many companies operate today, with many firms running internal systems on Linux, and not always on Windows Server.

 

A Linux version makes perfect sense from an attacker's perspective, always looking to expand and touch as much core infrastructure as possible in their quest to cripple companies and demand higher ransoms.

 

What we see from RansomEXX may soon turn out to be an industry-defining trend, with other big ransomware groups rolling out their Linux versions in the future as well.

 

And, this trend appears to have already begun. According to cyber-security firm Emsisoft, besides RansomEXX, the Mespinoza (Pysa) ransomware gang has also recently developed a Linux variant from their initial Windows version.

 

But Linux ransomware is also not unique. In past years, other ransomware gangs have created Linux ransomware strains as well, such as the Snatch group. However, those groups were small-time operations that relied on spam campaigns to infect victims, were rarely successful, and did not engage in targeted intrusions like the current generation of ransomware groups we see today.

 

Emsisoft says the RansomEXX Linux variants they've detected were seen as far back as July. Configuring systems to detect RansomEXX Linux variants isn't a solid strategy because of the way big-game hunter ransomware crews operate. By the time attackers deploy the ransomware, they already own most of a company's network. The best strategy companies can take against these types of intrusions is to secure network perimeters by applying security patches to gateway devices and by making sure they are not misconfigured with weak or default credentials.

 

Technical details about the RansomEXX Linux variant are available in the Kaspersky report.

 


 

 

 
Researchers describe RansomEXX ransomware as a big-game hunter or human-operated ransomware, as it hunts targeted victims in search of big paydays. Recently, the RansomEXX ransomware has been ported to Linux to further aid hackers in their targeted intrusions.
 

Linux version of RansomEXX

The Linux version of the RansomEXX ransomware, named decryptor64, was discovered by Kaspersky researchers recently. They have released a report detailing the similarities and differences between the Windows and Linux versions.
  • Despite being built by different compilers with different optimization options and for different platforms, it is believed that both the ELF and PE executables may be derived from the same source code.
  • Even the text of the ransom notes and the general approach to extortion are the same for both the Linux and Windows versions. Moreover, both the encrypted file extension and the email address for contacting the attacker make use of the victim's name.
  • According to the report, the sample found doesn't terminate running processes and has no C&C server communication or anti-analysis tricks.
 

Windows version of RansomEXX

Several companies have fallen victim to RansomEXX's Windows version in recent months.
  • Recently, Brazil's Superior Court of Justice's IT network suffered a RansomEXX ransomware attack.
  • Last month, RansomEXX hit the Montreal Transit Company public transport system, causing a major failure on various platforms.
  • In September, the ransomware targeted Tyler Technologies and disrupted its operations. To receive the decryption key and recover the encrypted files, Tyler Technologies paid the ransom in October.
 

Summing up

Starting with a low infection rate, RansomEXX ransomware has become a lot more active in targeting high-profile organizations. Its operators can launch attacks against both Windows and Linux servers, making this malware a deadlier threat. Experts recommend installing antivirus software for precautionary measures and creating backups to prevent data loss.
 
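As an added example, not code from the Kaspersky report or from any post in this thread: because the report says the encrypted-file extension is derived from the victim's name, a defender cannot know that extension in advance and a static signature on it is of little use. The Python below instead flags a burst of distinct files rewritten under one unfamiliar extension inside a short time window, which is the behaviour any file-encrypting ransomware produces regardless of the suffix it picks. The event feed, the allowlist of expected extensions and the `.examplecorp` suffix in the sample data are all constructed assumptions.

```python
"""Behavioural check for a burst of files rewritten under one unfamiliar
extension. Added example for this thread; not code from Kaspersky's report
or from any post here. The event feed, the allowlist and the sample suffix
are assumptions made up for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Extensions this host is expected to write in bulk (assumption: a
# site-specific allowlist a defender would maintain for their own servers).
KNOWN_EXTENSIONS = {".log", ".txt", ".csv", ".gz", ".sql", ".bak", ".conf", ""}


def extension_of(path: str) -> str:
    """Return the final suffix of a POSIX path, lower-cased ('' if none)."""
    return PurePosixPath(path).suffix.lower()


def find_extension_bursts(events, window=timedelta(seconds=60), threshold=20):
    """Return {extension: peak_count} for extensions outside KNOWN_EXTENSIONS
    that appear on at least `threshold` distinct files within any sliding
    interval of length `window`.

    `events` is an iterable of (timestamp: datetime, path: str) file-write
    events; in practice they would come from auditd or inotify (assumption).
    """
    per_ext = defaultdict(list)  # extension -> list of (timestamp, path)
    for ts, path in events:
        ext = extension_of(path)
        if ext in KNOWN_EXTENSIONS:
            continue
        per_ext[ext].append((ts, path))

    hits = {}
    for ext, items in per_ext.items():
        items.sort()
        start = 0
        in_window = defaultdict(int)  # path -> occurrences inside the window
        for ts, path in items:
            in_window[path] += 1
            # Slide the window start forward until it spans at most `window`.
            while ts - items[start][0] > window:
                old_path = items[start][1]
                in_window[old_path] -= 1
                if in_window[old_path] == 0:
                    del in_window[old_path]
                start += 1
            if len(in_window) >= threshold:
                hits[ext] = max(hits.get(ext, 0), len(in_window))
    return hits


def constructed_events():
    """Constructed sample feed: routine log writes, 30 documents rewritten under
    a hypothetical victim-named extension within 15 seconds, and a handful of
    scattered writes under an unknown extension that must not trip the check."""
    t0 = datetime(2020, 11, 6, 9, 0, 0)
    events = [(t0 + timedelta(minutes=i), f"/var/log/app{i % 3}.log")
              for i in range(50)]
    burst_start = t0 + timedelta(hours=1)
    events += [(burst_start + timedelta(seconds=i // 2),
                f"/srv/data/report{i}.docx.examplecorp") for i in range(30)]
    events += [(t0 + timedelta(hours=3, minutes=i * 7), f"/home/u/notes{i}.xyz")
               for i in range(5)]
    return events


if __name__ == "__main__":
    # Expected: {'.examplecorp': 30}; '.xyz' stays below the threshold.
    print(find_extension_bursts(constructed_events()))
```

The threshold and window are the tuning knobs: a build server that legitimately emits hundreds of `.o` files per minute needs those extensions in the allowlist, while a file share holding office documents can use a much lower threshold. The check deliberately does not care what the unfamiliar extension is, only that many distinct files suddenly acquire it.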


Rather bad news; for some users, moving from Windows to the Linux world also means moving to a world with fewer risks of getting infected. The patches are coming fast, though.



Similar topics merged.

 

Please use Search before posting, thanks.



Well, good luck infesting the Linux world. Most of the security problems with ransomware are caused by the weak link, which is the human who operates the system. Most Linux server admins aren't as sloppy as Windows ones. Not to mention the users too.
