- November 7, 2020
- Posted by: administrator
- Category: Linux, Ransomware
With companies commonly using a mixed environment of Windows and Linux servers, ransomware operations have increasingly started to create Linux versions of their malware to ensure they encrypt all critical data.
A new report today by Kaspersky takes a look at the Linux version of the RansomExx ransomware, also known as Defray777.
RansomExx has been getting a lot of attention this week due to their ongoing attacks against Brazil’s government networks and previous attacks against the Texas Department of Transportation (TxDOT), Konica Minolta, IPG Photonics, and Tyler Technologies.
Linux version of RansomExx
According to Kaspersky, when targeting Linux servers, the RansomExx operators will deploy an ELF executable named ‘svc-new’ used to encrypt a victim’s server.
“After the initial analysis we noticed similarities in the code of the Trojan, the text of the ransom notes and the general approach to extortion, which suggested that we had in fact encountered a Linux build of the previously known ransomware family RansomEXX,” Kaspersky researchers stated in their report.
Embedded in the Linux executable are a public RSA-4096 encryption key, the ransom note, and an extension named after the customer that will be appended to all encrypted files.
Unlike the Windows version, Kaspersky states that the Linux version is a no-frills ransomware. It does not contain any code to terminate processes, including security software, does not wipe free space like the Windows version does, and does not communicate with a command and control server.
If a victim pays the ransom, they will receive both a Linux and Windows decryptor with the corresponding RSA-4096 private key and encrypted file extension embedded in the executable.
The Linux version is named ‘decryptor64’ and is a command-line driven decryptor.
Fabian Wosar, the CTO of cybersecurity firm Emsisoft, told BleepingComputer that he first saw RansomExx utilizing a Linux version in attacks in July 2020, but may have been used earlier.
RansomExx is not the first ransomware to create Linux versions. In the past, Pysa (Menispoza), Snatch, and PureLocker have also distributed Linux variants.
NOTE:: This article is copyright by bleepingcomputer.com and we are using it for educational or Information purpose only