Security company Kaspersky has discovered a Linux version of the RansomEXX ransomware. This is the first known case of a major Windows ransomware family being ported to Linux to aid intruders.

We recently discovered a new file-encrypting Trojan, built as an ELF executable, designed to encrypt data on machines controlled by Linux-based operating systems.

After the initial analysis, we found similarities in the Trojan's code, the text of the ransom notes, and the general approach to extortion, suggesting that we had indeed come across a Linux build of the RansomEXX ransomware family. This malware is known to target large companies and was most active earlier this year.

RansomEXX is a highly targeted Trojan. Each malware sample contains a hard-coded name of the victim organization, and both the extension appended to encrypted files and the email address given for contacting the extortionists incorporate the victim's name.

The ransomware has been used in attacks against the Texas Department of Transportation, Konica Minolta, US government contractor Tyler Technologies, the Montreal transit system and, more recently, the Brazilian judiciary (STJ).

RansomEXX is one of the ransomware families engaged in "big game hunting": it goes after large targets for large profits, since some companies and government agencies cannot afford to stand still while they restore their systems. In late 2019, the FBI released a public service announcement on ransomware to warn of the ever-increasing number of attacks on businesses and organizations in the United States.

Ransomware attacks are becoming increasingly targeted, sophisticated, and costly, although the overall frequency of attacks remains constant. Since the beginning of 2018, the frequency of large-scale, indiscriminate ransomware campaigns has decreased significantly, but the losses from ransomware attacks have increased significantly, according to complaints received by IC3 [the Internet Crime Complaint Center] and FBI case information.

The FBI has observed cyber criminals using the following techniques to infect victims with ransomware:

Email phishing campaigns: The cyber criminal sends an email containing a malicious file or link that deploys malware when the recipient clicks it. Cyber criminals have traditionally used broad, generic spam strategies to deliver their malware, while recent ransomware campaigns have been more targeted. Criminals may also compromise a victim's email account using precursor malware that allows the cyber criminal to use the victim's email account to further spread the infection.

Remote Desktop Protocol vulnerabilities: RDP is a proprietary network protocol that allows individuals to control a computer's resources and data over the Internet. Cyber criminals have used both brute force, a trial-and-error technique for obtaining user credentials, and credentials purchased on darknet markets to gain unauthorized RDP access to victim systems. Once they have RDP access, criminals can deploy a variety of malware, including ransomware, on the affected systems.

Software vulnerabilities: Cyber criminals can exploit vulnerabilities in widely used software to take control of victim systems and deploy ransomware. For example, cyber criminals recently exploited vulnerabilities in two remote management tools used by managed service providers (MSPs) to deploy ransomware on the customer networks of at least three MSPs.
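As an added illustration of the RDP brute-force vector the FBI describes above (this is editorial example code, not from Kaspersky, the FBI or the article), the following Python flags a source address that produces a burst of failed RDP logons and escalates the alert when the same address then logs on successfully. It relies on two real Windows Security event IDs, 4625 (failed logon) and 4624 (successful logon), and on logon type 10 (RemoteInteractive, i.e. RDP); the one-line log format, the sample events, the threshold and the time window are all constructed for the example.

```python
"""Flag RDP brute-force bursts in Windows Security log events (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Each line is one Security event
# flattened to "timestamp EventID=... LogonType=... TargetUserName=... IpAddress=...".
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP.
SAMPLE_EVENTS = [
    "2020-11-06T02:14:01 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.23",
    "2020-11-06T02:14:09 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=198.51.100.23",
    "2020-11-06T02:14:17 EventID=4625 LogonType=3 TargetUserName=guest IpAddress=203.0.113.9",
    "2020-11-06T02:14:25 EventID=4625 LogonType=10 TargetUserName=backup IpAddress=198.51.100.23",
    "2020-11-06T02:14:33 EventID=4625 LogonType=10 TargetUserName=svc_backup IpAddress=198.51.100.23",
    "2020-11-06T02:14:41 EventID=4625 LogonType=10 TargetUserName=root IpAddress=192.0.2.77",
    "2020-11-06T02:14:49 EventID=4625 LogonType=10 TargetUserName=svc_backup IpAddress=198.51.100.23",
    "2020-11-06T02:14:57 EventID=4625 LogonType=10 TargetUserName=svc_backup IpAddress=198.51.100.23",
    "2020-11-06T02:15:12 EventID=4624 LogonType=10 TargetUserName=svc_backup IpAddress=198.51.100.23",
    "2020-11-06T02:20:00 EventID=4625 LogonType=10 TargetUserName=root IpAddress=192.0.2.77",
]

LINE_RE = re.compile(
    r"(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)"
)
FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
RDP_LOGON_TYPE = "10"  # RemoteInteractive: RDP / Terminal Services


def parse_events(lines):
    """Turn flattened event lines into dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per source IP that reaches `threshold` failed RDP logons
    inside a sliding `window`. A later successful RDP logon from an alerted IP is
    recorded as a likely compromised account. Non-RDP logon types are ignored."""
    rdp = sorted((e for e in events if e["ltype"] == RDP_LOGON_TYPE), key=lambda e: e["ts"])
    recent_failures = defaultdict(list)  # ip -> timestamps of failures inside the window
    alerts = {}
    for e in rdp:
        ip = e["ip"]
        if e["event"] == FAILED_LOGON:
            q = recent_failures[ip]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:  # expire failures older than the window
                q.pop(0)
            if ip in alerts:
                alerts[ip]["failures"] += 1
                alerts[ip]["accounts"].add(e["user"])
            elif len(q) >= threshold:
                alerts[ip] = {
                    "ip": ip,
                    "first_seen": q[0],
                    "failures": len(q),
                    "accounts": {x["user"] for x in rdp if x["ip"] == ip and x["event"] == FAILED_LOGON and x["ts"] <= e["ts"]},
                    "compromised_account": None,
                }
        elif e["event"] == SUCCESS_LOGON and ip in alerts:
            # The same source succeeded after a burst of failures: treat as a probable
            # credential compromise rather than a benign typo by a legitimate user.
            alerts[ip]["compromised_account"] = e["user"]
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The SMB-style failure (logon type 3) and the two isolated failures from 192.0.2.77 are deliberately left out of the alert, so the check shows only the one address that crossed the threshold and then got in with the svc_backup account; in production the same logic would read from a SIEM or `Get-WinEvent` export rather than an inline list.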

CrowdStrike, a cybersecurity technology company, found that the number of "big game hunting" ransomware attacks has increased significantly. Because the operators know their victims are sensitive to downtime, those victims are more likely to pay a ransom regardless of its size. Likely targets include:

Manufacturing
Healthcare companies
Managed service providers
Government agencies

The operators tend to look for industries that depend heavily on their information technology.

However, over the past year there has been a paradigm shift in the way these operators work. Many of them have realized that encrypting workstations first is not a lucrative business, as companies tend to restore affected systems from backup images rather than pay.

In recent months, in numerous incidents, some ransomware operators have not bothered to encrypt workstations at all and have primarily targeted critical servers within the corporate network, knowing that if these systems are hit first, the company will lose access to its data.

The fact that the RansomEXX operators have built a Linux version of their Windows ransomware is consistent with this view, as many companies run internal systems on Linux rather than exclusively on Windows Server. From an attacker's point of view, a Linux version makes perfect sense: the operators always try to expand their reach and hit as much core infrastructure as possible in order to paralyze the business and justify a higher ransom demand.

So it would not be surprising to see what the RansomEXX operators have done become a defining trend in the industry, with other ransomware operators also shipping Linux versions in the future.

And this movement seems to have already started. According to the cybersecurity company Emsisoft, the operators of the Mespinoza (Pysa) ransomware have also recently developed a Linux variant of their original Windows version, in addition to RansomEXX. According to Emsisoft, the RansomEXX Linux variants were first seen in July.

This is not the first time malware operators have considered developing a Linux version of their malware. One example is KillDisk, the malware used in the attack that paralyzed part of the Ukrainian electrical grid in 2015, which later gained a ransomware variant: on Linux it encrypted files, demanded a large ransom, and left the affected machines unable to boot. There was both a Windows and a Linux version, "which we definitely don't see every day," as the ESET researchers who analyzed it noted.

Source: Kaspersky, FBI