
A Linux ransomware variant of RansomEXX

Recently, Kaspersky discovered that a known gang deployed a file encryption Trojan for Linux.

A Kaspersky security researcher pointed out: “This is a brand new file encryption Trojan, which is an ELF executable file that can encrypt data on Linux computers.”

The Trojan is similar to the existing RansomEXX Trojan, which was used last week to attack Brazilian courts and targets in the United States and other regions.

Kaspersky concluded: “The Trojan’s ransom note is very similar to RansomEXX, so it is likely to be a Linux variant of RansomEXX.”

The Linux variant of RansomEXX has almost no functional overlap with other families. For example, it includes neither a callback to a command and control server nor the usual anti-analysis “skills”, which makes it a very pure, “basic” piece of ransomware. Once deployed, the Linux Trojan’s presence is obvious to users and network administrators, because everything stops working and a ransom demand is displayed on the screen. Unless the attacker wants to exfiltrate the encrypted data for resale or further blackmail, there is no need for obfuscation or callback functions.

“Basic” attacks are usually deployed by attackers who intrude into the network early. For example, in Finland in October, the clinical records of patients in psychotherapy clinics were stolen and posted online. Local reports show that the attacker had already accessed the clinic’s network before the medical data was leaked online.

Similarly, the criminals who inserted Magecart into the British Airways card payment page in 2018 had been lurking inside the airline’s corporate network, and were only discovered after dumping a database that happened to contain credit card details stored unencrypted. The attackers’ entry point was the weak password of a contractor’s user account, which in turn gave access to the wider British Airways internal network.

frequently succeeds mainly because companies fail to patch vulnerabilities regularly, maintain good password hygiene and enable multi-factor authentication. As the cybersecurity firm Positive Technologies pointed out: “Most attacks are within the capabilities of medium hackers, and often only basic skills are required.”

IOCs

AA1DDF0C8312349BE614FF43E80A262F
91AD089F5259845141DFB10145271553AA711A2B
CB408D45762A628872FA782109E8FCFC3A5BF456074B007DE21E9331BB3C5849