RansomEXX Trojan attacks Linux systems

RansomEXX Trojan attacks Linux systems

We a short while ago discovered a new file-encrypting Trojan built as an ELF executable and intended to encrypt details on machines managed by Linux-based mostly running systems.

Following the preliminary analysis we recognized similarities in the code of the Trojan, the textual content of the ransom notes and the typical solution to extortion, which advised that we had in point encountered a Linux establish of the beforehand recognised ransomware family RansomEXX. This malware is notorious for attacking massive companies and was most lively earlier this yr.

RansomEXX is a extremely specific Trojan. Each and every sample of the malware has a hardcoded identify of the sufferer group. Also, the two the encrypted file extension and the email deal with for speaking to the extortionists make use of the victim&#8217s name.

Many firms have fallen victim to this malware in latest months, including the Texas Division of Transportation (TxDOT) and Konica Minolta.

Technical description

The sample we arrived throughout – aa1ddf0c8312349be614ff43e80a262f – is a 64-bit ELF executable. The Trojan implements its cryptographic plan utilizing features from the open-supply library mbedtls.

When introduced, the Trojan generates a 256-bit crucial and works by using it to encrypt all the data files belonging to the sufferer that it can reach utilizing the AES block cipher in ECB mode. The AES essential is encrypted by a community RSA-4096 crucial embedded in the Trojan&#8217s human body and appended to every single encrypted file.

Moreover, the malware launches a thread that regenerates and re-encrypts the AES key each individual .18 seconds. Having said that, based mostly on an evaluation of the implementation, the keys basically only differ each next.

Apart from encrypting the files and leaving ransom notes, the sample has none of the extra features that other threat actors are likely to use in their Trojans: no C&#038C conversation, no termination of jogging processes, no anti-investigation methods, and so forth.

ransomexx trojan linux 01

Fragment of the file encryption treatment pseudocode variable and purpose names are saved in the debug information and need to match the unique supply code

Curiously, the ELF binary consists of some debug facts, such as names of functions, global variables and resource code files utilised by the malware developers.

ransomexx trojan linux 02

Original names of source data files embedded in the trojan&#8217s human body

ransomexx trojan linux 03

Execution log of the trojan in Kaspersky Linux Sandbox

Similarities with Windows builds of RansomEXX

Despite the truth that previously identified PE builds of RansomEXX use WinAPI (features particular to Home windows OS), the firm of the Trojan&#8217s code and the strategy of working with particular features from the mbedtls library trace that equally ELF and PE could be derived from the very same resource code.

In the screenshot down below, we see a comparison of the procedures that encrypt the AES important. On the left is the ELF sample aa1ddf0c8312349be614ff43e80a262f on the right is the PE sample fcd21c6fca3b9378961aa1865bee7ecb made use of in the TxDOT attack.

Regardless of being crafted by distinctive compilers with different optimization alternatives and for different platforms, the similarity is really evident.

ransomexx trojan linux 04

We also notice resemblances in the procedure that encrypts the file content, and in the in general layout of the code.

What&#8217s far more, the textual content of the ransom notice is also pretty much the identical, with the name of the sufferer in the title and equivalent phrasing.

Parallels with a modern attack in Brazil

As described by the media, one particular of the country&#8217s governing administration establishments has just been attacked by a qualified ransomware Trojan.

Centered on the ransom note, which is almost equivalent to the one in the sample we described, and the news post stated above, there is a large likelihood that the target is the sufferer of yet another variant of RansomEXX.

ransomexx trojan linux 05

Ransom note from the sample aa1ddf0c8312349be614ff43e80a262f

ransomexx trojan linux 06

Ransom note from the Bleeping Personal computer put up about the most modern attack in Brazil

Our products shield versus this menace and detect it as Trojan-Ransom.Linux.Ransomexx

ransomexx trojan linux 07

Kaspersky Threat Attribution Motor identifies Ransomexx malware family

Indicators of compromise

Modern Linux model: aa1ddf0c8312349be614ff43e80a262f
Before Home windows model: fcd21c6fca3b9378961aa1865bee7ecb

Picture and Write-up Source backlink

Read More on latest Security Updates

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: