RansomEXX Trojan attacks Linux systems
We recently discovered a new file-encrypting Trojan built as an ELF executable and intended to encrypt data on machines controlled by Linux-based operating systems.
After the initial analysis we noticed similarities in the code of the Trojan, the text of the ransom notes and the general approach to extortion, which suggested that we had in fact encountered a Linux build of the previously known ransomware family RansomEXX. This malware is notorious for attacking large organizations and was most active earlier this year.
RansomEXX is a highly targeted Trojan. Each sample of the malware contains a hardcoded name of the victim organization. Moreover, both the encrypted file extension and the email address for contacting the extortionists make use of the victim’s name.
Several companies have fallen victim to this malware in recent months, including the Texas Department of Transportation (TxDOT) and Konica Minolta.
Technical description
The sample we came across – aa1ddf0c8312349be614ff43e80a262f – is a 64-bit ELF executable. The Trojan implements its cryptographic scheme using functions from the open-source library mbedtls.
When launched, the Trojan generates a 256-bit key and uses it to encrypt all the files belonging to the victim that it can reach, using the AES block cipher in ECB mode. The AES key is encrypted with a public RSA-4096 key embedded in the Trojan’s body and appended to each encrypted file.
Additionally, the malware launches a thread that regenerates and re-encrypts the AES key every 0.18 seconds. However, based on an analysis of the implementation, the keys actually only differ every second.
Apart from encrypting the files and leaving ransom notes, the sample has none of the additional functionality that other threat actors tend to use in their Trojans: no C&C communication, no termination of running processes, no anti-analysis tricks, etc.
Fragment of the file encryption procedure pseudocode; variable and function names are saved in the debug information and must match the original source code
Interestingly, the ELF binary contains some debug information, including names of functions, global variables and source code files used by the malware developers.
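The debug information described above (function names and source file names left in the symbol table) is the first thing an analyst pulls from an unstripped ELF. The following added example, which is not Kaspersky's tooling or the Trojan's code, parses the ELF64 .symtab with only the Python standard library and lists STT_FILE and STT_FUNC entries; the sample image it builds and the names in it are constructed placeholders, since the article shows the real names only in a screenshot.

```python
import struct

SHT_SYMTAB, SHT_STRTAB = 2, 3          # section types
STT_FUNC, STT_FILE = 2, 4              # symbol types we care about

def elf_symbols(data):
    """Yield (symbol_type, name) for every entry of every .symtab in a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    shoff = struct.unpack_from("<Q", data, 0x28)[0]           # e_shoff
    shentsize, shnum = struct.unpack_from("<HH", data, 0x3A)  # e_shentsize, e_shnum
    # Section header fields: name, type, flags, addr, offset, size, link, info, align, entsize
    sections = [struct.unpack_from("<IIQQQQIIQQ", data, shoff + i * shentsize) for i in range(shnum)]
    for sh in sections:
        if sh[1] != SHT_SYMTAB:
            continue
        strtab = sections[sh[6]]                    # sh_link names the matching string table
        names = data[strtab[4]:strtab[4] + strtab[5]]
        for off in range(sh[4], sh[4] + sh[5], sh[9] or 24):
            st_name, st_info = struct.unpack_from("<IB", data, off)
            end = names.index(b"\0", st_name)
            yield st_info & 0xF, names[st_name:end].decode("ascii", "replace")

def debug_artifacts(data):
    """Split the symbol table into source file names (STT_FILE) and function names (STT_FUNC)."""
    syms = list(elf_symbols(data))
    return {"source_files": [n for t, n in syms if t == STT_FILE and n],
            "functions": [n for t, n in syms if t == STT_FUNC and n]}

def build_sample_elf(files, funcs):
    """Build a minimal unstripped ELF64 image carrying only a symbol table (constructed test data)."""
    strtab, syms = b"\0", [bytes(24)]                          # null string, null symbol
    for name, typ in [(f, STT_FILE) for f in files] + [(f, STT_FUNC) for f in funcs]:
        syms.append(struct.pack("<IBBHQQ", len(strtab), typ, 0, 1, 0, 0))
        strtab += name.encode() + b"\0"
    symtab, shstr = b"".join(syms), b"\0.symtab\0.strtab\0.shstrtab\0"
    sym_off, str_off = 64, 64 + len(symtab)
    shstr_off, shoff = str_off + len(strtab), str_off + len(strtab) + len(shstr)
    def sh(name, typ, off, size, link, entsize):
        return struct.pack("<IIQQQQIIQQ", name, typ, 0, 0, off, size, link, 0, 1, entsize)
    shdrs = (bytes(64) + sh(1, SHT_SYMTAB, sym_off, len(symtab), 2, 24)
             + sh(9, SHT_STRTAB, str_off, len(strtab), 0, 0) + sh(17, SHT_STRTAB, shstr_off, len(shstr), 0, 0))
    ehdr = (b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)        # ELF64, little-endian, version 1
            + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 4, 3))
    return ehdr + symtab + strtab + shstr + shdrs

# Constructed placeholder names; the real sample's names appear only in the article's screenshot.
SAMPLE_ELF = build_sample_elf(["main.c", "crypto_worker.c"], ["encrypt_file", "regenerate_key"])
```

On a real sample, `readelf -s` or `objdump -t` gives the same listing; the point here is to show where those names live and why stripping would have removed them.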
Original names of source files embedded in the trojan’s body
Execution log of the trojan in Kaspersky Linux Sandbox
Similarities with Windows builds of RansomEXX
Despite the fact that previously discovered PE builds of RansomEXX use WinAPI (functions specific to Windows OS), the organization of the Trojan’s code and the method of using specific functions from the mbedtls library hint that both ELF and PE may be derived from the same source code.
In the screenshot below, we see a comparison of the procedures that encrypt the AES key. On the left is the ELF sample aa1ddf0c8312349be614ff43e80a262f; on the right is the PE sample fcd21c6fca3b9378961aa1865bee7ecb used in the TxDOT attack.
Despite being built by different compilers with different optimization options and for different platforms, the similarity is quite evident.
We also notice resemblances in the procedure that encrypts the file content, and in the overall layout of the code.
What’s more, the text of the ransom note is also practically the same, with the name of the victim in the title and equivalent phrasing.
Parallels with a recent attack in Brazil
As reported by the media, one of the country’s government institutions has just been attacked by a targeted ransomware Trojan.
Based on the ransom note, which is almost identical to the one in the sample we described, and the news article mentioned above, there is a high probability that the target is the victim of another variant of RansomEXX.
Ransom note from the sample aa1ddf0c8312349be614ff43e80a262f
Ransom note from the Bleeping Computer post about the most recent attack in Brazil
Our products protect against this threat and detect it as Trojan-Ransom.Linux.Ransomexx
Kaspersky Threat Attribution Engine identifies the Ransomexx malware family
Indicators of compromise
Recent Linux version: aa1ddf0c8312349be614ff43e80a262f
Earlier Windows version: fcd21c6fca3b9378961aa1865bee7ecb