[LINK] Linux version of RansomEXX ransomware discovered

Kim Holburn kim at holburn.net
Mon Nov 9 09:19:40 AEDT 2020


> Linux version of RansomEXX ransomware discovered
> This marks the first time a major Windows ransomware strain has been ported to Linux to aid hackers in their targeted intrusions.
> Security firm Kaspersky said today that it discovered a Linux version of the RansomEXX ransomware, marking the first time a major 
> Windows ransomware strain has been ported to Linux to aid in targeted intrusions.
> RansomEXX <https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomexx> is a relatively new ransomware strain that was first 
> spotted earlier this year in June.
> The ransomware has been used in attacks against the Texas Department of Transportation 
> <https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/>, Konica Minolta 
> <https://www.bleepingcomputer.com/news/security/business-technology-giant-konica-minolta-hit-by-new-ransomware/>, US government 
> contractor Tyler Technologies 
> <https://www.bleepingcomputer.com/news/security/government-software-provider-tyler-technologies-hit-by-ransomware/>, Montreal's 
> public transportation system 
> <https://www.bleepingcomputer.com/news/security/montreals-stm-public-transport-system-hit-by-ransomware-attack/>, and, most 
> recently, against Brazil's court system (STJ) <https://twitter.com/driwaldorf/status/1324434369218519040>.
> RansomEXX is what security researchers call a "*big-game hunter*" or "*human-operated ransomware*." These two terms are used to 
> describe ransomware groups that hunt large targets in search of big paydays, knowing that some companies or government agencies 
> can't afford to stay down while they recover their systems.
> These groups buy access or breach networks themselves, expand access to as many systems as possible, and then manually deploy 
> their ransomware binary as a final payload to cripple as much of the target's infrastructure as possible.
> But over the past year, there has been a paradigm shift in how these groups operate.
> Many ransomware gangs have realized that attacking workstations first isn't a lucrative deal, as companies will tend to re-image 
> affected systems and move on without paying ransoms.
> In recent months, in many incidents, some ransomware gangs haven't bothered encrypting workstations, and have, first and foremost, 
> targeted crucial servers inside a company's network, knowing that by taking down these systems first, companies wouldn't be able 
> to access their centralized data troves, even if workstations were unaffected.
> The RansomEXX gang creating a Linux version of their Windows ransomware is in tune with how many companies operate today, with 
> many firms running internal systems on Linux, and not always on Windows Server.
> A Linux version makes perfect sense from an attacker's perspective, always looking to expand and touch as much core infrastructure 
> as possible in their quest to cripple companies and demand higher ransoms.
> What we see from RansomEXX may soon turn out to be an industry-defining trend, with other big ransomware groups rolling out their 
> Linux versions in the future as well.

Kim Holburn
IT Network & Security Consultant
T: +61 2 61402408  M: +61 404072753
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request