Ransomware is best known for targeting the Microsoft Windows operating system, but a new version of the RandomEXX ransomware has been found that targets Linux systems.

Detected and publicized Nov. 6 by security researchers at Kaspersky Lab, the Linux build of RansomEXX is described as a highly targeted Trojan that includes a hard-coded name of the targeted organization.

In a twist, both the encrypted file extension and email address for contacting those behind the ransomware also makes use of the victim’s name. So the Linux version of RansomEXX is not simply another form of ransomware spreading naturally but is exclusively being used in targeted attacks.

Once deployed, the Linux version of RansomEXX generates a 256-bit key and uses it to encrypt all the files belonging to the targeted victim that it can reach using the AES block cipher — not unusual for ransomware. The Linux version does have some limitations, however, with the researchers noting that it does not have the ability to connect to a command-and-control server nor deploy anti-security tools to avoid detection.

Forms of Linux ransomware have existed in the past although they are not common. Tycoon, a form of ransomware detected in June, was found to target both Windows and Linux systems through leveraging an obscure Java image format.

RansomEXX has been linked to a range of ransomware attacks this year, including attacks on U.S. laser company IP Photonics Corp., Konica Minolta Inc., the Texas Department of Transport and most recently an attack on Brazil’s court system.

“Although not unique, it is rare to see ransomware appear on Linux,” Gavin Matthews, product manager at threat detection firm Red Canary Inc., told SiliconANGLE. “As usage of cloud resources has ramped up, the ability to have eyes on all of your cloud workloads and potential threats has diminished.”

Cloud assets can often be re-imaged or redeployed to remove threats like ransomware, the increase in Linux threats illustrates the need for better detection and protections against threats, Matthews added. “The more you can provide SecOps and DevSecOps the ability to have eyes across their environment and individual workloads, the better their security posture will be,” he said. “At the end of the day, cloud security is very difficult. It’s vital that organizations begin to mature their security operations functions.”

Image: Kasperky