UPDATED 21:39 EST / NOVEMBER 09 2020


New version of RansomEXX ransomware targets Linux systems

Ransomware is best known for targeting the Microsoft Windows operating system, but a new version of the RansomEXX ransomware has been found that targets Linux systems.

Detected and publicized Nov. 6 by security researchers at Kaspersky Lab, the Linux build of RansomEXX is described as a highly targeted Trojan that includes a hard-coded name of the targeted organization.

In a twist, both the encrypted file extension and the email address for contacting those behind the ransomware also make use of the victim’s name. So the Linux version of RansomEXX is not simply another form of ransomware spreading naturally but is exclusively being used in targeted attacks.

Once deployed, the Linux version of RansomEXX generates a 256-bit key and uses it to encrypt all the files belonging to the targeted victim that it can reach using the AES block cipher — not unusual for ransomware. The Linux version does have some limitations, however, with the researchers noting that it does not have the ability to connect to a command-and-control server nor deploy anti-security tools to avoid detection.

Forms of Linux ransomware have existed in the past although they are not common. Tycoon, a form of ransomware detected in June, was found to target both Windows and Linux systems through leveraging an obscure Java image format.

RansomEXX has been linked to a range of ransomware attacks this year, including attacks on U.S. laser company IPG Photonics Corp., Konica Minolta Inc., the Texas Department of Transport and most recently an attack on Brazil’s court system.

“Although not unique, it is rare to see ransomware appear on Linux,” Gavin Matthews, product manager at threat detection firm Red Canary Inc., told SiliconANGLE. “As usage of cloud resources has ramped up, the ability to have eyes on all of your cloud workloads and potential threats has diminished.”

Although cloud assets can often be re-imaged or redeployed to remove threats like ransomware, the increase in Linux threats illustrates the need for better detection of and protection against threats, Matthews added. “The more you can provide SecOps and DevSecOps the ability to have eyes across their environment and individual workloads, the better their security posture will be,” he said. “At the end of the day, cloud security is very difficult. It’s vital that organizations begin to mature their security operations functions.”

Image: Kaspersky
