The new iteration of the notorious RansomEXX ransomware targets machines running the Linux operating system.

Most ransomware up until now has been best known for attacking computers running the Microsoft Windows operating system. However, last week industry experts detected a new version of the RansomEXX ransomware, and that version targets Linux systems.

According to Kaspersky Lab, the Linux build of RansomEXX is a highly targeted Trojan that includes a hard-coded name of the targeted organization.

What Kapersky found was a new file-encrypting Trojan built as an ELF executable. This Trohjan is intended to encrypt data on machines controlled by Linux-based operating systems.

“After the initial analysis we noticed similarities in the code of the Trojan,” wrote Kapersky’s Fedor Sinitsyn and Vladimir Kuskov. Additionally, they noticed that the text of the ransom notes and the general approach to extortion were similar.

“RansomEXX is a highly targeted Trojan,” they write. “Each sample of the malware contains a hardcoded name of the victim organization. Moreover, both the encrypted file extension and the email address for contacting the extortionists make use of the victim’s name.”

This last point indicates that the Linux version of RansomEXX is more than just another form of ransomware spreading naturally. Rather, it is exclusively used in targeted attacks where the name of the victim is known to the hackers.

RansomEXX has been linked to a range of ransomware attacks this year. Victims include U.S. laser company IP Photonics, Konica Minolta, the Texas Department of Transport and most recently an attack on Brazil’s court system.

How the ransomware works

When launched, the Trojan generates a 256-bit key and uses it to encrypt all the files belonging to the victim that it can reach. The ransomware then encrypts the AES key using a public RSA-4096 key appended to each encrypted file.

Additionally, the malware launches a thread that regenerates and re-encrypts the AES key every 0.18 seconds. However, based on an analysis of the implementation, the keys actually only differ every second.

Apart from encrypting the files and leaving ransom notes, the sample has none of the additional functionality that other threat actors tend to use in their Trojans.

For example, there are no C&C communication, no termination of running processes, no anti-analysis tricks, etc.

Tip: Cybercrime becomes more sophisticated: ‘we can’t continue like this.’