RansomEXX Trojan attacks Linux systems

By GIXnews

We recently discovered a new file-encrypting Trojan built as an ELF executable and intended to encrypt data on machines controlled by Linux-based operating systems.

After the initial analysis we noticed similarities in the code of the Trojan, the text of the ransom notes and the general approach to extortion, which suggested that we had in fact encountered a Linux build of the previously known ransomware family RansomEXX. This malware is notorious for attacking large organizations and was most active earlier this year.

RansomEXX is a highly targeted Trojan. Each sample of the malware contains a hardcoded name of the victim organization. Moreover, both the encrypted file extension and the email address for contacting the extortionists make use of the victim’s name.

Several companies have fallen victim to this malware in recent months, including the Texas Department of Transportation (TxDOT) and Konica Minolta.

Technical description

The sample we came across – aa1ddf0c8312349be614ff43e80a262f – is a 64-bit ELF executable. The Trojan implements its cryptographic scheme using functions from the open-source library mbedtls.

When launched, the Trojan generates a 256-bit key and uses it to encrypt all the files belonging to the victim that it can reach using the AES block cipher in ECB mode. The AES key is encrypted by a public RSA-4096 key embedded in the Trojan’s body and appended to each encrypted file.

Additionally, the malware launches a thread that regenerates and re-encrypts the AES key every 0.18 seconds. However, based on an analysis of the implementation, the keys actually only differ every second.

Apart from encrypting the files and leaving ransom notes, the sample has none of the additional functionality that other threat actors tend to use in their Trojans: no C&C communication, no termination of running processes, no anti-analysis tricks, etc.

Fragment of the file encryption procedure pseudocode; variable and function names are saved in the debug information and must match the original source code

Curiously, the ELF binary contains some debug information, including names of functions, global variables and source code files used by the malware developers.

Original names of source files embedded in the trojan’s body

Execution log of the trojan in Kaspersky Linux Sandbox

Similarities with Windows builds of RansomEXX

Despite the fact that previously discovered PE builds of RansomEXX use WinAPI (functions specific to Windows OS), the organization of the Trojan’s code and the method of using specific functions from the mbedtls library hint that both ELF and PE may be derived from the same source code.

In the screenshot below, we see a comparison of the procedures that encrypt the AES key. On the left is the ELF sample aa1ddf0c8312349be614ff43e80a262f; on the right is the PE sample fcd21c6fca3b9378961aa1865bee7ecb used in the TxDOT attack.

Despite being built by different compilers with different optimization options and for different platforms, the similarity is quite obvious.

We also observe resemblances in the procedure that encrypts the file content, and in the overall layout of the code.

What’s more, the text of the ransom note is also practically the same, with the name of the victim in the title and equivalent phrasing.

Parallels with a recent attack in Brazil

As reported by the media, one of the country’s government institutions has just been attacked by a targeted ransomware Trojan.

Based on the ransom note, which is almost identical to the one in the sample we described, and the news article mentioned above, there is a high probability that the target is the victim of another variant of RansomEXX.

Ransom note from the sample aa1ddf0c8312349be614ff43e80a262f

Ransom note from the Bleeping Computer post about the most recent attack in Brazil

Our products protect against this threat and detect it as Trojan-Ransom.Linux.Ransomexx

Kaspersky Threat Attribution Engine identifies Ransomexx malware family

Indicators of compromise

Recent Linux version: aa1ddf0c8312349be614ff43e80a262f
Earlier Windows version: fcd21c6fca3b9378961aa1865bee7ecb

Source:: Securelist