The analysis shows that the ransomware shares many similarities with a previously known family called RansomEXX; in other words, RansomEXX now has a Linux build. RansomEXX is known for its targeted attacks against large corporations, most of which took place last year. In fact, Kaspersky says that “RansomEXX is a highly targeted Trojan.” Companies victimized by RansomEXX include the Texas Department of Transportation and Konica Minolta.
RansomEXX Linux Version
Once the ransomware is launched on the targeted Linux machine, it generates a 256-bit key and uses it to encrypt all data it can reach with the AES block cipher in ECB mode. The AES key is then encrypted with a public RSA-4096 key, which is embedded in the Trojan’s body and appended to all encrypted files.
The ransomware also regenerates and re-encrypts the AES key every 0.8 seconds, although Kaspersky’s analysis shows that the keys actually only change once a second. Despite its strong encryption, the Linux build of RansomEXX lacks command-and-control infrastructure, termination of running processes, and anti-analysis features, all of which are typical of most ransomware Trojans.
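As an added example (not code from the article or from Kaspersky’s analysis), the following Python shows why the choice of ECB mode matters to an analyst triaging encrypted files: because ECB maps identical plaintext blocks to identical ciphertext blocks, a simple repeated-block count flags ECB output, while a chained mode shows no repeats. The per-block AES operation is replaced by a keyed-hash stand-in to avoid a third-party dependency (an assumption; it reproduces only the per-block determinism), and the sample records, key and IV are constructed.

```python
import hashlib
from collections import Counter

BLOCK = 16  # AES block size in bytes; a 256-bit key does not change this


def ecb_block_stats(data: bytes) -> dict:
    """Count repeated 16-byte blocks in data. ECB encrypts each block on its own,
    so repeated plaintext blocks (records, zero runs) reappear as repeated
    ciphertext blocks; a high repeat ratio in high-entropy data hints at ECB."""
    usable = len(data) - len(data) % BLOCK
    blocks = [data[i:i + BLOCK] for i in range(0, usable, BLOCK)]
    total, unique = len(blocks), len(Counter(blocks))
    return {"blocks": total, "unique": unique, "repeated": total - unique,
            "ratio": (total - unique) / total if total else 0.0}


def looks_like_ecb(data: bytes, threshold: float = 0.02) -> bool:
    """Triage heuristic: flag data whose repeat ratio reaches the threshold."""
    return ecb_block_stats(data)["ratio"] >= threshold


def _block_map(key: bytes, block: bytes) -> bytes:
    # Stand-in for one AES block operation: keyed hash truncated to 16 bytes.
    # Not invertible, so not a cipher; it only reproduces the property that
    # matters here: the same (key, block) always produces the same output.
    return hashlib.sha256(key + block).digest()[:BLOCK]


def toy_ecb(key: bytes, plaintext: bytes) -> bytes:
    """ECB-style stand-in: every block mapped independently (zero-padded tail)."""
    out = bytearray()
    for i in range(0, len(plaintext), BLOCK):
        out += _block_map(key, plaintext[i:i + BLOCK].ljust(BLOCK, b"\x00"))
    return bytes(out)


def toy_cbc(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC-style stand-in: each block XORed with the previous output first."""
    out, prev = bytearray(), iv
    for i in range(0, len(plaintext), BLOCK):
        blk = plaintext[i:i + BLOCK].ljust(BLOCK, b"\x00")
        prev = _block_map(key, bytes(a ^ b for a, b in zip(blk, prev)))
        out += prev
    return bytes(out)


# Constructed sample: 32 fixed-width records with a varying user field and a
# constant role field. Under ECB the constant field becomes the same ciphertext
# block 32 times (31 repeats out of 64 blocks); under CBC every block differs.
SAMPLE = b"".join((b"user%04d" % i).ljust(BLOCK) + b"role=operator".ljust(BLOCK)
                  for i in range(32))
KEY = b"\x11" * 32    # constructed 256-bit key, matching the key size described
IV = b"\x22" * BLOCK  # constructed IV for the CBC stand-in
```

Running `ecb_block_stats(toy_ecb(KEY, SAMPLE))` reports 31 repeated blocks, while the CBC stand-in reports none; the check is a triage hint, not proof of the cipher mode, since compressed or already-random input yields few repeats under any mode.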
Despite the fact that previously discovered PE builds of RansomEXX use WinAPI (functions specific to Windows OS), the organization of the Trojan’s code and the method of using specific functions from the mbedtls library hint that both ELF and PE may be derived from the same source code, the researchers say.
Previous Windows version of RansomEXX used the .txd0t extension
The team also noticed “resemblances in the procedure that encrypts the file content, and in the overall layout of the code.” The ransom note is also nearly identical to the Windows variant.
One of the latest versions of the Windows-targeting RansomEXX appended the .txd0t extension to encrypted files. The ransomware was used in a dangerous attack against a large US company called Tyler Technologies, a software and services provider for the public sector. The cybercriminals rendered the company’s website inactive.
The security staff detected an intrusion into the company’s network on September 23, 2020. Fortunately, no customer data was accessed by the hackers. All compromised information appears to be limited to the internal network and phone systems of the company.