We recently discovered a new file-encrypting Trojan constructed as an ELF executable and intended to encrypt data on machines controlled by Linux-based operating systems.

After the initial analysis we noticed similarities in the code of the Trojan, the text of the ransom notes and the general approach to extortion, which suggested that we had in fact encountered a Linux build of the previously known ransomware family RansomEXX. This malware is notorious for attacking big organizations and was most active earlier this year.

RansomEXX is a highly targeted Trojan. Each sample of the malware contains a hardcoded name of the victim organization. Moreover, both the encrypted file extension and the email address for contacting the extortionists make use of the victim’s name.

Several companies have fallen victim to this malware in recent months, including the Texas Department of Transportation( TxDOT) and Konica Minolta.

Technical description

The sample we came across- aa1ddf 0c8312349be614ff43e80a262f– is a 64 -bit ELF executable. The Trojan implements its cryptographic strategy applying roles from the open-source library mbedtls.

When launched, the Trojan generates a 256 -bit key and uses it to encrypt all the files belonging to the victim that it can reach employing the AES block cipher in ECB mode. The AES key is encrypted by a public RS-A4 096 key incorporated within the Trojan’s body and appended to each encrypted file.

Additionally, the malware launches a weave that regenerates and re-encrypts the AES key every 0.18 seconds. However, based on an analysis of the implementation, the keys actually simply differ every second.

Apart from encrypting the files and leaving ransom notes, the sample has none of the additional functionality that other threat performers tend to use in their Trojans: no C& C communication , no expiration of running procedures , no anti-analysis tricks, etc.

Fragment of the file encryption procedure pseudocode; variable and part names are saved in the debug information and must match the original source code

Curiously, the ELF binary contains some debug information, including names of functions, global variables and source code files used by the malware developers.

Original names of source files incorporated within the trojan’s body

Execution log of the trojan in Kaspersky Linux Sandbox

Similarities with Windows builds of RansomEXX

Despite the fact that previously detected PE develops of RansomEXX use WinAPI( functions specific to Windows OS ), the organisation for the Trojan’s code and the method of using specific functions from the mbedtls library clue that both ELF and PE may be derived from the same source code.

In the screenshot below, we discover a comparison of the procedures that encrypt the AES key. On the left is the ELF sample aa1ddf 0c8312349be614ff43e80a262f; on the right is the PE sample fcd2 1c6fca3b9378961aa1865bee7ecb used throughout the TxDOT attack.

Despite being built by different compilers with different optimization options and for different platforms, the similarity is quite obvious.

We also find similarities in the methods used that encrypts the file content, and in the overall layout of the code.

What’s more, the text of the ransom note is also practically the same, with the name of the victim in the title and equivalent phrasing.

Parallel with a recent assault in Brazil

As reported by the media, one of the country’s government institutions has just been attacked by a targeted ransomware Trojan.

Based on the ransom note, which is almost identical to the one in the sample we described, and the news article mentioned above, there is a high probability that the target is the victim of another variant of RansomEXX.

Ransom note from the sample aa1ddf0c8312349be614ff43e80a262f

Ransom note from the Bleeping Computer post about the most recent attack in Brazil

Our products are protected by this menace and see it as Trojan-Ransom.Linux.Ransomexx

Kaspersky Threat Attribution Engine recognizes Ransomexx malware family

Indicators of compromise

Recent Linux version: aa1ddf 0c8312349be614ff43e80a262f Earlier Windows version: fcd2 1c6fca3b9378961aa1865bee7ecb

Read more: securelist.com