After the initial analysis we noticed similarities in the code of the Trojan, the text of the ransom notes and the general approach to extortion, which suggested that we had in fact encountered a Linux build of the previously known ransomware family RansomEXX. This malware is notorious for attacking big organizations and was most active earlier this year.
RansomEXX is a highly targeted Trojan. Each sample of the malware contains a hardcoded name of the victim organization. Moreover, both the encrypted file extension and the email address for contacting the extortionists make use of the victim’s name.
When launched, the Trojan generates a 256 -bit key and uses it to encrypt all the files belonging to the victim that it can reach employing the AES block cipher in ECB mode. The AES key is encrypted by a public RS-A4 096 key incorporated within the Trojan’s body and appended to each encrypted file.
Additionally, the malware launches a weave that regenerates and re-encrypts the AES key every 0.18 seconds. However, based on an analysis of the implementation, the keys actually simply differ every second.
Apart from encrypting the files and leaving ransom notes, the sample has none of the additional functionality that other threat performers tend to use in their Trojans: no C& C communication , no expiration of running procedures , no anti-analysis tricks, etc.
Similarities with Windows builds of RansomEXX
Despite the fact that previously detected PE develops of RansomEXX use WinAPI( functions specific to Windows OS ), the organisation for the Trojan’s code and the method of using specific functions from the mbedtls library clue that both ELF and PE may be derived from the same source code.
In the screenshot below, we discover a comparison of the procedures that encrypt the AES key. On the left is the ELF sample aa1ddf 0c8312349be614ff43e80a262f; on the right is the PE sample fcd2 1c6fca3b9378961aa1865bee7ecb used throughout the TxDOT attack.
Despite being built by different compilers with different optimization options and for different platforms, the similarity is quite obvious.
We also find similarities in the methods used that encrypts the file content, and in the overall layout of the code.
What’s more, the text of the ransom note is also practically the same, with the name of the victim in the title and equivalent phrasing.
Parallel with a recent assault in Brazil
Based on the ransom note, which is almost identical to the one in the sample we described, and the news article mentioned above, there is a high probability that the target is the victim of another variant of RansomEXX.
Ransom note from the sample aa1ddf0c8312349be614ff43e80a262f
Indicators of compromise