RansomEXX trojan variant is being deployed against Linux systems, warns Kaspersky

Inoculation is simple: MFA, regular timely patching


A trojan targeting Linux and deployed by a known ransomware gang has been discovered by Russian antivirus firm Kaspersky.

"We recently discovered a new file-encrypting Trojan built as an ELF executable and intended to encrypt data on machines controlled by Linux-based operating systems," said Kaspersky security researcher Fedor Sinitsyn and Vladimir Kuskov, head of advanced threat research and software classification, in a blog post.

The trojan was, the two said, similar to the existing RansomEXX trojan, which they said had been deployed only last week against Brazil's courts, as well as against targets in the US and elsewhere.

"Based on the ransom note, which is almost identical to the one in the sample we described, and the news article mentioned above, there is a high probability that the target is the victim of another variant of RansomEXX," concluded Kaspersky.

RansomEXX's Linux variant has few, if any, of the functions common to other ransomware families: it contains no command-'n'-control server phone-home functionality and no anti-analysis "tricks". Potentially this is because the ransomware is, well, ransomware; once deployed its presence is obvious to users and network admins alike because everything stops working, except for ransom notes demanding payment for decryption. Obfuscation and phone-home capabilities are not needed unless the criminal wants to extract the encrypted data for later resale or secondary ransoms, as some higher-profile ransomware gangs are wont to do.
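The "obviousness" described above is something a defender can check for from the host side: a file-encrypting trojan leaves behind files whose contents look like random bytes (often with an appended extension) plus dropped ransom notes. The following is an added triage script, not code from the article or from Kaspersky's write-up; the extension, note file names and entropy threshold it uses are constructed placeholders for illustration, not RansomEXX indicators.

```python
"""Added example: a small defender-side triage scan for a Linux directory
tree. It flags (a) files whose names match a known ransom-note name and
(b) files that are probably encrypted, judged either by a suspect appended
extension or by high Shannon entropy of their leading bytes.

Assumptions (constructed for this example, not taken from the article):
SUSPECT_EXT, NOTE_NAMES and ENTROPY_THRESHOLD below are placeholders.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Constructed placeholders; a real scan would take these from a vetted IoC feed.
SUSPECT_EXT = ".locked"
NOTE_NAMES = {"!README_TO_DECRYPT.txt", "HOW_TO_RECOVER.txt"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext/random data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_tree(root: Path, sample_bytes: int = 4096) -> dict:
    """Walk `root` and report ransom notes and likely-encrypted files.

    Returns {'notes': [...], 'encrypted': [...], 'scanned': int}; paths are
    relative to `root` and sorted, so results are stable across runs.
    """
    notes, encrypted, scanned = [], [], 0
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        scanned += 1
        rel = str(path.relative_to(root))
        if path.name in NOTE_NAMES:
            notes.append(rel)
            continue
        # Only the first few KiB are read: enough to judge entropy cheaply.
        with path.open("rb") as fh:
            head = fh.read(sample_bytes)
        if path.suffix == SUSPECT_EXT or shannon_entropy(head) >= ENTROPY_THRESHOLD:
            encrypted.append(rel)
    return {"notes": notes, "encrypted": encrypted, "scanned": scanned}


def build_sample_tree() -> Path:
    """Create a constructed directory: two plain files, two 'encrypted' ones, one note."""
    root = Path(tempfile.mkdtemp(prefix="ransom-triage-"))
    (root / "report.txt").write_bytes(b"quarterly figures, nothing unusual here\n" * 50)
    (root / "notes.md").write_bytes(b"# meeting notes\n- patch the fileserver\n" * 50)
    # os.urandom stands in for ciphertext: uniformly random bytes, ~8 bits/byte.
    (root / ("invoice.pdf" + SUSPECT_EXT)).write_bytes(os.urandom(4096))
    # No suspect extension here, so only the entropy heuristic can catch it.
    (root / "db.sqlite").write_bytes(os.urandom(4096))
    (root / "!README_TO_DECRYPT.txt").write_bytes(b"Your files are encrypted. (constructed sample note)\n")
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    print(f"scanned {result['scanned']} files")
    print("ransom notes:", result["notes"])
    print("likely encrypted:", result["encrypted"])
```

The two heuristics are deliberately independent: the extension check is cheap but trivially evaded by a variant that keeps original names, while the entropy check catches encrypted content regardless of name but will also flag legitimately compressed or encrypted files (archives, already-encrypted backups), so the output is a triage list to review, not an alert on its own.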

"Basic" ransomware attacks are typically deployed by an attacker who compromises a network well in advance, such as in Finland in October, where a psychotherapy clinic's patients had clinical notes stolen and published online. Local reports indicated that the attacker had gained access to the clinic's network years before people's sensitive medical data began appearing online.

Similarly, the criminals who planted Magecart on British Airways' card payments page in 2018 had been lurking inside the airline's corporate networks since 2015, only being detected after dumping databases that happened to include credit card details that were stored without encryption. In that case a weak password in a contractor's user account gave them access to the wider BA network.

Such compromises are possible because organisations may not regularly patch vulnerabilities, enforce good password hygiene or enable multi-factor authentication, as The Register reported in August. Back then infosec outfit Positive Technologies' Ekaterina Kilyusheva told us: "It is not that unskilled hackers are using methods that more skilled criminals would not need," but that most of the attacks she had seen were "within the capabilities of a middling hacker with basic skills." ®


Biting the hand that feeds IT © 1998–2020