Kaspersky has announced it has discovered a Linux version of RansomEXX ransomware – aka Defray777. This is one of the first times that a Windows ransomware strain has been adapted to attack Linux systems, with the new variant able to be used in targeted attacks on organizations that have both Windows and Linux systems to cause greater disruption.
RansomEXX is a relatively new human-operated ransomware variant which was first detected in June 2020. The ransomware variant has attracted a lot of attention in recent weeks after being used in attacks on government departments and many large enterprises. The ransomware was used in the attack on Konica Minolta, the Texas Department of Transportation, the public transportation system in Montreal, and the court system in Brazil, to name but a few.
The Linux version of the ransomware is a bare-bones ransomware variant without many of the features of the Windows version. For example, no attempts are made to terminate security processes and there is no communication with the command and control server, although it is possible that the Linux version will be further developed to include these and other features.
The operators of the ransomware are targeting large organizations that have the means to pay and are heavily reliant on their data and systems. With downtime costing the companies millions, payment of the ransom may be seen as a necessary evil and cheaper in the long run than attempting to recover files from backups. Targeting Windows and Linux systems simultaneously increases the probability of the ransom being paid. This is especially true when Windows and Linux servers are attacked, as these are more time consuming to restore than individual workstations.
The development of Linux versions of Windows ransomware could well become more common among threat groups. According to Emsisoft, the operators of Mespinoza ransomware developed a Linux version of their ransomware from their Windows version. There have also been threat actors in the past that have created ransomware strains that specifically target Linux systems, although the use of different versions by human-operated ransomware groups is still relatively rare.
The new development shows how important it is to back up data on all systems, including Linux, to ensure that recovery is possible without paying the ransom, and to ensure that networks are secured to prevent the initial attack. Once the attackers have infiltrated a network, detecting and blocking attacks before ransomware is deployed is much more difficult.