New RansomEXX ransomware Now Encrypts Linux Systems

After Encrypts Microsoft Windows operating system the RansomExx ransomware Attribution variant is being deployed against Linux systems.|

Last Friday Kaspersky takes a look at the Linux version of the RansomExx ransomware, also known as Defray777. RansomEXX is a relatively new version of a Ransomware that was first detected around June 2020. The RansomEXX is human-operated ransomware, this means that attackers manually infected the systems after getting access to the victim network.

RansomEXX is specific in the sense that security researchers refer to it as a “big game hunter”. In fact, this Ransomware seeks to hit big targets looking for big profits, knowing that some businesses or government agencies cannot afford to stay “down” while they recover their systems. (And thus force the payment of the ransom).

Configuring its antivirus systems to detect RansomEXX variants is not a good strategy, due to the way the “ransomware” operate.In fact, by the time the attackers deploy the ransomware, they are already in most of the corporate network. The best strategy that companies can adopt against this type of intrusion is to secure routers, network equipment, firewalls by applying security patches and especially make sure not to leave a default configuration or access with weak passwords …

RansomEXX Ransomware attacks in Linux version :

According to Kaspersky, when targeting Linux servers, the RansomExx ransomware operators will deploy an ELF executable named ‘svc-new’ used to encrypt a victim’s server. Several companies have fallen victim to this RansomExx ransomware in recent months, including the Texas Department of Transportation (TxDOT) and Konica Minolta.


“We recently discovered a new file-encrypting Trojan built as an ELF executable and intended to encrypt data on machines controlled by Linux-based operating systems,” said Kaspersky security researcher Fedor Sinitsyn,

RansomEXX is a highly targeted Trojan, malware contains a hardcoded name of the affected some businesses or government agencies. In addition, both encrypted file extensions and email addresses use the victim’s name to communicate with extortionists.

“After the initial analysis we noticed similarities in the code of the Trojan, the text of the ransom notes and the general approach to extortion, which suggested that we had in fact encountered a Linux build of the previously known ransomware family RansomEXX,” Kaspersky researchers stated in their report.

The sample we came across – aa1ddf0c8312349be614ff43e80a262f – is a 64-bit ELF executable