After Encrypts Microsoft Windows operating system the RansomExx ransomware Attribution variant is being deployed against Linux systems.|
Last Friday Kaspersky takes a look at the Linux version of the RansomExx ransomware, also known as Defray777. RansomEXX is a relatively new version of a Ransomware that was first detected around June 2020. The RansomEXX is human-operated ransomware, this means that attackers manually infected the systems after getting access to the victim network.
RansomEXX is specific in the sense that security researchers refer to it as a “big game hunter”. In fact, this Ransomware seeks to hit big targets looking for big profits, knowing that some businesses or government agencies cannot afford to stay “down” while they recover their systems. (And thus force the payment of the ransom).
Configuring its antivirus systems to detect RansomEXX variants is not a good strategy, due to the way the “ransomware” operate.In fact, by the time the attackers deploy the ransomware, they are already in most of the corporate network. The best strategy that companies can adopt against this type of intrusion is to secure routers, network equipment, firewalls by applying security patches and especially make sure not to leave a default configuration or access with weak passwords …
RansomEXX Ransomware attacks in Linux version :
According to Kaspersky, when targeting Linux servers, the RansomExx ransomware operators will deploy an ELF executable named ‘svc-new’ used to encrypt a victim’s server. Several companies have fallen victim to this RansomExx ransomware in recent months, including the Texas Department of Transportation (TxDOT) and Konica Minolta.
“We recently discovered a new file-encrypting Trojan built as an ELF executable and intended to encrypt data on machines controlled by Linux-based operating systems,” said Kaspersky security researcher Fedor Sinitsyn,
RansomEXX is a highly targeted Trojan, malware contains a hardcoded name of the affected some businesses or government agencies. In addition, both encrypted file extensions and email addresses use the victim’s name to communicate with extortionists.
“After the initial analysis we noticed similarities in the code of the Trojan, the text of the ransom notes and the general approach to extortion, which suggested that we had in fact encountered a Linux build of the previously known ransomware family RansomEXX,” Kaspersky researchers stated in their report.
The sample we came across – aa1ddf0c8312349be614ff43e80a262f – is a 64-bit ELF executable
Security researchers 
The malware will try to create a mutex with a hardcoded name (in this case: 6a8c9937zFIwHPZ309UZMZYVnwScPB2pR2MEx5SY7B1xgbruoO) but the mutex name changes in each sample. If the mutex is created and gets the handle, it will call the “GetLastError” function and look if the last error is ERROR_ALREADY_EXISTS or ERROR_ACCESS_DENIED. Both errors mean that a previous instance of this mutex object exists. If that is the case, the malware will enter in a flow of cleaning memory, that we will explain later in this post, and finish. (source 
