Security firm Kaspersky said today that it discovered a Linux version of the RansomEXX ransomware, marking the first time a major Windows ransomware strain has been ported to Linux to aid in targeted intrusions.
The ransomware has been used in attacks against the Texas Department of Transportation, Konica Minolta, US government contractor Tyler Technologies, Montreal’s public transportation system, and, most recently, against Brazil’s court system (STJ).
RansomEXX is what security researchers call a “big-game hunter” or “human-operated ransomware.” These two terms are used to describe ransomware groups that hunt large targets in search for big paydays, knowing that some companies or government agencies can’t afford to stay down while they recover their systems.
These groups buy access or breach networks themselves, expand access to as many systems as possible, and then manually deploy their ransomware binary as a final payload to cripple as much of the target’s infrastructure as possible.
But over the past year, there has been a paradigm shift into how these groups operate.
Many ransomware gangs have realized that attacking workstations first isn’t a lucrative deal, as companies will tend to re-image affected systems and move on without paying ransoms.
In recent months, in many incidents, some ransomware gangs haven’t bothered encrypting workstations, and have first and foremost, targeted crucial servers inside a company’s network, knowing that by taking down these systems first, companies wouldn’t be able to access their centralized data troves, even if workstations were unaffected.
The RansomEXX gang creating a Linux version of their Windows ransomware is in tune with how many companies operate today, with many firms running internal systems on Linux, and not always on Windows Server.
A Linux version makes perfect sense from an attacker’s perspective; always looking to expand and touch as much core infrastructure as possible in their quest to cripple companies and demand higher ransoms.
What we see from RansomEXX may soon turn out to be an industry-defining trend, with other big ransomware groups rolling out their Linux versions in the future as well.
And, this trend appears to have already begun. According to cyber-security firm Emsisoft, besides RansomEXX, the Mespinoza (Pysa) ransomware gang has also recently developed a Linux variant from their initial Windows version.
But Linux ransomware is also not unique. In the past years, other ransomware gangs have created Linux ransomware strains as well, such as the Snatch group. However, those groups were small-time operations that relied on spam campaigns to infect victims, were rarely successful, and did not engage in targeted intrusions like the current generation of ransomware groups we see today.
Emsisoft says the RansomEXX Linux variants they’ve detected were seen as far back as July. Configuring systems to detect RansomEXX Linux variants isn’t a solid strategy because of the way big-game hunter ransomware crews operate. By the time attackers deploy the ransomware, they already own most of a company’s network. The best strategy companies can take against these types of intrusions is to secure network perimeters by applying security patches to gateway devices and by making sure they are not misconfigured with weak or default credentials.