
Linux version of RansomEXX ransomware discovered

Security firm Kaspersky said today that it discovered a Linux version of the RansomEXX ransomware, marking the first time a major Windows ransomware strain has been ported to Linux to aid in targeted intrusions.

RansomEXX is a relatively new ransomware strain that was first spotted earlier this year in June.

The ransomware has been used in attacks against the Texas Department of Transportation, Konica Minolta, US government contractor Tyler Technologies, Montreal’s public transportation system, and, most recently, against Brazil’s court system (STJ).

RansomEXX is what security researchers call a “big-game hunter” or “human-operated ransomware.” These two terms are used to describe ransomware groups that hunt large targets in search of big paydays, knowing that some companies or government agencies can’t afford to stay down while they recover their systems.

These groups buy access or breach networks themselves, expand access to as many systems as possible, and then manually deploy their ransomware binary as a final payload to cripple as much of the target’s infrastructure as possible.

But over the past year, there has been a paradigm shift in how these groups operate.

Many ransomware gangs have realized that attacking workstations first isn’t a lucrative deal, as companies will tend to re-image affected systems and move on without paying ransoms.

In recent months, in many incidents, some ransomware gangs haven’t bothered encrypting workstations and have, first and foremost, targeted crucial servers inside a company’s network, knowing that with these systems taken down first, companies wouldn’t be able to access their centralized data troves, even if workstations were unaffected.

The RansomEXX gang creating a Linux version of their Windows ransomware is in tune with how many companies operate today, with many firms running internal systems on Linux, and not always on Windows Server.

The RansomEXX Linux version makes perfect sense from the perspective of an attacker, who is always looking to expand and touch as much core infrastructure as possible in their quest to cripple companies and demand higher ransoms.

What we see from RansomEXX may soon turn out to be an industry-defining trend, with other big ransomware groups rolling out their Linux versions in the future as well.

Technical details about the RansomEXX Linux variant are available in the Kaspersky report.
