Researchers describe RansomEXX ransomware as a big-game hunter or human-operated ransomware as it hunts targeted victims in the search of big paydays. Recently, the RansomEXX ransomware has been ported to Linux to further aid hackers in their targeted intrusions.
Linux version of RansomExx
The Linux version of the RansomExx ransomware, named as decryptor64, was discovered by Kaspersky researchers recently. They have released a report detailing the similarities and differences between the Windows and Linux versions.
Despite being built by different compilers with different optimization options and for different platforms, it is believed that both ELF and PE executables may be derived from the same source code.
Even the text of the ransom notes and the general approach to extortion are the same for both Linux and Windows versions. Moreover, both the encrypted file extension and the email address for contacting back to the attacker make use of the victim’s name.
According to the report, the found sample doesn’t terminate running processes, has no C&C server communication and anti-analysis tricks.
Windows version of RansomExx
Several companies have fallen victim to RansomEXX’s Windows version in recent months.
In the last month, RansomExx hit the Montreal Transit Company public transport system, causing a major failure on various platforms.
In September, the ransomware had targeted Tyler Technologies and disrupted its operations. To receive the decryption key and recover the encrypted files, Tylor Technologies paid the ransom in October.
Starting with a low infection rate, RansomEXX ransomware has become a lot more active in targeting high-profile organizations. Its operators can launch attacks against both Windows and Linux servers, making this malware a deadlier threat. Experts recommend installing antivirus software for precautionary measures and creating backups to prevent data loss.