Large-scale Windows ransomware RansomEXX ported to Linux

The security company Kaspersky recently discovered a new file-encrypting Trojan: an ELF executable designed to encrypt data on machines running Linux-based operating systems.

After preliminary analysis, Kaspersky found that what it had encountered was in fact a Linux build of the known ransomware family RansomEXX.

RansomEXX is a big-game-hunting ransomware family that has been active since the beginning of the year, mainly targeting organizations able to pay large ransoms. Its victims include the Texas Department of Transportation (TxDOT), Konica Minolta, the government contractor Tyler Technologies, Montreal's public transit system, and the Brazilian court system.

According to foreign media reports, the operators behind RansomEXX created the Linux version because many companies' internal systems now run on Linux rather than Windows.

Technical Description

The sample Kaspersky encountered (MD5 aa1ddf0c8312349be614ff43e80a262f) is a 64-bit ELF executable. The Trojan implements its encryption scheme with functions from the open-source library mbedtls.

On launch, the Trojan generates a 256-bit key and uses it to encrypt, with the AES block cipher in ECB mode, every file of the victim it can reach. The AES key is in turn encrypted with an RSA-4096 public key embedded in the Trojan's body, and the result is appended to each encrypted file. In addition, the Trojan starts a thread that regenerates and re-encrypts the AES key every 0.18 seconds, although, judging by the implementation, the key actually changes only once per second. Two points worth noting for anyone examining affected files: ECB mode has no IV and no chaining, so identical 16-byte plaintext blocks produce identical ciphertext blocks and structure in repetitive files is preserved in the ciphertext; and because each file carries its own AES key wrapped with the RSA public key, recovering files without the operators' RSA private key is not possible from the appended data alone.
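To make the described scheme concrete, the following is an added example written for this page in Go using only the standard library; it is not Kaspersky's code, not the Trojan's code, and uses Go's crypto packages in place of the mbedtls functions the sample calls. It models one file: a fresh random 256-bit AES key, AES-ECB over the file body, and the key wrapped with an RSA public key and appended as a trailer. The exact trailer layout, the use of OAEP as RSA padding, and the `NewKeyPair`, `EncryptFile`, `DecryptFile` and `RepeatedBlocks` names are this example's assumptions; the report does not specify them, and the 0.18-second key-rotation thread is not modelled. `DecryptFile` shows the recovery side that only the RSA private-key holder can run, and `RepeatedBlocks` shows the ECB structure leak on constructed repetitive input.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed layout of an encrypted file (the report only says the RSA-encrypted
// AES key is appended to each file):
//   [AES-256-ECB ciphertext, PKCS#7 padded][RSA-OAEP wrapped AES key][uint32 BE wrapped length]

const aesKeyLen = 32 // 256-bit AES key, as in the described sample

// NewKeyPair stands in for the operators' embedded RSA key. bits is a parameter
// so callers can use a smaller key for speed; the real sample uses 4096.
func NewKeyPair(bits int) (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, bits) }

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding byte")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// ecb runs AES block by block with no IV and no chaining, which is what
// "AES in ECB mode" means. Input must be a whole number of blocks.
func ecb(key, in []byte, decrypt bool) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(in)%aes.BlockSize != 0 {
		return nil, errors.New("input not block aligned")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		if decrypt {
			blk.Decrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		} else {
			blk.Encrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		}
	}
	return out, nil
}

// EncryptFile: fresh AES-256 key, ECB over the body, RSA-wrapped key appended.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	key := make([]byte, aesKeyLen)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	body, err := ecb(key, pkcs7Pad(plaintext), false)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	var tl [4]byte
	binary.BigEndian.PutUint32(tl[:], uint32(len(wrapped)))
	return append(append(body, wrapped...), tl[:]...), nil
}

// DecryptFile is the recovery side: without the RSA private key the per-file
// AES key in the trailer cannot be unwrapped and the body stays opaque.
func DecryptFile(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 4 {
		return nil, errors.New("blob too short")
	}
	wl := int(binary.BigEndian.Uint32(blob[len(blob)-4:]))
	if wl <= 0 || wl > len(blob)-4 {
		return nil, errors.New("bad trailer length")
	}
	body, wrapped := blob[:len(blob)-4-wl], blob[len(blob)-4-wl:len(blob)-4]
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	padded, err := ecb(key, body, true)
	if err != nil {
		return nil, err
	}
	return pkcs7Unpad(padded)
}

// RepeatedBlocks counts 16-byte ciphertext blocks seen more than once: under
// ECB, identical plaintext blocks yield identical ciphertext blocks.
func RepeatedBlocks(body []byte) int {
	seen, dups := map[[aes.BlockSize]byte]int{}, 0
	for i := 0; i+aes.BlockSize <= len(body); i += aes.BlockSize {
		var b [aes.BlockSize]byte
		copy(b[:], body[i:i+aes.BlockSize])
		if seen[b]++; seen[b] > 1 {
			dups++
		}
	}
	return dups
}

func main() {
	priv, _ := NewKeyPair(4096)                            // sample embeds a 4096-bit key
	plain := bytes.Repeat([]byte("0123456789abcdef"), 8) // constructed repetitive input
	blob, _ := EncryptFile(&priv.PublicKey, plain)
	fmt.Println("repeated ciphertext blocks:", RepeatedBlocks(blob[:len(plain)+aes.BlockSize]))
	got, err := DecryptFile(priv, blob)
	fmt.Println("roundtrip ok:", err == nil && bytes.Equal(got, plain))
}
```

On the constructed input of eight identical 16-byte blocks, the ECB body shows seven repeated ciphertext blocks, which is the structure leak a CBC or CTR construction would hide; a one-bit change to the wrapped key in the trailer makes the OAEP unwrap fail, so the body cannot be recovered from a damaged trailer either.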

The functionality found in this sample is limited to encrypting files and dropping ransom notes; no other capabilities were observed.

Kaspersky compared the AES-key encryption routine of the Windows RansomEXX build with that of the new Linux Trojan. In the side-by-side comparison (shown in the original report), the ELF sample aa1ddf0c8312349be614ff43e80a262f appears on the left and the PE sample fcd21c6fca3b9378961aa1865bee7ecb, used in the TxDOT attack, on the right. Although the two were built by different compilers, for different platforms, and with different optimization settings, the similarities are obvious. The modus operandi also matches: the code layout, the ransom note text, and the wording of its title are the same.

For the full comparison, see the Kaspersky Securelist write-up: https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/

Source: www.oschina.net/news/120117/windows-ransomexx-ported-to-linux