In November of 2020, RansomExx was involved in the attacks against Brazil’s Superior Court of Justice. The RansomExx ransomware operators have also expanded their reach by developing a Linux version of the malware. RansomEXX is human-operated ransomware that, in June 2020, was used in an attack on the Texas Department of Transportation. In August of 2020, it infected systems at the multinational technology company Konica Minolta, and in September of 2020 it was involved in attacks against the high-performance laser developer IPG Photonics and the software provider Tyler Technologies. The new Linux version of RansomExx ransomware is built as an ELF executable named ‘svc-new’ that encrypts the target’s server.
According to Kaspersky Labs: “After the initial analysis, we noticed similarities in the code of the Trojan, the text of the ransom notes and the general approach to extortion, which suggested that we had in fact encountered a Linux build of the previously known ransomware family RansomEXX.”
Upon launching the Trojan, a 256-bit key is generated and used to encrypt every file the malware can reach with the AES block cipher in ECB mode. The AES key is encrypted with a public RSA-4096 key embedded in the malware’s code and appended to each encrypted file. The ransomware lacks functionality found in other Trojans, such as anti-analysis features, C2 communication, and the ability to kill processes. Unlike the Windows version, the Linux strain doesn’t wipe free hard drive space. When victims pay the ransom, they receive both a Linux and a Windows decryptor, together with the corresponding RSA-4096 private key and the extension that was appended to the encrypted files.
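The choice of ECB mode described above has a consequence that is useful during triage: ECB is a pure codebook, so identical 16-byte plaintext blocks encrypt to identical ciphertext blocks under the same key, whereas chained or counter modes never leave such repeats. Counting duplicate ciphertext blocks in a suspected encrypted file is therefore a cheap way to corroborate an ECB-mode encryptor. The script below is an added example written for this page, not code from Kaspersky or from the malware itself. To run with the standard library only, it uses a constructed stand-in block transform (keyed SHA-256 truncated to one block) in place of AES; the stand-in is not AES and cannot decrypt anything, but it has the one property the heuristic depends on, a deterministic per-block mapping. The sample plaintext, key and 5% threshold are likewise constructed assumptions.

```python
"""Triage heuristic for files encrypted with a block cipher in ECB mode.

The "cipher" here is a constructed stand-in (keyed SHA-256 truncated to
16 bytes), NOT AES, so that the example runs offline with the standard
library. The detection function itself works unchanged on real AES-ECB
output, since it only inspects the ciphertext for repeated blocks.
"""
import hashlib
from collections import Counter

BLOCK = 16  # AES block size in bytes


def ecb_stand_in(key: bytes, data: bytes) -> bytes:
    """Constructed codebook transform: every 16-byte block is mapped
    independently of its neighbours, exactly as ECB mode does."""
    assert len(data) % BLOCK == 0, "caller pads to a block multiple"
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        out += hashlib.sha256(key + data[i:i + BLOCK]).digest()[:BLOCK]
    return bytes(out)


def chained_stand_in(key: bytes, data: bytes) -> bytes:
    """Constructed CBC-like transform for comparison: each block is XORed
    with the previous output before mapping, so repeats do not survive."""
    assert len(data) % BLOCK == 0
    out = bytearray()
    prev = bytes(BLOCK)  # zero IV is fine for a demonstration
    for i in range(0, len(data), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev))
        prev = hashlib.sha256(key + mixed).digest()[:BLOCK]
        out += prev
    return bytes(out)


def pad(data: bytes) -> bytes:
    """Zero-pad to a multiple of the block size."""
    return data + bytes((-len(data)) % BLOCK)


def duplicate_block_ratio(ct: bytes) -> float:
    """Fraction of 16-byte blocks that repeat an earlier block.
    0.0 means every block is unique; a clearly non-zero value on a file
    of non-trivial size is a strong ECB indicator."""
    usable = len(ct) - len(ct) % BLOCK
    blocks = [ct[i:i + BLOCK] for i in range(0, usable, BLOCK)]
    if not blocks:
        return 0.0
    repeats = sum(c - 1 for c in Counter(blocks).values())
    return repeats / len(blocks)


def looks_like_ecb(ct: bytes, threshold: float = 0.05) -> bool:
    """Flag the ciphertext when at least `threshold` of its blocks repeat."""
    return duplicate_block_ratio(ct) >= threshold


# Constructed sample plaintext: a short header, a long zero-filled region
# (as in a sparse database page or padded image), then a trailer.
SAMPLE_PLAINTEXT = pad(b"HEADER:invoice-2020-11" + bytes(4096) + b"trailer")
SAMPLE_KEY = b"constructed-demo-key-not-real"


def demo() -> dict:
    """Encrypt the sample with both stand-ins and score each output."""
    ecb_ct = ecb_stand_in(SAMPLE_KEY, SAMPLE_PLAINTEXT)
    chained_ct = chained_stand_in(SAMPLE_KEY, SAMPLE_PLAINTEXT)
    return {
        "ecb_ratio": duplicate_block_ratio(ecb_ct),
        "chained_ratio": duplicate_block_ratio(chained_ct),
        "ecb_flagged": looks_like_ecb(ecb_ct),
        "chained_flagged": looks_like_ecb(chained_ct),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

On the constructed sample the ECB output scores well above 0.9 (almost every block of the zero region repeats), while the chained output scores 0.0. On real files the ratio depends on how much repeated content the plaintext held, so treat the threshold as a tunable triage signal rather than proof, and confirm with the file header and the appended key blob the text describes.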
In the fall of 2020, Brazil’s Superior Court of Justice was temporarily shut down by RansomExx. The ransomware attack forced a temporary shutdown of the court’s information technology network.
“The Superior Court of Justice (STJ) announces that the court’s information technology network suffered a hacker attack, this Tuesday (3), during the afternoon, when the six group classes’ judgment sessions were taking place. The presidency of the court has already called the Federal Police to investigate the cyber attack.” announced STJ President Humberto Martins in an official statement on the Supreme Federal Court’s website.
The attack was discovered on November 3rd, and IT staff shut down the court’s network to prevent the spread of the malware. All court sessions, virtual and by video conference, were either suspended or canceled until the court network’s security was restored. As a result of this devastating attack, the websites for several Brazilian federal government agencies were also forced to go offline.