{
	"id": "6e05084b-8817-4f55-93f7-eea06d5827ad",
	"created_at": "2026-04-06T00:15:29.27055Z",
	"updated_at": "2026-04-10T13:11:42.403724Z",
	"deleted_at": null,
	"sha1_hash": "1d82b3f28da937471a9c3a2790f67dbfc1c3b0c3",
	"title": "RansomEXX Trojan attacks Linux systems",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1490812,
	"plain_text": "RansomEXX Trojan attacks Linux systems\r\nBy Fedor Sinitsyn\r\nPublished: 2020-11-06 · Archived: 2026-04-05 21:37:11 UTC\r\nWe recently discovered a new file-encrypting Trojan built as an ELF executable and intended to encrypt data on\r\nmachines controlled by Linux-based operating systems.\r\nAfter the initial analysis we noticed similarities in the code of the Trojan, the text of the ransom notes and the\r\ngeneral approach to extortion, which suggested that we had in fact encountered a Linux build of the previously\r\nknown ransomware family RansomEXX. This malware is notorious for attacking large organizations and was\r\nmost active earlier this year.\r\nRansomEXX is a highly targeted Trojan. Each sample of the malware contains a hardcoded name of the victim\r\norganization. Moreover, both the encrypted file extension and the email address for contacting the extortionists\r\nmake use of the victim’s name.\r\nSeveral companies have fallen victim to this malware in recent months, including the Texas Department of\r\nTransportation (TxDOT) and Konica Minolta.\r\nTechnical description\r\nThe sample we came across – aa1ddf0c8312349be614ff43e80a262f – is a 64-bit ELF executable. The Trojan\r\nimplements its cryptographic scheme using functions from the open-source library mbedtls.\r\nWhen launched, the Trojan generates a 256-bit key and uses it to encrypt all the files belonging to the victim that\r\nit can reach using the AES block cipher in ECB mode. The AES key is encrypted by a public RSA-4096 key\r\nembedded in the Trojan’s body and appended to each encrypted file.\r\nAdditionally, the malware launches a thread that regenerates and re-encrypts the AES key every 0.18 seconds.\r\nHowever, based on an analysis of the implementation, the keys actually only differ every second.\r\nApart from encrypting the files and leaving ransom notes, the sample has none of the additional functionality that\r\nother threat actors tend to use in their Trojans: no C\u0026C communication, no termination of running processes, no\r\nanti-analysis tricks, etc.\r\nhttps://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/\r\nPage 1 of 5\r\nFragment of the file encryption procedure pseudocode; variable and function names are saved in the debug\r\ninformation and must match the original source code\r\nCuriously, the ELF binary contains some debug information, including names of functions, global variables and\r\nsource code files used by the malware developers.\r\nOriginal names of source files embedded in the trojan’s body\r\nExecution log of the trojan in Kaspersky Linux Sandbox\r\nSimilarities with Windows builds of RansomEXX\r\nDespite the fact that previously discovered PE builds of RansomEXX use WinAPI (functions specific to Windows\r\nOS), the organization of the Trojan’s code and the method of using specific functions from the mbedtls library hint\r\nthat both ELF and PE may be derived from the same source code.\r\nIn the screenshot below, we see a comparison of the procedures that encrypt the AES key. On the left is the ELF\r\nsample aa1ddf0c8312349be614ff43e80a262f; on the right is the PE sample fcd21c6fca3b9378961aa1865bee7ecb\r\nused in the TxDOT attack.\r\nDespite being built by different compilers with different optimization options and for different platforms, the\r\nsimilarity is quite obvious.\r\nWe also observe resemblances in the procedure that encrypts the file content, and in the overall layout of the code.\r\nWhat’s more, the text of the ransom note is also practically the same, with the name of the victim in the title and\r\nequivalent phrasing.\r\nParallels with a recent attack in Brazil\r\nAs reported by the media, one of the country’s government institutions has just been attacked by a targeted\r\nransomware Trojan.\r\nBased on the ransom note, which is almost identical to the one in the sample we described, and the news article\r\nmentioned above, there is a high probability that the target is the victim of another variant of RansomEXX.\r\nRansom note from the sample aa1ddf0c8312349be614ff43e80a262f\r\nRansom note from the Bleeping Computer post about the most recent attack in Brazil\r\nOur products protect against this threat and detect it as Trojan-Ransom.Linux.Ransomexx\r\nKaspersky Threat Attribution Engine identifies Ransomexx malware family\r\nIndicators of compromise\r\nRecent Linux version: aa1ddf0c8312349be614ff43e80a262f\r\nEarlier Windows version: fcd21c6fca3b9378961aa1865bee7ecb\r\nSource: https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/"
	],
	"report_names": [
		"99279"
	],
	"threat_actors": [],
	"ts_created_at": 1775434529,
	"ts_updated_at": 1775826702,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1d82b3f28da937471a9c3a2790f67dbfc1c3b0c3.pdf",
		"text": "https://archive.orkl.eu/1d82b3f28da937471a9c3a2790f67dbfc1c3b0c3.txt",
		"img": "https://archive.orkl.eu/1d82b3f28da937471a9c3a2790f67dbfc1c3b0c3.jpg"
	}
}