{ "id": "bd5a13f7-40bf-47e2-bd5a-2ad901c8c871", "created_at": "2026-04-06T00:16:55.909094Z", "updated_at": "2026-04-10T03:20:19.758041Z", "deleted_at": null, "sha1_hash": "bfd403946ea58af0383e6cd93c69a60d031171dc", "title": "RansomExx ransomware also encrypts Linux systems", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 2946103, "plain_text": "RansomExx ransomware also encrypts Linux systems\r\nBy Lawrence Abrams\r\nPublished: 2020-11-06 · Archived: 2026-04-05 17:33:32 UTC\r\nWith companies commonly using a mixed environment of Windows and Linux servers, ransomware operations have\r\nincreasingly started to create Linux versions of their malware to ensure they encrypt all critical data.\r\nA new report today by Kaspersky takes a look at the Linux version of the RansomExx ransomware, also known as\r\nDefray777.\r\nRansomExx has been getting a lot of attention this week due to their ongoing attacks against Brazil's government\r\nnetworks and previous attacks against the Texas Department of Transportation (TxDOT), Konica Minolta, IPG Photonics,\r\nand Tyler Technologies.\r\nhttps://www.bleepingcomputer.com/news/security/ransomexx-ransomware-also-encrypts-linux-systems/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/ransomexx-ransomware-also-encrypts-linux-systems/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nLinux version of RansomExx\r\nAccording to Kaspersky, when targeting Linux servers, the RansomExx operators will deploy an ELF executable named\r\n'svc-new' used to encrypt a victim's server.\r\n\"After the initial analysis we noticed similarities in the code of the Trojan, the text of the ransom notes and the general\r\napproach to extortion, which suggested that we had in fact encountered a Linux build of the previously known ransomware\r\nfamily RansomEXX,\" Kaspersky researchers stated in their report.\r\nEmbedded in the Linux executable are a public RSA-4096 encryption key, the ransom note, and an extension named after\r\nthe customer that will be appended to all encrypted files.\r\nCode to encrypt files in Linux version\r\nUnlike the Windows version, Kaspersky states that the Linux version is a no-frills ransomware. It does not contain any code\r\nto terminate processes, including security software, does not wipe free space like the Windows version does, and does not\r\ncommunicate with a command and control server.\r\nIf a victim pays the ransom, they will receive both a Linux and Windows decryptor with the corresponding RSA-4096\r\nprivate key and encrypted file extension embedded in the executable.\r\nThe Linux version is named 'decryptor64' and is a command-line driven decryptor, as shown below.\r\nhttps://www.bleepingcomputer.com/news/security/ransomexx-ransomware-also-encrypts-linux-systems/\r\nPage 3 of 4\n\nFabian Wosar, the CTO of cybersecurity firm Emsisoft, told BleepingComputer that he first saw RansomExx utilizing a\r\nLinux version in attacks in July 2020, but may have been used earlier. \r\nRansomExx is not the first ransomware to create Linux versions. In the past, Pysa (Menispoza), Snatch, and\r\nPureLocker have also distributed Linux variants.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/ransomexx-ransomware-also-encrypts-linux-systems/\r\nhttps://www.bleepingcomputer.com/news/security/ransomexx-ransomware-also-encrypts-linux-systems/\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://www.bleepingcomputer.com/news/security/ransomexx-ransomware-also-encrypts-linux-systems/" ], "report_names": [ "ransomexx-ransomware-also-encrypts-linux-systems" ], "threat_actors": [], "ts_created_at": 1775434615, "ts_updated_at": 1775791219, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/bfd403946ea58af0383e6cd93c69a60d031171dc.pdf", "text": "https://archive.orkl.eu/bfd403946ea58af0383e6cd93c69a60d031171dc.txt", "img": "https://archive.orkl.eu/bfd403946ea58af0383e6cd93c69a60d031171dc.jpg" } }