Kaspersky Lab has discovered malicious software written for Linux – this is the Windows version of the RansomExx cryptographer. Both versions differ in that they are entered into the system manually.


The new version of the cryptographer, discovered by Kaspersky Lab experts, is a product of the development of the authors of The ransomexx Trojan, which is indicated by several factors:


– using the same model of communication with victims of extortion;

– similarity of text versions in the ransom correspondence;

– and, most importantly, the similarity of the code is obvious to experts, even taking into account the fact that it was compiled by different means and for different platforms.



RansomExx has been noted in many places in the world: in the Brazilian Supreme court of justice, the Texas Department of transportation, Konica, IPG Photonics, and Tyler Technologies…


The special sophistication of the target impact of this Trojan is that for its full functioning, the network and system are first hacked, and only then the cryptographer is introduced manually.

Thus, in this mode of operation, attackers move freely within the network and system, which does not allow regular security tools to fully respond to the attack. Detection of such intrusions is possible only with the use of fairly advanced tools for detecting malicious behavior and comprehensive Analytics. Taking into account the professional level of malicious software developers, this presents additional difficulties, since they have a good understanding of how counteraction systems work and therefore minimize all the risks of detection.


Read more:


the Linux version is an ELF executable file called “svc-new”, which generates a 256-bit key that encrypts all files on the target system using the AES block cipher in ECB mode. Further, the AES key is additionally encrypted with the RSA-4096 public key embedded in the Trojan code, and finally, it is added to all encrypted files.


It is noted that it lacks the following functions (as unnecessary, due to the specifics of implementation):

– data exchange with the command server;

– anti-analysis tools;

– the ability to stop the process.


In addition, unlike the Windows version, the new version does not clog up all the free space on the server.


When paying a ransom, the victim receives two descriptors at once-both for Linux and for Windows. The RSA-4096 public private key and the encrypted file extension are embedded in the executable files of the descriptors.

Leave a Reply

Your email address will not be published. Required fields are marked *

GPD Host Contacts
GPD Host Social
Pay with Confidence

Copyright © 2015 - 2020 GPD Host All right reserved.

Warning: Invalid argument supplied for foreach() in /var/www/vhosts/blog.gpdhost.com/httpdocs/wp-includes/script-loader.php on line 2652