RansomExx infection leading to potential file corruption on Linux systems

Description

FortiGuard Labs is aware of a report that the encryption process of the Linux variant of RansomExx ransomware has a bug that can corrupt files on Linux systems. Files corrupted this way cannot be decrypted with the decryption tool the RansomExx gang provides after the ransom is paid. RansomExx ransomware has been around since at least June 2020 and is available for both Windows and Linux platforms. The ransomware is believed to be a rebrand of Defray777 ransomware, and some researchers attribute both ransomware families to the cybercriminal group Gold Dupont.


Why is this Significant?

Although the Linux version of RansomExx was first reported in November 2020, a bug in its encryption process that leads to potential file corruption had not previously been reported. As a result, a victim is unable to recover the affected files using the RansomExx gang's decryption tool even after paying the ransom.


What is RansomExx Ransomware?

RansomExx is a double extortion ransomware: it demands a ransom from the victim both for decrypting the files it encrypted and for not releasing the files it stole. RansomExx ransomware has been active since at least June 2020. Though the ransomware was initially available only for the Windows platform, a Linux version was later reported in November 2020. According to some researchers, RansomExx is a rebrand of Defray777 ransomware. Security vendor Profero, which reported the potential file corruption by the ransomware on Linux systems, stated that attacks performed by the RansomExx gang are likely targeted, as the ransomware is "specifically compiled for each attack, with the target organization's name included in the embedded ransom note".


In the past, the IcedID Trojan was reported as a distribution vehicle for RansomExx.


What is Gold Dupont?

"Gold Dupont" is the name some security researchers gave to the financially motivated threat actor behind RansomExx; the group appears to have been active since 2018. Tools such as Trickbot, IcedID, Cobalt Strike, PyXie and VatetLoader have been potentially associated with Gold Dupont.


What is the Bug in RansomExx's Encryption Process that Leads to Potential File Corruption?

The bug is due to the lack of an adequate file locking mechanism while the ransomware encrypts files. Because of it, the ransomware can encrypt a file at the same time as another application is writing to it, so the bytes on disk end up as a mix of ciphertext and plaintext (or the application's write is silently lost). Since the decryptor treats the whole file as ciphertext, even the decryption tool the RansomExx gang provides to a paying victim cannot recover such a file. The files most exposed are those another process keeps open for writing during the attack, such as databases, logs and mail spools; for those files, recovery depends on backups rather than on the decryptor, and decrypted output that fails the owning application's own integrity checks is the practical indicator that a file was hit by this bug.
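The following Python simulation is added here to make the failure mode concrete; it is not RansomExx code and is not based on Profero's analysis of the malware. It models a chunked in-place encryptor that takes no lock and lets a second writer touch the file between chunks, then runs a decryptor over the result and reports which byte ranges no longer match what the writing application believes is on disk. The cipher is a toy SHA-256 keystream, the key, file contents and log line are constructed, and the encryptor reading the file size once before it starts is an assumption of the model; only the interleaving matters. Two writer behaviours are shown: a log-style append and a database-style header rewrite.

```python
import hashlib
import os
import tempfile
from typing import Callable, List, Optional, Tuple

CHUNK = 16  # bytes rewritten per step; small so the interleavings stay visible

# Constructed sample file: three 16-byte "pages" of a database-like file.
ORIGINAL = b"HEADER v1 ......" + b"row 1 .........." + b"row 2 .........."
KEY = b"example-key"  # assumption: any fixed key; real key handling is out of scope


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode). It stands in for the real cipher
    only so the race runs on the standard library; it is an assumption of this
    example, not RansomExx's algorithm."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_at(data: bytes, key: bytes, offset: int) -> bytes:
    """XOR `data` with the keystream slice that belongs at file offset `offset`,
    so the same call encrypts and decrypts."""
    ks = keystream(key, offset + len(data))[offset:]
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt_in_place(path: str, key: bytes):
    """Chunked in-place encryptor that takes no lock. It reads the size once, then
    rewrites the file chunk by chunk and yields after each chunk: every yield is a
    point at which another process writing the same file could be scheduled."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for offset in range(0, size, CHUNK):
            f.seek(offset)
            chunk = f.read(CHUNK)
            f.seek(offset)
            f.write(xor_at(chunk, key, offset))
            f.flush()
            yield offset + len(chunk)


def decrypt_whole_file(path: str, key: bytes) -> bytes:
    """What a decryptor does after payment: treat every byte on disk as ciphertext."""
    with open(path, "rb") as f:
        return xor_at(f.read(), key, 0)


# Two concurrent writers. Each performs a raw write on the path and returns the
# content the writing application now believes is on disk.
LOG_LINE = b"2022-01-01T00:00:00Z write ok\n"  # constructed log line


def append_log_line(path: str, expected: bytes) -> bytes:
    with open(path, "ab") as f:
        f.write(LOG_LINE)
    return expected + LOG_LINE


NEW_HEADER = b"HEADER v2 ......"  # 16 bytes, lands exactly on page 0


def rewrite_header(path: str, expected: bytes) -> bytes:
    with open(path, "r+b") as f:
        f.seek(0)
        f.write(NEW_HEADER)
    return NEW_HEADER + expected[len(NEW_HEADER):]


def simulate(original: bytes, key: bytes, after_step: Optional[int],
             writer: Optional[Callable[[str, bytes], bytes]]) -> Tuple[bytes, bytes]:
    """Encrypt `original` in place, letting `writer` run once after `after_step`
    chunks. Returns (what the decryptor recovers, what the writer expects)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as f:
            f.write(original)
        expected = original
        for step, _ in enumerate(encrypt_in_place(path, key), start=1):
            if writer is not None and step == after_step:
                expected = writer(path, expected)
        return decrypt_whole_file(path, key), expected
    finally:
        os.unlink(path)


def corrupted_ranges(got: bytes, expected: bytes) -> List[Tuple[int, int]]:
    """Byte ranges [start, end) where the recovered file deviates from what the
    writing application expects; a length mismatch counts as a deviation."""
    n = max(len(got), len(expected))
    ranges, start = [], None
    for i in range(n + 1):
        same = i == n or (i < len(got) and i < len(expected) and got[i] == expected[i])
        if not same and start is None:
            start = i
        elif same and start is not None:
            ranges.append((start, i))
            start = None
    return ranges


if __name__ == "__main__":
    for label, step, writer in [("no concurrent writer", None, None),
                                ("log append after chunk 1", 1, append_log_line),
                                ("header rewrite after chunk 1", 1, rewrite_header)]:
        got, expected = simulate(ORIGINAL, KEY, step, writer)
        print(f"{label}: corrupted byte ranges {corrupted_ranges(got, expected)}")
```

With no concurrent writer the decryptor recovers the file exactly. An append made after the encryptor has read the size is never encrypted, so the decryptor turns the appended plaintext into garbage and the tail is lost. A header rewrite over a page the encryptor has already processed leaves plaintext in the middle of ciphertext, so the decryptor garbles that page and the application's update is lost as well. An advisory lock on the encryptor's side would only help if the writing application honoured it, which is why, from the victim's side, backups are the only reliable path for such files.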


What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage:

Linux/Ransomexx.A!tr

ELF/RansomEXX.A!tr

W32/Filecoder.OCN!tr.ransom

W32/Encoder.KBJ!tr.ransom