Threat Signal Report

RansomExx infection leading to potential file corruption on Linux system

Description

FortiGuard Labs is aware of a report that the encryption process of a Linux variant of RansomExx ransomware has a bug leading to potential file corruption on Linux systems. The corrupted files cannot be decrypted using the decryption tool provided by the RansomExx gang after the ransom payment is made. RansomExx ransomware has been around since at least June 2020 and is available for both Windows and Linux platforms. The ransomware is believed to be a rebrand of Defray777 ransomware. Some researchers have attributed both ransomware families to the cybercriminal group Gold Dupont.


Why is this Significant?

Although the Linux version of RansomExx was first reported in November 2020, a bug in its encryption process that leads to potential file corruption was not previously reported. As a result, the victim is unable to recover the affected encrypted files using the RansomExx decryption tool even if the ransom is paid.


What is RansomExx Ransomware?

RansomExx is a double extortion ransomware that demands a ransom from the victim both for decrypting the files it encrypted and for not releasing the files it stole. RansomExx ransomware has been active since at least June 2020. Though the ransomware was initially available only for the Windows platform, a Linux version was later reported in November 2020. According to some researchers, RansomExx is a rebrand of Defray777 ransomware. Security vendor Profero, who reported the potential file corruption by the ransomware on Linux systems, stated that attacks performed by the RansomExx gang are likely targeted, as the ransomware is "specifically compiled for each attack, with the target organization's name included in the embedded ransom note".


In the past, the IcedID Trojan malware was reported as a distribution vehicle for RansomExx.


What is Gold Dupont?

A financially motivated threat actor behind RansomExx was dubbed "Gold Dupont" by some security researchers and appears to have been active since 2018. Tools such as Trickbot, IcedID, Cobalt Strike, PyXie and VatetLoader have potentially been associated with Gold Dupont.


What is the Bug in RansomExx's Encryption Process that Leads to Potential File Corruption?

The bug is due to the lack of an adequate file locking mechanism while the ransomware encrypts files. Because of it, the ransomware can be encrypting a file at the same time as another application is writing to it, which corrupts the file. Once the file is corrupted, even the decryption tool provided by the RansomExx gang to a paying victim is unable to decrypt it.
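To make the failure mode concrete, the following added example (written for this report, not code from Profero, FortiGuard Labs or the ransomware itself) models the race in a few dozen lines of Python. The "cipher" is a deliberately toy XOR keystream, the in-memory bytearray stands in for a file, and the sample content and the concurrent application write are constructed; the point is only to show why a file modified while it is being encrypted cannot be restored by the decryptor, and how a defender can triage recovered files against a reference hash from backups or file integrity monitoring rather than trusting the decryption tool's output.

```python
import hashlib
from typing import Callable, Optional

BLOCK = 16  # toy block size, chosen for readability

# Constructed sample file content and key (assumptions for this example).
ORIGINAL = b"constructed sample log data: line one\nline two\nline three\n"
KEY = b"toy-key"
# 16-byte block an application rewrites while encryption is in progress (constructed).
NEW_HEADER = b"rotated-hdr-0001"
# Reference hash a defender would take from backups or integrity monitoring.
REFERENCE_HASH = hashlib.sha256(ORIGINAL).hexdigest()


def keystream(key: bytes, index: int) -> bytes:
    # Toy keystream: SHA-256(key || block index), truncated to BLOCK bytes.
    # Illustrative only; not a real cipher construction.
    return hashlib.sha256(key + index.to_bytes(8, "big")).digest()[:BLOCK]


def xor_block(data: bytes, ks: bytes) -> bytes:
    # zip() truncates to the shorter input, so a short final block is handled.
    return bytes(a ^ b for a, b in zip(data, ks))


def transform_in_place(buf: bytearray, key: bytes,
                       on_block: Optional[Callable[[bytearray, int], None]] = None) -> None:
    """Encrypt or decrypt `buf` block by block (XOR is its own inverse).

    `on_block(buf, i)` is invoked after block i has been written back and models
    another process writing to the same file with no lock held by the encryptor.
    """
    nblocks = (len(buf) + BLOCK - 1) // BLOCK
    for i in range(nblocks):
        start = i * BLOCK
        chunk = bytes(buf[start:start + BLOCK])
        buf[start:start + len(chunk)] = xor_block(chunk, keystream(key, i))
        if on_block is not None:
            on_block(buf, i)


def concurrent_app_write(buf: bytearray, i: int) -> None:
    # Simulated application: right after block 0 has been encrypted, it rewrites
    # block 0 with fresh plaintext (e.g. a log header update). The plaintext now
    # sits where the decryptor expects ciphertext.
    if i == 0:
        buf[0:BLOCK] = NEW_HEADER


def run(writer: Optional[Callable[[bytearray, int], None]] = None) -> bytes:
    """Encrypt ORIGINAL (optionally with a concurrent writer), then decrypt it."""
    buf = bytearray(ORIGINAL)
    transform_in_place(buf, KEY, writer)  # encryption pass, possibly raced
    transform_in_place(buf, KEY)          # decryptor pass, no writer
    return bytes(buf)


def recoverable(decrypted: bytes, reference_sha256: str) -> bool:
    """Defender-side triage: compare decryptor output against a known-good hash."""
    return hashlib.sha256(decrypted).hexdigest() == reference_sha256


if __name__ == "__main__":
    clean = run()
    raced = run(concurrent_app_write)
    print("no concurrent write, recoverable:", recoverable(clean, REFERENCE_HASH))
    print("concurrent write,    recoverable:", recoverable(raced, REFERENCE_HASH))
    print("blocks after the raced one intact:", raced[BLOCK:] == ORIGINAL[BLOCK:])
```

With no concurrent writer the decryptor restores the file exactly. With the writer, block 0 is neither the original content nor the application's new header after decryption: the decryptor XORs a keystream into plaintext it never encrypted, so both the old and the new data in that block are lost while the remaining blocks come back intact. That is exactly the situation in which a paying victim's decryption tool "succeeds" yet the file is unusable, and why recovered files should be validated against backup or integrity-monitoring hashes before being trusted.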


What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage:

Linux/Ransomexx.A!tr

ELF/RansomEXX.A!tr

W32/Filecoder.OCN!tr.ransom

W32/Encoder.KBJ!tr.ransom


Definitions

Traffic Light Protocol

Color | When should it be used? | How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.