RansomExx malware offers new features to bypass detection
The threat group DefrayX has released a new version of its RansomExx ransomware, tracked as RansomExx2: a Linux variant rewritten in the Rust programming language, according to IBM Security X-Force threat researchers. The switch is most likely intended to evade antivirus detection, since Rust binaries currently attract lower AV detection rates than malware written in more common languages.
Rust also has the advantage of being platform-agnostic, in addition to being harder to detect and reverse-engineer. Because the new codebase is portable, IBM expects a Windows build to follow the current Linux version, if one is not already in circulation undetected.
RansomExx is a ransomware family that has been active since 2018 and is also known as Defray777 and Ransom X. It has been linked to a number of attacks on government agencies, manufacturers and other high-profile targets, including Embraer and GIGABYTE.
RansomExx2 behaves in the same way as its C++ predecessor. It takes the list of directories to encrypt as command line arguments and encrypts nothing if it is run with no arguments; it also has to be invoked with a specific command line syntax in order to run at all. Once started, it recursively walks each listed directory and encrypts every file of 40 bytes or more with AES-256, skipping only its own ransom notes and files it has already encrypted.
Each encrypted file is given a new extension. RansomExx extensions are typically derived from a variant of the victim organisation's name, sometimes followed by digits such as '911' or random characters.
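As an added illustration (not code from this page, from IBM's report, or from the malware itself), the following Python script models the file-selection rules just described: it walks only the directories it is handed, skips ransom notes and files that already carry the encrypted extension, and selects files of at least 40 bytes. The extension `.victim` and the note name `!READ_ME.txt` are placeholder values chosen for the demo, and the directory tree it builds is constructed sample data, not incident evidence. It is useful for responders who want to reason about which files an intrusion like this would and would not have touched.

```python
import os
import tempfile
from pathlib import Path

# Threshold from IBM's description: files smaller than 40 bytes are left alone.
MIN_SIZE = 40


def select_targets(dirs, encrypted_ext, note_name):
    """Return the files that the described traversal would encrypt.

    dirs:          directories given on the command line (an empty list selects nothing)
    encrypted_ext: victim-specific extension (hypothetical value in the demo)
    note_name:     ransom note filename (hypothetical; the page does not give it)
    """
    targets = []
    for d in dirs:
        for root, _subdirs, files in os.walk(d):  # recursive traversal of each listed dir
            for name in files:
                path = Path(root) / name
                if name == note_name:               # ransom notes are skipped
                    continue
                if name.endswith(encrypted_ext):    # already-encrypted files are skipped
                    continue
                try:
                    size = path.stat().st_size
                except OSError:                     # unreadable entry: nothing to encrypt
                    continue
                if size < MIN_SIZE:                 # only files of 40 bytes or more
                    continue
                targets.append(path)
    return sorted(targets)


def build_sample_tree(base):
    """Constructed sample tree (not real incident data) that exercises every rule."""
    base = Path(base)
    (base / "data" / "sub").mkdir(parents=True)
    (base / "data" / "report.docx").write_bytes(b"A" * 4096)       # selected
    (base / "data" / "sub" / "notes.txt").write_bytes(b"B" * 40)   # exactly 40 bytes: selected
    (base / "data" / "tiny.cfg").write_bytes(b"C" * 39)            # below threshold: skipped
    (base / "data" / "old.pdf.victim").write_bytes(b"D" * 1000)    # already encrypted: skipped
    (base / "data" / "!READ_ME.txt").write_bytes(b"E" * 500)       # ransom note: skipped
    (base / "other").mkdir()
    (base / "other" / "outside.bin").write_bytes(b"F" * 1000)      # only hit if "other" is listed
    return base


def demo(dirs_relative=("data",)):
    """Build the sample tree, run the selection, and return relative POSIX paths."""
    with tempfile.TemporaryDirectory() as tmp:
        base = build_sample_tree(tmp)
        dirs = [str(base / d) for d in dirs_relative]
        hits = select_targets(dirs, ".victim", "!READ_ME.txt")
        return [p.relative_to(base).as_posix() for p in hits]


if __name__ == "__main__":
    print("no arguments  ->", demo(()))
    print("data only     ->", demo())
    print("data + other  ->", demo(("data", "other")))
```

Because the traversal only touches the directories passed on the command line, the boundary between encrypted and untouched files in a victim's filesystem is a direct record of which paths the operator supplied, which is worth capturing during triage.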
IBM reported that one sample that it analyzed “was not detected as malicious in the VirusTotal platform for at least 2 weeks after its initial submission” and that “the new sample is still only detected by 14 out of the 60+ AV providers represented in the platform.”
The sources for this piece include an article in DarkReading.