It sometimes seems that a new, extremely dangerous, form of ransomware is being discovered every week. The past few months have offered no reprieve. On Nov. 6, the security researchers at Kaspersky Lab, announced that they had found a new version of the ransomware RansomEXX. Unlike other varieties, this updated RansomEXX seems to exclusively target Linux systems, according to SiliconANGLE.
Keeping track of all of the ways that your organization's devices can be held hostage is exhausting. Avoiding the riskiest programming languages, like Java, is a great starting place.
A new target
While RansomEXX cyberattacks are nothing new, the form recently detected by Kaspersky is unique from its predecessors because it seems to exclusively live on Linux operating systems. RansomEXX, and ransomware as a whole, is most commonly associated with the Microsoft Windows operating system. However, some experts say this may be rapidly changing.
"Although not unique, it is rare to see ransomware appear on Linux … As usage of cloud resources has ramped up, the ability to have eyes on all of your cloud workloads and potential threats has diminished," Gavin Matthews, a product manager at cybersecurity firm Red Canary Inc., said in an interview with SiliconANGLE.
The new form of RansomEXX works by generating a 256-bit key and using to encrypt all of the available files. While strategy is relatively common for ransomware, researchers have noted that the Linux form of RansomEXX is limited compared to some other threats that use a similar strategy. For example, the attack can not reach command-and-control servers or deploy its own anti-security tools. These limitations make the threat easier to detect, but does not mean that it is not extremely dangerous.
So far, Linux based RansomEXX has been used on several high-profile targets, including the Texas Department of Transport, the laser company IP Photonics Corp. and the Brazilian Court system. The cyberattack in Brazil was particularly impactful, affecting both the system's data as well as its backups and leading the courts to suspend sessions temporarily. Many court cases in the country were being held virtually as a result of the COVID-19 pandemic. According to ZDNet, the attack was being described by some experts as "the worst ever cybersecurity incident ever recorded in Brazil."
In addition to its unique focus on Linux systems, the new form of RansomEXX stands out for some quirks in its code. Both the encrypted file extension and listed email address attached to each attack have the name of the victim included. This means that the program can only be used in attacks with a specific target and can't be spread naturally.
The rise of ransomware in 2020
It's no secret that the uncertainty of 2020, with many organizations converting to remote work without full security protocols in place, have been a boon for hackers. Ransomware in particular has been on the rise as of late. According to Security Infowatch, in the past year a company has been attacked by ransomware an average of every 11 seconds. The total cost of these cyberattacks is speculated to reach $20 billion by 2021. In addition to smaller organizations across the globe, many larger organizations, including Tyler Technologies and Tesla, were also victims.
Many of the most common ransomware threats utilized the Java coding language to embed themselves in devices. For example, the threat known as Tycoon has far been found to only attack systems with Java code, due to its appropriation of the JIMAGE file format. The recently discovered ransomware has been found in the servers of accounting, software and entertainment companies. Like RansomEXX, Tycoon has been found on Linux operating systems, in addition to Windows. While Tycoon has resulted in intellectual property theft, it has not yet caused any financial damage. As companies look forward to 2021, that may quickly change.
Other serious ransomware threats that gained new levels of notoriety in 2020 include NetWalker, which has mostly targeted health care providers during the COVID-19 pandemic, and REvil, which was used to steal the personal information of celebrities like Drake, Elton John, Mariah Carey and Robert De Niro.
The shortcomings of Java
The rise of Tycoon, and other ransomware threats like it, demonstrate the ways that even with an effective patching strategy, Java code and other less secure programming languages can still be exploited. While Java is an essential building block of many programs, its ubiquity also makes it uniquely vulnerable to cyberattacks. Getting rid of unsecured, obsolete Java terminals or mainframes that run heavily on Java is one of the easiest and most important ways to shore up your network. The Terminal Emulation tools offered by the Inventu Corporation can mitigate the risk completely.