Profero, a cybersecurity firm, revealed that the RansomEXX gang does not properly lock Linux files after encryption, potentially resulting in damaged data.
According to Profero’s new report, various files encrypted by the threat actor’s Linux VMware ESXI encryptor were not decoded with the RansomEXX decryptor for one of the gang’s ransom-paying victims.
Profero determined that the problem in decryption was caused by Linux files not being correctly locked when they were encrypted.
If the ransomware attempt to encrypt a Linux file while another process is writing to it without the file being locked, the encrypted file would have both encrypted and unencrypted data appended to it.
It usually happens because some Linux ransomware strains will seek to obtain a file lock using fcntl. Still, others will typically not attempt to lock files for writing and instead risk damaging the files deliberately or unwittingly because of not having proper Linux programming knowledge.
The Linux version of RansomExx didn’t even try to encrypt the file.
When RansomEXX encrypts a file, it adds an RSA encrypted decryption key at the end. If a victim pays a ransom, the threat actor will provide a decryptor that can decrypt each file’s encrypted decryption key before decrypting the file’s contents.
However, because these problematic encrypted files included unencrypted data at the end, the decryptor could not correctly read the encryption key and failed to decrypt the file.
Profero has developed an open-source RansomEXX decryptor to help clients and the larger cybersecurity community decrypt files encrypted by the gang.
Victims must still get a decryptor key from the threat actor, but instead of spending time vetting one given by the threat actor, they may instead use one created by a cybersecurity firm.
“Because the attackers provide paying victims with a decryption tool they must run to decrypt their files there is a risk that the decryption tool may be malicious. This requires affected victims to reverse engineer the provided decryption tool to ensure there is no hidden payload or malicious features, a time investment that can be problematic for some organizations during a ransomware incident,” explained Profero.