
RansomExx Linux Ransomware

Cybersecurity researchers have analyzed the ransomware threat deployed by the RansomExx Ransomware hackers and discovered that it may botch its encryption routine. The result is that even after victims have paid the demanded ransom to the attackers and received the decryptor key and tool that are supposed to restore their files, the data could still remain damaged, inaccessible, and ultimately, unusable. 

The RansomExx Linux Ransomware, as its name suggests, targets Linux systems and locks the files stored there. Unfortunately, whether by deliberate choice or through unfamiliarity with Linux, the encryption process was not thoroughly thought out. The infosec researchers discovered that the threat does not place a file lock on the file it is currently encrypting. This allows another currently active process to write new data to the file. The end result is a file containing encrypted data followed by a chunk of unencrypted data.

The issue arises when the victims have decided to yield and pay the demanded amount to the attackers, hoping to get their data back as soon as possible. The dedicated decryptor tool received from the threat actor first decrypts each file's decryption key and then uses that key to restore the file itself. However, the presence of normal data appended at the end of the file causes the decryptor to fail to obtain the key, and the file remains locked.
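An incident responder can flag files left in this state by looking for a low-entropy tail after high-entropy content. The Python below is an added example, not the researchers' decryptor or code from the original article; the window size, threshold, helper names and sample data are assumptions constructed for illustration, and appended data that is itself compressed or encrypted will not be detected.

```python
import hashlib
import math
from collections import Counter

WINDOW = 256      # bytes per entropy sample (assumed value)
THRESHOLD = 6.0   # bits/byte; random 256-byte samples score about 7.2

def shannon_entropy(chunk: bytes) -> float:
    """Empirical byte entropy of chunk, in bits per byte."""
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())

def plaintext_tail_offset(data: bytes):
    """Offset where a low-entropy tail follows high-entropy data, else None.

    The result is rounded to WINDOW, so it marks the region to inspect,
    not the exact byte where the append began.
    """
    full = len(data) - len(data) % WINDOW  # a short final window is too small to score
    last_high_end = None
    for off in range(0, full, WINDOW):
        if shannon_entropy(data[off:off + WINDOW]) >= THRESHOLD:
            last_high_end = off + WINDOW
    if last_high_end is None or last_high_end >= full:
        return None  # not encrypted at all, or nothing low-entropy after it
    return last_high_end

def fake_ciphertext(n: int) -> bytes:
    """Constructed stand-in for encrypted bytes (SHA-256 in counter mode)."""
    out = b"".join(hashlib.sha256(i.to_bytes(8, "big")).digest()
                   for i in range(n // 32 + 1))
    return out[:n]

# Constructed sample: 4096 "encrypted" bytes, then log lines appended by another process.
LOG_LINE = b"2020-01-01 00:00:00 service heartbeat ok\n"
INTACT = fake_ciphertext(4096)
APPENDED = INTACT + LOG_LINE * 20

if __name__ == "__main__":
    print("intact:  ", plaintext_tail_offset(INTACT))
    print("appended:", plaintext_tail_offset(APPENDED))
```
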

To help victims who, in this situation, have lost both their files and a sizable chunk of money, experts have released a free decryptor that fixes the issue and successfully salvages the affected files. Unfortunately, it still requires the decryption key possessed by the RansomExx hackers to work.

The situation with the RansomExx Linux Ransomware shows that paying the hackers is not a viable solution, as it still carries enormous risks. The decryptors may not work properly or they could carry additional corrupted payloads that will be delivered to the system. Meanwhile, the attackers could use the ransom funds to start planning their next nefarious operation.

