Cybersecurity firm Profero has discovered that the RansomExx gang's Linux encryptor does not lock files while encrypting them, which can leave encrypted files corrupted and impossible to decrypt.
In a new report from Profero, Senior Incident Responder Brenton Morris says the RansomEXX decryptor failed on several files encrypted by the threat actor's Linux VMware ESXi encryptor for one of the victims who paid the ransom.
After reverse engineering the RansomExx Linux Encryptor, Profero discovered that the problematic decryption was caused by insufficient locking of Linux files during the encryption.
If the ransomware encrypted a file while another process was still writing to it, and the file was not locked, the resulting file contained the encrypted data followed by unencrypted data that the other process appended after the encryptor had finished.
“Some strains of Linux ransomware attempt to lock files using fcntl, while others often do not try to lock files for writing, but either consciously take the risk of damaging the files or do so unknowingly due to a lack of Linux programming experience,” Morris told BleepingComputer.
“The Linux version of RansomEXX did not attempt to lock the file at all.”
When RansomExx encrypts a file, it appends an RSA-encrypted decryption key to the end of each encrypted file.
When a victim pays a ransom, the threat actor provides a decryptor that can decrypt the encrypted decryption key of each file and then decrypt the contents of the file.
However, because these problematic files had unencrypted data appended after the key block, the decryptor read the wrong bytes from the end of the file, could not recover the encrypted key, and so could not decrypt the file.
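The failure mode described above, and the effect of taking a lock, can be reproduced with a small model. The following is an added example and not code from RansomExx or from Profero: the trailer layout (a marker, a wrapped per-file key and a ciphertext length), the SHA-256 counter-mode stream cipher and the XOR key wrapping are hypothetical stand-ins for the real format and for RSA, chosen so the script runs with the Python standard library only. It encrypts a file in place, lets a second writer append a record while the encryptor still has the file open, and then shows that a decryptor which trusts the last bytes of the file fails, while one that locates and validates the trailer recovers the data and separates the stray plaintext. With `lock=True` the encryptor holds an exclusive `flock`, and the cooperating writer sees the conflict and backs off.

```python
"""Toy model of encrypting a Linux file without and with a lock.

Added example, not RansomExx or Profero code. Format and cipher are stand-ins.
"""
import fcntl
import hashlib
import os
import struct
import tempfile

MAGIC = b"TOYEXX"                                  # hypothetical trailer marker
WRAP_KEY = hashlib.sha256(b"stand-in for attacker RSA key").digest()
TRAILER_LEN = len(MAGIC) + 32 + 8                  # marker || wrapped key || u64 ct length


def keystream(key: bytes, n: int) -> bytes:
    # SHA-256 in counter mode: a toy stream cipher, not for real use.
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack(">Q", ctr)).digest()
        ctr += 1
    return bytes(out[:n])


def xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def build_trailer(file_key: bytes, ct_len: int) -> bytes:
    # Stand-in for the RSA-encrypted per-file key appended to each file.
    return MAGIC + xor(file_key, WRAP_KEY) + struct.pack(">Q", ct_len)


def encrypt_file(path: str, lock: bool, concurrent_writer=None) -> None:
    """Encrypt in place. With lock=True an exclusive flock is held until close."""
    file_key = os.urandom(32)
    with open(path, "r+b") as f:
        if lock:
            fcntl.flock(f.fileno(), fcntl.LOCK_EX)
        ct = xor(f.read(), file_key)
        f.seek(0)
        f.write(ct + build_trailer(file_key, len(ct)))
        f.truncate()
        f.flush()
        if concurrent_writer:
            concurrent_writer()      # another "process" touching the file meanwhile


def append_if_unlocked(path: str, data: bytes) -> bool:
    """A cooperating writer: appends only if no exclusive lock is held."""
    with open(path, "ab") as f:
        try:
            fcntl.flock(f.fileno(), fcntl.LOCK_SH | fcntl.LOCK_NB)
        except BlockingIOError:
            return False
        f.write(data)
        return True


def decrypt_naive(blob: bytes) -> bytes:
    """Trusts that the trailer is the last TRAILER_LEN bytes of the file."""
    body, trailer = blob[:-TRAILER_LEN], blob[-TRAILER_LEN:]
    if not trailer.startswith(MAGIC):
        raise ValueError("trailer not found at end of file")
    file_key = xor(trailer[len(MAGIC):len(MAGIC) + 32], WRAP_KEY)
    return xor(body, file_key)


def decrypt_tolerant(blob: bytes):
    """Finds the trailer by marker and checks its length field against its
    own offset, so plaintext appended after it is split off, not decrypted."""
    pos = blob.find(MAGIC)
    while pos != -1:
        trailer = blob[pos:pos + TRAILER_LEN]
        if len(trailer) == TRAILER_LEN:
            (ct_len,) = struct.unpack(">Q", trailer[-8:])
            if ct_len == pos:
                file_key = xor(trailer[len(MAGIC):len(MAGIC) + 32], WRAP_KEY)
                return xor(blob[:pos], file_key), blob[pos + TRAILER_LEN:]
        pos = blob.find(MAGIC, pos + 1)
    raise ValueError("no consistent trailer found")


def demo(lock: bool):
    """Returns (naive_ok, tolerant_ok, writer_appended, stray_plaintext)."""
    original = b"important database page\n"          # constructed sample content
    stray = b"row appended mid-encryption\n"          # constructed concurrent write
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, original)
        os.close(fd)
        outcome = {}
        encrypt_file(path, lock, lambda: outcome.setdefault("ok", append_if_unlocked(path, stray)))
        with open(path, "rb") as f:
            blob = f.read()
        try:
            naive_ok = decrypt_naive(blob) == original
        except ValueError:
            naive_ok = False
        recovered, tail = decrypt_tolerant(blob)
        return naive_ok, recovered == original, outcome["ok"], tail
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("no lock:", demo(lock=False))
    print("flock  :", demo(lock=True))
```

Two caveats apply to the locking half. First, `flock` and `fcntl` locks on Linux are advisory: they only stop writers that also ask for the lock, as the cooperating writer here does, so a process that simply has the file open for writing will still append regardless. Second, that is why the decryption side also needs to be robust: validating that a candidate trailer is consistent with its own position in the file, rather than assuming it occupies the last bytes, is what lets the tolerant decryptor survive appended plaintext.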
Fixed decryptor released
To help its customers and the wider cybersecurity community, Profero has released an open source RansomEXX decryptor that can decrypt files that are encrypted with this file locking problem.
Victims must still have obtained the decryption key from the threat actor, but they can now run a decryptor built by a cybersecurity firm rather than spend time vetting the one the attackers provide.
“Because the attackers provide paying victims with a decryption tool that they must run to decrypt their files, there is a risk that the decryption tool could be malicious. This requires victims to reverse engineer the provided decryption tool to ensure there is no hidden payload or malicious features, a time investment that can be problematic for some companies during a ransomware incident,” explains Profero's blog post.
Full instructions, including the decryptor's command-line usage, can be found in Profero's post and on the decryptor's GitHub page.