Security News > 2021 > September > RansomExx ransomware Linux encryptor may damage victims' files
Cybersecurity firm Profero has discovered that the RansomExx gang does not correctly lock Linux files during encryption, leading to potentially corrupted files.
In a new report by Profero, Senior Incident Responder Brenton Morris says the RansomEXX decryptor was failing on various files encrypted by the threat actor's Linux Vmware ESXI encryptor for one the victims who paid the ransom.
After reverse-engineering the RansomExx Linux encryptor, Profero discovered that the problematic decryption was caused by Linux files not being adequately locked while they were encrypted.
Without the file being locked, if the ransomware attempted to encrypt a Linux file simultaneously as another process wrote to it, the encrypted file would contain both encrypted data and unencrypted data appended after it, as shown below.
"Some strains of Linux ransomware will attempt to acquire a file lock using fcntl while others will often not attempt to lock files for writing, and instead either knowingly choose to take the risk of corrupting the files or do so unknowingly due to lack of Linux programming experience," Morris told BleepingComputer.
"Because the attackers provide paying victims with a decryption tool they must run to decrypt their files there is a risk that the decryption tool may be malicious. This requires affected victims to reverse engineer the provided decryption tool to ensure there is no hidden payload or malicious features, a time investment that can be problematic for some organizations during a ransomware incident," explains Profero's blog post.