Kaspersky researchers recently discovered a new file-encrypting Trojan built as an executable and linkable format (ELF) that encrypts data on machines controlled by Linux-based operating systems.

This was significant because researchers considered this the first time a major Windows ransomware strain – RansomEXX – was ported to Linux. W3Techs reports that 28.8 percent of all web servers run on Linux.

According to a report last Friday, after initial analysis, the Kaspersky researchers noticed similarities in the code of the Trojan, the text of the ransom notes and the general approach to extortion that pointed to an encounter with a Linux strain of the RansomEXX ransomware family.

This malware – a highly-targeted Trojan – is notorious for attacking large organizations and was most active earlier this year.

Several organizations have fallen victim to this malware in recent months, including the Texas Department of Transportation (TxDOT) and Konica Minolta.

Javvad Malik, security awareness advocate for KnowBe4, said the attack against Linux systems demonstrates the ever-evolving nature of these criminal gangs. Malik said ransomware no longer simply encrypts the first endpoint it lands on; instead criminals spend days, weeks, or even months within an organization exfiltrating data and identifying the most lucrative data to encrypt with ransomware.

“With so many servers running Linux, it makes sense for criminals to target those with ransomware as opposed to endpoints which are comparatively easier to restore,” Malik said. “These tactics will continue to grow, so it's important for organizations to look at and prevent the root cause for how these attacks are successful. This includes a combination of technical controls as well as providing adequate security awareness and training to users.”