Heimdal

Interlock ransomware operators have created an encryptor built to target FreeBSD servers. Dedicated encryptors of this kind are a tactic hackers more commonly use in attacks on VMware ESXi servers and virtual machines.

Security researchers have now analyzed a sample of the FreeBSD ELF encryptor, and the results are unsettling: FreeBSD machines have become an interesting enough target for threat actors to invest the effort in building dedicated malware.

Bleepingcomputer’s journalist, Lawrence Abrams, observed that:

While it is common to see Linux encryptors created to target VMware ESXi servers and virtual machines, it is rare to see ones created for FreeBSD. The only other ransomware operation known to have created FreeBSD encryptors is the now-defunct Hive ransomware operation, which was disrupted by the FBI in 2023.

Source – Bleepingcomputer.com
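The article refers to the sample as a FreeBSD ELF encryptor. One quick triage check a responder can run on an unknown binary is to read the ELF header, whose EI_OSABI byte records the target operating system (the value 9 is reserved for FreeBSD in the ELF specification). The following is an added example, not code from the article or from any researcher's analysis; the headers it parses are constructed in the script and are not taken from any real sample.

```python
"""Read the ELF identification bytes of a binary to see which OS and CPU it
was built for. Added example; the sample headers below are constructed."""
import struct

# Offsets inside e_ident[] and a few well-known values (ELF specification).
EI_CLASS, EI_DATA, EI_OSABI = 4, 5, 7
OSABI_NAMES = {0: "System V / generic", 2: "NetBSD", 3: "GNU/Linux",
               9: "FreeBSD", 12: "OpenBSD"}
MACHINE_NAMES = {3: "x86", 62: "x86-64", 183: "AArch64"}
ELFOSABI_FREEBSD = 9


def is_elf(data: bytes) -> bool:
    """True when the buffer starts with the ELF magic and is long enough to hold
    e_ident plus e_type/e_machine."""
    return len(data) >= 20 and data[:4] == b"\x7fELF"


def elf_target(data: bytes) -> dict:
    """Return the word size, OS/ABI, and CPU architecture declared in the header.

    EI_OSABI is only a declaration made by the linker: a cross-compiled or
    deliberately patched binary can carry any value, so treat the result as a
    triage hint to be confirmed by the .note.tag section and dynamic analysis.
    """
    if not is_elf(data):
        raise ValueError("not an ELF file")
    word_bits = 64 if data[EI_CLASS] == 2 else 32
    endian = "<" if data[EI_DATA] == 1 else ">"   # 1 = little-endian, 2 = big-endian
    osabi = data[EI_OSABI]
    # e_type and e_machine are the two 16-bit fields right after e_ident (offset 16).
    _e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {
        "bits": word_bits,
        "osabi": OSABI_NAMES.get(osabi, f"unknown ({osabi})"),
        "machine": MACHINE_NAMES.get(e_machine, f"unknown ({e_machine})"),
        "freebsd": osabi == ELFOSABI_FREEBSD,
    }


def make_header(osabi: int, machine: int, bits: int = 64,
                little_endian: bool = True) -> bytes:
    """Build a minimal constructed ELF header (e_ident + e_type/e_machine/e_version)
    so the parser can be exercised offline. This is test scaffolding, not malware."""
    ident = bytearray(16)
    ident[0:4] = b"\x7fELF"
    ident[EI_CLASS] = 2 if bits == 64 else 1
    ident[EI_DATA] = 1 if little_endian else 2
    ident[6] = 1                       # EI_VERSION = EV_CURRENT
    ident[EI_OSABI] = osabi
    endian = "<" if little_endian else ">"
    return bytes(ident) + struct.pack(endian + "HHI", 2, machine, 1)  # ET_EXEC


if __name__ == "__main__":
    for label, hdr in [("constructed FreeBSD x86-64", make_header(9, 62)),
                       ("constructed Linux x86", make_header(0, 3, bits=32)),
                       ("constructed FreeBSD AArch64 BE", make_header(9, 183, little_endian=False))]:
        print(label, "->", elf_target(hdr))
```

On a real file the same call is `elf_target(open(path, "rb").read(64))`; the point of the check is to route a suspicious binary to the right sandbox (a FreeBSD image rather than a Linux one) before spending analyst time on it.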

What makes FreeBSD servers an interesting target?

FreeBSD is an operating system descended from the UNIX® lineage that originated at Berkeley. You can read more about it here. It is free, easy to install, and supports software for desktop, server, and embedded environments. See the list of platforms that FreeBSD supports.

FreeBSD has a 0.35% market share and 3,107 customers. That may sound unimpressive until you consider that major brands such as Apple, Oracle, Cisco, Dell, WhatsApp, and Microsoft Azure, along with various public services, rely on FreeBSD for their servers.

The top three products and services offering customers that use FreeBSD for Server and Desktop OS are Cloud Services (87), Higher Education (81), and Managed Services (80).

Source – 6sense.com

So, a successful ransomware attack on a FreeBSD server would have a massive impact on the organizations that depend on services and data from the brands I’ve mentioned.

On September 30th, 2024, Texas Tech University Health Sciences Center was tagged as a victim of Interlock. The ransomware attack caused TTUHSC to cancel classes in Amarillo, the Permian Basin, Abilene, Dallas, and El Paso. This was one of Interlock’s first claimed attacks.

How to keep servers safe from Interlock ransomware

Ransomware prevention is a set of endpoint security best practices that every organization should follow. Here are four of the most effective methods for keeping ransomware from entering your systems or spreading once inside:

  • Keep software up to date on all devices, servers included. Automated patch management tools, like Heimdal’s Patch and Asset Management, enable security teams to close known vulnerabilities before an attacker finds them in your systems.
  • Implement a Privileged Access Management (PAM) policy, supported by a professional PAM solution. This way you control who has access to sensitive data that hackers could target, when, and for how long.
  • Use a DNS security tool for DNS filtering. Some DNS filtering engines can spot malicious domains before they are reported as such. That is the case with Heimdal’s DNS security solution, which can determine with 96% accuracy whether a domain is harmful, and thus blocks malicious communication to and from the command-and-control server.
  • Ransomware encryption protection is one more layer that keeps ransomware attackers away. It is security software that detects ransomware regardless of signature: it quarantines files and processes as soon as it detects an encryption attempt. Read more about how it works here.
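The last bullet describes signature-less detection: rather than matching a known hash, the protection watches for the behaviour of encryption itself. One common behavioural signal is that ciphertext looks like random data, so a process that rewrites many files with near-maximum-entropy content in a short window is treated as an encryption attempt. The detector below is an added example of that idea, not Heimdal's product logic or any vendor's code; the file-write events it processes are constructed inline, and the entropy threshold, burst size and window are assumed tuning values.

```python
"""Behavioural (signature-less) detection of a file-encryption burst.
Added example with constructed events; thresholds are assumed, not vendor values."""
import math
from collections import Counter, defaultdict, deque

# Files that are high-entropy by nature (compressed or already encrypted);
# a single write to one of these is not by itself evidence of ransomware.
NATURALLY_RANDOM_SUFFIXES = (".zip", ".gz", ".xz", ".png", ".jpg", ".mp4", ".gpg")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


class EncryptionBurstDetector:
    """Raise an alert when one process writes >= burst_size high-entropy files
    within window_seconds. Each signal alone is weak (backups write random-looking
    data; a single encrypted file is normal), so the detector requires all three:
    high entropy, a file type that should not be random, and a rapid burst."""

    def __init__(self, entropy_threshold: float = 7.5, burst_size: int = 5,
                 window_seconds: float = 10.0):
        self.entropy_threshold = entropy_threshold
        self.burst_size = burst_size
        self.window_seconds = window_seconds
        self._suspicious_writes = defaultdict(deque)  # pid -> timestamps

    def observe(self, pid: int, path: str, content: bytes, ts: float) -> bool:
        """Record one file write; return True when this write completes a burst."""
        if path.lower().endswith(NATURALLY_RANDOM_SUFFIXES):
            return False
        if shannon_entropy(content) < self.entropy_threshold:
            return False
        window = self._suspicious_writes[pid]
        window.append(ts)
        while window and ts - window[0] > self.window_seconds:
            window.popleft()          # drop writes that fell out of the window
        return len(window) >= self.burst_size


# Constructed sample content: ordinary text versus data with maximal entropy.
PLAINTEXT = b"the quick brown fox jumps over the lazy dog " * 100
RANDOM_LIKE = bytes(range(256)) * 16   # every byte value equally often -> 8.0 bits


def run_sample() -> list:
    """Replay constructed write events; return (pid, path, ts) of each alert."""
    events = [
        (101, "/srv/share/report.docx", PLAINTEXT, 0.0),     # normal edit
        (101, "/srv/share/backup.zip", RANDOM_LIKE, 1.0),    # compressed, ignored
        (202, "/srv/share/invoice1.pdf", RANDOM_LIKE, 5.0),  # suspicious
        (202, "/srv/share/invoice2.pdf", RANDOM_LIKE, 5.4),
        (202, "/srv/share/invoice3.pdf", RANDOM_LIKE, 5.9),  # third in 10 s -> alert
        (202, "/srv/share/invoice4.pdf", RANDOM_LIKE, 6.1),  # still in burst
        (303, "/srv/share/old.txt", RANDOM_LIKE, 0.0),
        (303, "/srv/share/old2.txt", RANDOM_LIKE, 1.0),
        (303, "/srv/share/old3.txt", RANDOM_LIKE, 40.0),     # earlier two expired
    ]
    detector = EncryptionBurstDetector(burst_size=3, window_seconds=10.0)
    alerts = []
    for pid, path, content, ts in events:
        if detector.observe(pid, path, content, ts):
            alerts.append((pid, path, ts))
    return alerts


if __name__ == "__main__":
    for pid, path, ts in run_sample():
        print(f"t={ts:5.1f}s pid={pid} encryption burst detected at {path}")
```

In a real deployment the same `observe` call would be fed from a file-system audit source on the host, and an alert would trigger suspension of the process and quarantine of the touched files; the thresholds should be tuned against normal workload data because legitimate bulk operations such as compression or database checkpoints can produce high-entropy writes.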


Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.
