Heimdal

In the ever-evolving landscape of cyber threats, ransomware has emerged as a pervasive menace, causing widespread damage to individuals and organizations. While most ransomware attacks have historically targeted Windows systems, the rise of Linux ransomware has thrown a new curveball into the mix.

Renowned for its robust security features, Linux is no longer immune to the sinister clutches of ransomware. It is now imperative for organizations to understand the nature of Linux ransomware, recognize its potential impact, and proactively adopt measures to safeguard their valuable digital assets.

This article delves into the world of Linux ransomware, shedding light on the nature of these attacks, notable examples that have caused substantial disruptions, the methods employed by cybercriminals to exploit vulnerabilities, and, most importantly, how organizations can fortify their defenses against such threats.

What Is Linux Ransomware?

In general, Linux ransomware refers to a category of malware that targets computers running the Linux operating system, including distributions such as Ubuntu and Debian. The attack compromises a device or network, after which the malware identifies and encrypts crucial documents.

Exploiting loopholes in one of the most powerful operating systems in the world has the potential to generate many victims. Linux is also an entry point to valuable business data, so it’s no surprise that Linux systems are susceptible to ransomware.

Did you know that 2022 saw an increase of 75% in ransomware attacks that targeted Linux-based systems compared to the same period in 2021? These cybercriminals exploit cutting-edge encryption methods to extort individuals, destroy data, and harm companies’ reputations. If intruders manage to take over your Linux server, they can access confidential information and obstruct business activities, leading to downtime and financial losses. 

Why Is Linux Ransomware a Rising Concern?

Even though ransomware isn’t currently prevalent on Linux-based systems, Linux users should definitely not ignore it. 

Windows is the preferred operating system for desktop computers, but Linux rules the supercomputer and server markets. By 2029, the Linux computing market is anticipated to reach $22 billion. Linux is a popular choice for infrastructure for software development, making it a desirable target for attackers.

However, the primary reason Linux users should take ransomware seriously is that future assaults will probably concentrate more on Linux computers. As a result, the percentage of ransomware assaults that target Linux will increase, making it even more essential to safeguard your company. 

The Anatomy of a Linux Ransomware Attack

Ransomware attacks use diverse and sophisticated techniques to compromise Linux systems and extort money. Typically, Linux ransomware attacks include the following steps:

  • Initial Infection

Whereas Windows ransomware usually infects the target via email, Linux ransomware typically exploits system vulnerabilities or service flaws, and some varieties use vulnerability scanners to identify potential targets.

Once inside the Linux environment, the operator downloads a hidden ransomware executable and copies it to a local folder, then terminates and removes the download script.

The initial infection only affects the compromised web server, whereas privilege escalation extends the scope and impact of the attack.

  • Staging the Attack 

This step prepares the Linux ransomware to operate smoothly, for example by moving the malware to a new folder to establish persistence. The ransomware needs sufficient permissions to run at boot and in recovery mode, or to turn recovery mode off. The ransomware operator then communicates with the C2 server to obtain the public key used for encryption.

  • System Scanning 

Linux ransomware scans a compromised system for cloud storage repositories and file extensions of interest, and maps their locations.

  • Encryption 

With the target files mapped, the ransomware encrypts them using the key obtained from the C2 server. Before terminating and deleting itself, it displays a ransom note with payment instructions.

  • Extortion

The attackers wait for the victim to pay the ransom to an untraceable account in exchange for decrypting the locked files. As well as providing advice, ransomware recovery firms can sometimes find the decryption key.
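The scanning and encryption stages above have a footprint a defender can look for: one process rewriting many files of interest under a new extension within seconds, then dropping a ransom note. The following Python heuristic is an added example, not code from this article or from Heimdal’s products; the log format, process names, ransom-note name hints and the `.victimcorp` extension are all constructed for illustration.

```python
# Heuristic for the scanning/encryption stage of a Linux ransomware attack: flags a
# process that re-extensions many files of interest within seconds and drops a ransom
# note. Log format is constructed for this example: ts|pid|comm|action|path[|new_path].
from collections import defaultdict, namedtuple

# File types the article says ransomware hunts for (databases, archives, documents)
# and substrings typical of ransom-note names (assumed, not taken from the article).
TARGET_EXTS = {".db", ".sql", ".zip", ".tar", ".docx", ".xlsx", ".pdf"}
NOTE_HINTS = ("how_to_decrypt", "readme", "restore")
Event = namedtuple("Event", "ts pid comm action path new_path")

def parse_log(text):
    events = []
    for line in filter(str.strip, text.splitlines()):
        f = line.split("|") + [""]            # pad so create events get new_path=""
        events.append(Event(float(f[0]), int(f[1]), f[2], f[3], f[4], f[5]))
    return events

def ext(path):
    name = path.rsplit("/", 1)[-1]
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""

def detect(events, window=10.0, threshold=4):
    per_pid = defaultdict(list)
    for e in events:
        per_pid[e.pid].append(e)
    alerts = {}
    for pid, evs in per_pid.items():
        # Renames that replace a target extension with an unrecognised one, time-ordered.
        renamed = sorted((e for e in evs if e.action == "rename" and ext(e.path) in TARGET_EXTS
                          and ext(e.new_path) not in TARGET_EXTS), key=lambda e: e.ts)
        note = any(e.action == "create" and any(h in e.path.lower() for h in NOTE_HINTS) for e in evs)
        for i, first in enumerate(renamed):   # sliding time window over the renames
            burst = [e for e in renamed[i:] if e.ts - first.ts <= window]
            if len(burst) >= threshold:
                new_exts = sorted({ext(e.new_path) for e in burst})
                alerts[pid] = (f"{first.comm} (pid {pid}): {len(burst)} files re-extensioned to "
                               f"{new_exts} within {window}s" + (", ransom note dropped" if note else ""))
                break
    return alerts

# Constructed sample: one encryptor burst plus benign logrotate noise.
SAMPLE_LOG = """\
100.0|4242|enc|rename|/srv/data/customers.db|/srv/data/customers.db.victimcorp
100.5|4242|enc|rename|/srv/data/q1.xlsx|/srv/data/q1.xlsx.victimcorp
101.0|4242|enc|rename|/srv/data/backup.tar|/srv/data/backup.tar.victimcorp
102.0|4242|enc|rename|/srv/data/report.pdf|/srv/data/report.pdf.victimcorp
102.5|4242|enc|create|/srv/data/HOW_TO_DECRYPT.txt
105.0|900|logrotate|rename|/var/log/syslog|/var/log/syslog.1
"""
```

Running `detect(parse_log(SAMPLE_LOG))` flags pid 4242 only; the logrotate rename touches no target extension and is ignored.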

Linux Ransomware Attack Examples 

LockBit

LockBit is no stranger to ransomware attacks. Although it is one of the most prominent families of Windows ransomware, experts began detecting cases of LockBit Linux-ESXi Locker Version 1.0 on Linux computers in October 2021. In addition to using the Advanced Encryption Standard (AES) and Elliptic Curve Cryptography (ECC) algorithms for data encryption, LockBit can also log:

  • Information about the processor;
  • System volumes;
  • Virtual machines skipped;
  • Files encrypted and total files;
  • Encrypted virtual machines and total virtual machines;
  • Total encrypted size.

The LockBit variant contains the commands necessary to take several harmful steps, including suspending virtual machines, checking the status of data storage, and disabling autostart. Once installed, LockBit demands a ransom and threatens to release data if it is not paid.

RansomEXX

RansomEXX, a common Linux ransomware strain, has targeted high-profile organizations, including the Brazilian government and the Texas Department of Transportation. It is a 64-bit, C-based ELF binary compiled with GCC. As human-operated ransomware, it takes time to infect networks, steal credentials, and move laterally.

It uses a 256-bit key to encrypt files. Each malware sample has the target’s name hardcoded into it: both the email address used to contact the attacker and the extension appended to encrypted files contain the target’s name.

Tycoon

As of 2019, Tycoon has been targeting software companies, SMBs, and higher education institutions. The ransomware payload is a ZIP archive with a booby trap – a malicious JRE component that hackers hide in a Java image file.

Usually, attackers break into target systems via unsecured RDP ports, then deploy custom JRE builds and run shell scripts to encrypt the system. Tycoon scrambles target files with different AES keys and encrypts data with RSA-1024. Both Windows and Linux are vulnerable.

Erebus

Erebus initially targeted Windows but has since been adapted to Linux servers. It scans the server network for over 400 file types, including databases, archives, and documents, encrypts them using the RSA-2048, RC4, and AES cryptosystems, and provides ransom notes in multiple languages.

QNAPCrypt

QNAPCrypt typically spreads via spam emails or fake software activation tools and updates, and targets network-attached storage devices. SOCKS5 proxy connections allow the ransomware to exploit poor authentication practices. Once inside the system, it obtains an RSA public key from the attacker’s C2 server and starts encryption. Ransom notes are left in text files.

How Can Companies Protect Themselves From Linux Ransomware Attacks?

Linux ransomware attacks can be devastating for companies, but there are several steps they can take to protect themselves. Here are some important measures to consider: 

  1. Regularly update software and patches: Keep all Linux-based systems, applications, and software up to date with the latest security patches. Attackers can exploit vulnerabilities in outdated software.
  2. Implement strong access controls: Use strong passwords and two-factor authentication (2FA) to secure user accounts. Limit access privileges to only those who need them and regularly review and revoke unnecessary access.
  3. Employ robust backup and recovery strategies: Regularly back up critical data and ensure backups are stored securely offline or in a separate network. Test the backup and recovery process to verify its effectiveness.
  4. Regularly perform vulnerability assessments and penetration testing: Identify and address vulnerabilities in the system by conducting regular security assessments. Penetration testing can help identify weaknesses and provide insights for strengthening defenses.
  5. Develop an incident response plan: Create a detailed incident response plan that outlines steps to take in the event of a ransomware attack. This includes isolating affected systems, notifying relevant stakeholders, and engaging appropriate external support.
  6. Implement EDR: Endpoint detection and response (EDR) solutions collect security events and indicators of compromise (IOCs) from endpoint devices as part of their detection and response processes. Security personnel can use these IOCs to detect an attack in progress, although IOCs alone are not enough to fully characterize one. An EDR tool can also detect tunneling, where attackers covertly collect data and attempt to transfer it outside the network.

How Can Heimdal® Protect Your Business Against Linux Ransomware Attacks?

Heimdal’s Extended Detection & Response (XDR) has got you covered, even when dealing with complex, multi-vector attacks. Unlike typical point security systems, which work in silos, our XDR platform offers end-to-end unified security. With total visibility across your whole IT infrastructure made possible by this seamless connectivity, threats may be identified and dealt with more quickly and effectively. As a result, it takes far less time to find and fix security incidents. 



Author Profile

Gabriella Antal

SMM & Corporate Communications Officer


Gabriella is the Social Media Manager and Cybersecurity Communications Officer at Heimdal®, where she orchestrates the strategy and content creation for the company's social media channels. Her contributions amplify the brand's voice and foster a strong, engaging online community. Outside work, you can find her exploring the outdoors with her dog.
