Linux ransomware, an important concern

Although not a frequent target, and usually harder to exploit than other operating systems, Linux is not ransomware free. Mass ransomware attacks often target more popular operating systems, both among consumers with relatively fewer IT skills and businesses. However, targeted ransomware attacks go for a particular organization, so cyber criminals are looking to get a ransom irrespective of the operating systems in place. Thus, the organization that paid one of the highest ransom to recover files compromised by ransomware was the victim of a Linux ransomware variant.

Brief Linux ransomware history

The first known Linux ransomware variant is Linux.Encoder.1 and was identified back in 2015 when ransomware, as a significant phenomenon and security concern, had just started to rise. The impact of it was relatively low, but it was proof enough that Linux is not immune to ransomware, and that more variants are likely to appear in the following years.

One of the most significant attacks occurred in 2016 and infected a Nayana, a South-Korean web hosting company. The attack compromised over 150 Linux servers, owned by Nayana and affected over 3,000 websites belonging to Nayana customers. The ransomware used in this attack was a Linux variant of the Erebus ransomware, known for its impact on Windows operating systems. The attack vector was not identified; presumably, it is still related to exploiting vulnerabilities in the rather old Kernel versions used by the company at that time. The attackers demanded a ransom of over $4 M, but it was negotiated down to $ 1M in the end, one of the highest ransom known to be paid for recovering files.

Linux ransomware attack vectors

The attack vector of the first known Linux ransomware variant was vulnerability based. The ransomware spread by exploiting a vulnerability in a third-party Linux application. Similarly, the vector of the Erebus Linux variant is believed to be vulnerability related. Hence, there is an important difference between Linux and Windows ransomware variants: the Windows variants spread via email or malvertising and have a significant social engineering reliance, while Linux variants rely on exploiting vulnerabilities.

How can ransomware affect Linux machines?

Ransomware may affect Linux machines in two ways:

Directly, by infecting the computer with a Linux ransomware variant;
In general, ransomware exploits system vulnerabilities to gain root access to the computer or use vulnerabilities in popular Linux applications and services, like web servers and email servers, to compromise the associated files. An example of such a system vulnerability is the “Dirty cow” or “dirty copy-on-write” vulnerability that affected Linux and Android operating systems.

Indirectly, by infecting a Windows machine with write access to the files hosted on the Linux machine.
Reflected attacks, where a host is infected with ransomware and the malware attacks files on other computers using network shares or mapped drives, are quite common in both heterogeneous and non-heterogenous environments. In essence, if the user on Windows has “write” access, through a file sharing service, to the files on the Linux machine, then ransomware on Windows may encrypt the files on Linux, although the file system is different.

How to protect from ransomware on Linux

The ransomware protection advice for Windows applies for Linux as well, with a difference in priorities, given by the different vector of Linux ransomware.

Keep your system and applications up to date: this ensures most known vulnerabilities are addressed and greatly reduces the chance of a direct infection with a Linux ransomware variant;
Implement policies to secure the file sharing, especially between Linux and Windows. Avoid allowing write access for remote Windows users, to files hosted on Linux machines and, if not possible, implement restrictions and safeguards at file sharing protocol level. This reduces the chance of a Windows ransomware infection (more common than direct Linux ransomware infections) to affect files on Linux machines;
Maintain offline backups of your Linux files: this is the last line of defense in case things go wrong. Regular backups help recover from ransomware incidents with little file loss.


Linux malware increased in 2016 both in variants and rate of incidence (an independent report found that the number of attacks on Linux tripled). 2017 falls in the trend, and we are likely to see a further increase with ransomware having a significant contribution. Thus, it is essential to implement security controls to protect Linux machines as well.

For more information, follow us on social media and subscribe to our newsletter.

2 replies
  1. Martin Schultz
    Martin Schultz says:

    Indeed there is ransomware for Linux and it should be a concern for businesses heavily relying on Linux. However, there is little information about such ransomware and also about solutions to protect against it.
    From the advice above, training is something obvious, for sure, but when it comes to detecting and blocking ransomware, or at least monitoring suspicious file activity that may be related to ransomware, there are few solutions that can be easily adopted in large Linux environments.

  2. Calin_TEMASOFT
    Calin_TEMASOFT says:

    Indeed, the dedicated anti-ransomware technology did not make it on Linux yet. However, the file activity can be monitored via dedicated tools that also support Linux. TEMASOFT FileMonitor allows monitoring file activity on Linux machines.
    This may prove helpful in catching suspicious activity very fast.

Comments are closed.