The first known Linux ransomware variant, Linux.Encoder.1, was identified back in 2015, when ransomware as a significant phenomenon and security concern had just started to rise. Its impact was relatively low, but it was proof enough that Linux is not immune to ransomware and that more variants were likely to appear in the following years.
One of the most significant attacks occurred in 2016 and infected Nayana, a South Korean web hosting company. The attack compromised over 150 Linux servers owned by Nayana and affected over 3,000 websites belonging to Nayana customers. The ransomware used in this attack was a Linux variant of the Erebus ransomware, known for its impact on Windows operating systems. The attack vector was not identified; presumably, it is related to exploiting vulnerabilities in the rather old kernel versions used by the company at that time. The attackers demanded a ransom of over $4M, but it was negotiated down to $1M in the end, one of the highest ransoms known to have been paid for recovering files.
The attack vector of the first known Linux ransomware variant was vulnerability-based: the ransomware spread by exploiting a vulnerability in a third-party Linux application. Similarly, the vector of the Erebus Linux variant is believed to be vulnerability-related. Hence, there is an important difference between Linux and Windows ransomware variants: the Windows variants spread via email or malvertising and rely heavily on social engineering, while Linux variants rely on exploiting vulnerabilities.
Ransomware may affect Linux machines in two ways:
Directly, by infecting the computer with a Linux ransomware variant;
In general, ransomware exploits system vulnerabilities to gain root access to the computer, or uses vulnerabilities in popular Linux applications and services, like web servers and email servers, to compromise the associated files. An example of such a system vulnerability is the “Dirty COW” (dirty copy-on-write) vulnerability that affected Linux and Android operating systems.
Indirectly, by infecting a Windows machine with write access to the files hosted on the Linux machine.
Reflected attacks, where a host is infected with ransomware and the malware attacks files on other computers through network shares or mapped drives, are quite common in both heterogeneous and non-heterogeneous environments. In essence, if a Windows user has “write” access, through a file sharing service, to the files on the Linux machine, then ransomware on Windows can encrypt the files on Linux even though the file system is different.
The ransomware protection advice for Windows applies to Linux as well, with different priorities, given the different vector of Linux ransomware.
Keep your system and applications up to date: this ensures most known vulnerabilities are addressed and greatly reduces the chance of a direct infection with a Linux ransomware variant;
Implement policies to secure file sharing, especially between Linux and Windows. Avoid granting remote Windows users write access to files hosted on Linux machines and, where that is not possible, implement restrictions and safeguards at the file sharing protocol level. This reduces the chance of a Windows ransomware infection (more common than a direct Linux ransomware infection) affecting files on Linux machines;
Maintain offline backups of your Linux files: this is the last line of defense in case things go wrong. Regular backups help recover from ransomware incidents with little file loss.
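The reflected attack described above depends on a share that a Windows user can write to, and the advice is to restrict that at the file sharing protocol level. As an added example that is not from the original post, the following Python script audits a Samba `smb.conf` (a constructed sample is embedded inline) and flags every share a remote user could write to, resolving Samba's `read only` / `writeable` synonyms, the `[global]` defaults and `write list` overrides.

```python
# Audit a Samba smb.conf for shares that allow remote writes.
# Sample config is constructed for this example, not taken from any real host.
SAMPLE_SMB_CONF = """
[global]
workgroup = CORP
read only = yes

[public]
path = /srv/public
guest ok = yes
writeable = yes

[docs]
path = /srv/docs
read only = yes
write list = @editors

[archive]
path = /srv/archive
"""


def _truthy(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def parse_smb_conf(text: str) -> dict:
    """Minimal smb.conf parser: {section: {option: value}}, last value wins."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            shares.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, val = line.partition("=")
            key, val = key.strip().lower(), val.strip()
            # "writeable"/"writable" are inverse synonyms of "read only"
            if key in ("writeable", "writable"):
                key, val = "read only", "no" if _truthy(val) else "yes"
            shares[current][key] = val
    return shares


def audit_writable_shares(conf_text: str) -> dict:
    """Return {share: [findings]} for shares a remote user could write to."""
    shares = parse_smb_conf(conf_text)
    glob = shares.pop("global", {})
    findings = {}
    for name, opts in shares.items():
        # Samba defaults: read only = yes, guest ok = no, empty write list
        read_only = _truthy(opts.get("read only", glob.get("read only", "yes")))
        guest_ok = _truthy(opts.get("guest ok", glob.get("guest ok", "no")))
        write_list = opts.get("write list", glob.get("write list", "")).strip()
        issues = []
        if not read_only:
            issues.append("writable by every user allowed on the share")
            if guest_ok:
                issues.append("guest access allowed, so writes need no credentials")
        elif write_list:
            issues.append(f"read-only, but write list grants writes to: {write_list}")
        if issues:
            findings[name] = issues
    return findings
```

Running `audit_writable_shares(SAMPLE_SMB_CONF)` reports `public` (writable and open to guests) and `docs` (writable only for `@editors`), while `archive`, which inherits the global `read only = yes`, is not reported.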
Linux malware increased in 2016 both in number of variants and in rate of incidence (an independent report found that the number of attacks on Linux tripled). 2017 follows the same trend, and we are likely to see a further increase, with ransomware making a significant contribution. Thus, it is essential to implement security controls to protect Linux machines as well.
This post was last modified on August 21, 2023 7:27 am