Over the last year, ransomware has been on the rise and continues to target businesses across the globe every day. It was only a matter of time before people began asking about the security of their Linux-based systems, and recent findings confirm that more strains of Linux ransomware are circulating and infections are increasing.
If you are new to our site, here is a brief explanation of what ransomware is.
Ransomware is a form of malware that encrypts the files on your computer and demands money in exchange for the key needed to get your data back. In other words, you have to pay an outrageous sum to recover something that was already yours.
In a business environment, ransomware can be very destructive, very fast. An infection can quickly lock you out of business-critical files and applications, not just on the initially infected computer but across your entire network.
For many businesses, ransomware disrupts operations and results in costly downtime. Between the business lost while systems are down and the cost of getting the files back, it gets very expensive, very fast.
In 2017, WannaCry and GoldenEye made headlines for causing nightmares at organizations around the world. These strains differed from most ransomware in that they spread by exploiting a vulnerability (MS17-010, in the SMBv1 service) on unpatched versions of Microsoft Windows.
That exploit let the malware spread outward on its own, infecting many vulnerable machines across a network without anyone clicking anything. Most ransomware, by contrast, still requires an unsuspecting user to open a malicious email attachment or visit a website hosting malicious code.
Even without that self-spreading capability, ransomware can be very destructive when a single user has access to every file and folder on a network. Imagine a CPA whose account can reach every client's income and tax records: one wrong click puts not only the firm at risk but all of its clients as well. Scoping each account to the files its role actually needs limits how far a single infection can reach.
Honestly, most people are not surprised that ransomware has now expanded to Linux. One of the main reasons Linux ransomware has been nearly nonexistent so far is simply that criminals had not bothered to develop it.
More businesses than ever now run on Linux, but its share of desktops and user endpoints is a drop in the bucket compared to the number of machines running Windows. For attackers it has been more profitable and efficient to spend their time, money and resources on Windows ransomware.
There are constant online debates about whether Linux is more secure against ransomware. If you work in IT, you know that no software or OS is 100 percent bulletproof. By targeting Linux, cybercriminals are testing the waters to see what revenue streams can be created, and if recent attacks are any indication, Linux ransomware could be quite lucrative for them.
In June 2017, shortly after the WannaCry outbreak, a Linux-based ransomware attack resulted in an outrageous sum being paid to the attackers, yet it mostly stayed under the radar of major news organizations.
South Korean web host NAYANA was hit with ransomware that encrypted data on 153 Linux servers, disrupting 3,400 customer websites. Most ransom demands average under $2,000; this one asked for around $4.4 million in Bitcoin. The company negotiated it down and paid about $1 million, which is still outrageous.
The ransomware used in the attack is known as Erebus, a strain that previously targeted Windows systems and was recently modified for Linux. The infection's success on NAYANA's servers was likely due to unpatched software. Security firm Trend Micro wrote:
"We can only infer that Erebus may have possibly leveraged vulnerabilities or a local Linux exploit. For instance, based on open-source intelligence, NAYANA's website runs on Linux kernel 2.6.24.2, which was compiled back in 2008. Security flaws like DIRTY COW that can provide attackers root access to vulnerable Linux systems are just some of the threats it may have been exposed to. Additionally, NAYANA's website uses Apache version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006."
However the infection occurred, the incident was a clear sign that ransomware developers are now focusing on Linux systems. Because the attack produced a large payout, we can expect it to mark the beginning of a new surge of Linux ransomware attacks.
Here is a closer look at how Linux ransomware such as Erebus goes to work:
Once the information has been collected in GCONF, the ransomware sends it to its botnet's command-and-control servers.
2. Encryption can then begin. Erebus randomly generates keys on the local machine, then encrypts each key with an RSA-2048 public key carried in the malware, which makes decryption impossible without the attackers' RSA-2048 private key.
Each file encrypted by Erebus contains the following information:
It then renames each encrypted file with the .encrypt extension and, after encrypting the files in a folder, drops instruction files with the following names:
3. Lastly, it asks for payment. After it finishes encrypting files, Erebus deletes itself from the infected server. The decryption instruction file tells the victim to install the Tor Browser and lists several URLs for submitting payment.
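To make the key handling in step 2 concrete, here is an added illustration of the construction (my own example, not Erebus's code and not anything Trend Micro published): each file gets a fresh random symmetric key, the content is encrypted under it, and that key is wrapped with an RSA-2048 public key baked into the malware. It is the same envelope-encryption pattern legitimate tools such as age and PGP use. The page does not name Erebus's symmetric cipher, so AES-256-GCM is an assumption here, as are the function names and the blob layout; the input is a constructed byte string rather than a real file. The decryptor side shows why recovery depends entirely on the operator's private key, and therefore why the only vendor-independent way back is a backup.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// GenerateAttackerKey stands in for the key pair the ransomware operator holds.
// The public half ships inside the malware; the private half never leaves them.
// (Hypothetical helper for this illustration, not Erebus's own code.)
func GenerateAttackerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SealFile models step 2: a fresh random 256-bit key per file, the content
// encrypted under it (AES-256-GCM is assumed; the page does not name the
// symmetric cipher), and the per-file key wrapped with the RSA-2048 public key.
// Assumed blob layout: [2-byte wrapped-key length][wrapped key][12-byte nonce][ciphertext+tag]
func SealFile(plaintext []byte, pub *rsa.PublicKey) ([]byte, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Only the holder of the matching private key can unwrap fileKey again;
	// the per-file key itself is never written out in the clear.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, 2)
	binary.BigEndian.PutUint16(hdr, uint16(len(wrapped)))
	blob := append(hdr, wrapped...)
	blob = append(blob, nonce...)
	return gcm.Seal(blob, nonce, plaintext, nil), nil
}

// OpenFile is what the operator's decryptor does after payment: unwrap the
// per-file key with the private key, then decrypt the content. Without that
// private key the only thing that can bring the file back is a backup.
func OpenFile(blob []byte, priv *rsa.PrivateKey) ([]byte, error) {
	if len(blob) < 2 {
		return nil, errors.New("blob too short")
	}
	n := int(binary.BigEndian.Uint16(blob[:2]))
	if len(blob) < 2+n {
		return nil, errors.New("blob truncated")
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob[2:2+n], nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key: %w", err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	rest := blob[2+n:]
	if len(rest) < gcm.NonceSize() {
		return nil, errors.New("blob truncated")
	}
	nonce, ciphertext := rest[:gcm.NonceSize()], rest[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil) // fails on any tampering
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	priv, err := GenerateAttackerKey()
	if err != nil {
		panic(err)
	}
	doc := []byte("constructed sample: client tax return, FY2016") // stand-in for a victim's file
	blob, err := SealFile(doc, &priv.PublicKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d plaintext bytes -> %d bytes, %d of them the wrapped key\n",
		len(doc), len(blob), binary.BigEndian.Uint16(blob[:2]))
	// The victim holds the blob but not priv; any other key pair fails to unwrap it.
	other, _ := GenerateAttackerKey()
	if _, err := OpenFile(blob, other); err != nil {
		fmt.Println("without the operator's private key:", err)
	}
	got, err := OpenFile(blob, priv)
	if err != nil {
		panic(err)
	}
	fmt.Printf("with it: %q\n", got)
}
```

The practical consequence for defenders: a free decryptor only ever appears when the operator's private key leaks or the malware's own implementation is flawed (a predictable per-file key, a key left on disk, a weak wrapping). Neither can be counted on, so the recovery plan has to assume the encrypted files are gone.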
The best way to remove ransomware from an infected Linux server is to restore from a backup. Choose a recovery point from before the infection, and your files are back and the ransomware is gone. Before restoring, close the entry point (the unpatched service or the compromised account), or the restored server will simply be hit again.
However, depending on your backup system, you could run into problems:
Simply having a backup is not enough; how you back up your data is what matters. Don't rely on the guy down the hall, or on yourself, to be responsible for backing up your company's files. Let us handle your data backup to ensure it is done right the first time and every time.
We strongly encourage you to have a plan in place for these situations, whether for data backup, weather incidents or internal issues. It is vital to keep a copy of your data in another location, and one that an infected server cannot write to: a backup that is mounted on, or otherwise writable from, production can be encrypted along with everything else.
Regardless of operating system, most ransomware infections begin with a malicious email attachment being opened or a bad link being clicked. The best way to prevent infections in the first place is a training program that teaches employees to spot bad emails and practice safe browsing, paired with keeping servers patched, since the NAYANA case shows that on Linux the entry point is as likely to be an unpatched service as a user's click.