Ransomware is a major cybersecurity threat that can attack Linux systems. Cybercriminals use advanced encryption techniques to extort victims, cause data loss, and damage business reputations. If attackers can compromise your Linux server, they can access sensitive data and disrupt operations, causing downtime and financial losses.
Recovering from a ransomware attack can be difficult and expensive. Paying the ransom to restore the system does not guarantee that the attackers will fully restore your data and operations. Your business might suffer reputational damage and legal challenges even if you achieve a full recovery.
Thus, if you use a Linux system, it’s important to be aware of the ransomware risks and prepare for the possibility of an attack.
This is part of a series of articles about ransomware protection.
In this article:
While Linux ransomware only represents a small share of cyberattacks, there are several reasons to be concerned. As a Linux user, you must not overlook ransomware even if it is not yet common on Linux-based systems. While Windows is the favorite for desktops, Linux dominates the market for supercomputers and servers. The Linux computing market is projected to grow to $22 billion by 2029.
Linux is an attractive target for attackers because it is commonly used for software development infrastructure. 2022 saw an increase of 75% in ransomware attacks that targeted Linux-based systems compared to the same period in 2021. Another concern is the rise in ransomware that can move between different platforms, such as Linux, Android, and iOS.
However, the main reason to take ransomware seriously when using Linux is that future attacks will likely increasingly focus on Linux systems. Thus, the proportion of ransomware attacks targeting Linux will grow, making it more crucial to protect your business.
Learn more in our detailed guide to ransomware on Linux (coming soon)
Linux ransomware involves diverse and sophisticated techniques to compromise Linux systems and extort money. A ransomware attack usually includes the following steps.
While Windows ransomware usually infects the target via email, Linux ransomware exploits system vulnerabilities or service flaws that allow the attacker to compromise Linux system files. Some ransomware varieties use vulnerability scanners to identify potential targets.
Once inside the Linux environment, an operator downloads a hidden ransomware executable, which the attacker copies to a local folder before terminating and removing the script. The ransomware is now active in the environment.
Many Linux ransomware variations can escalate privileges, enabling the operator to access restricted system resources. The initial infection only impacts the compromised web server, while privilege escalation enlarges the attack’s scope and impact.
This step prepares the Linux ransomware to operate smoothly, performing tasks like moving the malware to new folders to establish persistence. The ransomware acquires permission to run in recovery mode and at boot or to disable recovery mode. The ransomware operator communicates with the C2 server to generate the public key to enable encryption.
The ransomware scans the compromised system for cloud file storage repositories and file extensions of interest and maps their locations.
The main damage occurs in this step (previous steps are reversible). The ransomware uses a random symmetric key (generated using the public key) to encrypt target files. Usually, the operator creates encrypted versions and deletes the original files. Ransomware can stay dormant in the Linux environment before implementing encryption.
The ransomware displays a ransom note with payment instructions before terminating and deleting itself. The attackers wait for the victim to pay the ransom to an untraceable account in exchange for decrypting the locked files. Ransomware recovery firms can provide advice and (sometimes) find a decryption key to recover the files.
RansomEXX is a common Linux ransomware attack that has targeted high-profile companies, including the Brazilian government and the Texas Department of Transportation. It is a 64-bit, C-based ELF binary compiled with GCC. As a human-operated ransomware, it requires time to infect networks, steal credentials, and move laterally.
Once activated, RansomEXX uses a 256-bit key to encrypt files. Each malware sample includes the target organization’s hardcoded name. The email address that contacts the attacker and the encrypted file extension have the target’s name.
Tycoon first appeared in 2019 when attackers targeted software companies, SMBs, and higher education institutions. The ransomware payload is a ZIP archive with a booby trap – a malicious JRE component. Hackers hide it by compiling it in a Java image file.
Attackers usually breach target systems via unsecured RDP ports. They create custom JRE builds and execute the Java objects with shell scripts to encrypt the system and leave a ransom note.
Tycoon scrambles the target files with different AES keys and encodes data with RSA-1024. Victims usually have 60 hours to pay the Bitcoin ransom. Windows and Linux are both vulnerable to Tycoon.
Erebus originally affected Windows, but hackers have since created ransomware targeting Linux servers. It scans the server network for over 400 types of files, including databases, archives, and documents. Erebus combines RSA-2048, RC4, and AES cryptosystems to encrypt files and provides multilingual ransom notes.
QNAPCrypt infects network-attached storage (NAS) devices, usually spreading via SPAM emails or fake software activation tools and updates. The ransomware exploits poor authentication practices via SOCKS5 proxy connections. Once inside the system, it obtains an RSA public key from the attacker’s C2 server to begin encryption. It leaves text-file ransom notes with personalized messages.
Phishing isn’t the most common attack vector for Linux ransomware, but it’s essential that all members of your business team receive comprehensive cybersecurity training to minimize the threat. Make sure your staff knows how to identify suspicious messages, avoid clicking unknown links, and that browsers and critical systems are regularly updated and patched.
To maximize your business’s chances of surviving a ransomware attack, it’s important to plan ahead. There are several steps you can take to prevent and recover from an attack:
Endpoint detection and response (EDR) solutions work by collecting security events and indicators of compromise (IOCs) from endpoint devices. These IOCs aren’t enough to identify an attack, but they can tell security personnel where to go to detect an attack in progress. EDR tools also help detect tunneling, where attackers surreptitiously collect data and try to transfer it outside the network.
When a solution detects an attack, it can take immediate action. EDR tools isolate endpoints so incident response teams can deal with issues without compromised systems affecting the rest of the network.
Cynet 360 is an Advanced Threat Detection and Response platform that provides protection against threats, including ransomware, zero-day attacks, advanced persistent threats (APT), and trojans that can evade signature-based security measures.
Cynet provides a multi-layered approach to stop ransomware from executing and encrypting your data:
Learn more about how Cynet 360 can protect your organization against ransomware and other advanced threats.