In light of the pandemic and the digital transformation of the last few years, most companies now allow employees to work from home. As a result, vital and confidential information is reachable from far more places than before. Every additional network access point is another potential entry point for an attack, and attackers are taking advantage of this.

Several security reports and warnings point out an increase in the number of cybercrimes after the beginning of the COVID-19 pandemic and the adoption of remote work.

According to the FBI, cyber-attacks caused losses of almost $4.2 billion in 2020, a 20 percent increase over the previous year. Recent reports from Verizon and Europol also find that digital attacks are booming.

One of the most recurring threats in these reports and warnings is the subject of this article: ransomware. Ransomware, one of the biggest digital threats today, is malware that encrypts data and systems and holds them hostage until a ransom is paid. It is a sophisticated threat that has evolved a lot over the years, adapting to different situations, platforms, and operating systems.

This article lists the most famous Linux ransomware attacks and explains how to protect your Linux-based operating system from ransomware.

Why is Linux a Target of Ransomware?

Linux is one of the most widely used operating systems, both on individual desktops and on the servers that organizations run, and that reach is the main reason criminals build ransomware for it. Exploiting loopholes in one of the largest operating systems on the planet can produce a lot of victims, and a compromised server is a way into valuable business information. When we discuss the gaps and flaws of operating systems, most of the time the problem is not the system itself but how it is managed and used. Verizon reports that brute-force attacks and stolen credentials are the most common vectors for ransomware; with Linux running about 74.2% of all web servers, exposed SSH and web services are an obvious place to try them. Phishing is also a major threat. Further vectors are misconfiguration, poor patch management, and untrained sysadmins.
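Because brute-force logins and stolen credentials head the list of vectors, the first thing to watch on a Linux server is sshd's own log. The script below is an added example, not code from the article: it runs over a handful of constructed auth.log lines, flags any source address that fails authentication five times within five minutes, and separately flags a successful login from an address already flagged, which is the signature of a brute force that worked. The sample lines and the thresholds are assumptions to tune per environment.

```python
"""Flag SSH brute-force activity in auth.log-style lines.

Added example (not from the original article): the log lines are
constructed to look like OpenSSH messages on a Debian-style host, and
the thresholds are assumptions a real deployment would tune.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (syslog format; sshd does not log the year).
SAMPLE_LOG = """\
Mar  3 02:14:01 web01 sshd[4121]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 02:14:03 web01 sshd[4121]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar  3 02:14:05 web01 sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51134 ssh2
Mar  3 02:14:07 web01 sshd[4121]: Failed password for invalid user oracle from 203.0.113.7 port 51140 ssh2
Mar  3 02:14:09 web01 sshd[4121]: Failed password for root from 203.0.113.7 port 51151 ssh2
Mar  3 02:14:12 web01 sshd[4140]: Accepted password for root from 203.0.113.7 port 51160 ssh2
Mar  3 02:20:40 web01 sshd[4202]: Accepted publickey for deploy from 198.51.100.23 port 40022 ssh2
Mar  3 02:31:15 web01 sshd[4290]: Failed password for deploy from 198.51.100.23 port 40031 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

FAIL_THRESHOLD = 5      # assumed: failures per source address within the window
WINDOW_SECONDS = 300    # assumed: sliding window length in seconds

def parse(lines):
    """Yield (timestamp, result, method, user, ip) for each sshd auth line."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        yield ts, m["result"], m["method"], m["user"], m["ip"]

def detect(lines, fail_threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS):
    """Return {source_ip: [alerts]} for sources that deserve a look.

    'bruteforce'                   at least fail_threshold failures within `window` seconds
    'success_after_bruteforce:...' an Accepted login from a source already flagged
    """
    failures = defaultdict(list)   # ip -> timestamps of failures still inside the window
    alerts = defaultdict(list)
    for ts, result, method, user, ip in parse(lines):
        if result == "Failed":
            # drop failures that have aged out of the sliding window
            failures[ip] = [t for t in failures[ip] if (ts - t).total_seconds() <= window]
            failures[ip].append(ts)
            if len(failures[ip]) >= fail_threshold and "bruteforce" not in alerts[ip]:
                alerts[ip].append("bruteforce")
        elif result == "Accepted" and "bruteforce" in alerts[ip]:
            alerts[ip].append(f"success_after_bruteforce:{user}:{method}")
    return {ip: found for ip, found in alerts.items() if found}

if __name__ == "__main__":
    for ip, findings in detect(SAMPLE_LOG.splitlines()).items():
        print(ip, findings)
```

On the sample data only 203.0.113.7 is reported: five failures in eight seconds, then a successful password login as root, which is exactly the case where `PermitRootLogin` and password authentication should not have been enabled. The single failure from 198.51.100.23 stays below the threshold.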

Ransomware Attacks on Linux Systems

The five Linux ransomware families below are the most notorious of recent years.

1. RansomEXX (Defray777)

RansomEXX, also known as Defray777, is one of the most prominent recent ransomware families with a Linux build. It hit several high-profile targets in 2020 and 2021, including:

  • The Brazilian government network.
  • The Texas Department of Transportation (TxDOT).
  • Konica Minolta.
  • IPG Photonics.
  • Tyler Technologies.

The Linux build of RansomEXX is a C-based 64-bit ELF binary compiled with the GNU Compiler Collection (GCC). It is human-operated ransomware: the threat actors first spend time compromising the network, stealing credentials and spreading across multiple devices, and only then deploy the encryptor. Files are encrypted with AES, and the AES key is in turn encrypted with an embedded RSA-4096 public key; the sample also runs a thread that regenerates and re-encrypts the AES key roughly every second.

Unlike most Trojans, RansomEXX has no:

  • C&C (C2) communication.
  • Termination of running processes.
  • Anti-analysis tricks and traps.

RansomEXX is a highly targeted attack. Each sample contains the hardcoded name of the victim's organisation, which is used both as the extension of the encrypted files and in the email address for contacting the attackers.
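Two artefacts follow from the description above: a set of files renamed to one extension the host has never used (derived from the victim's name), and file contents that are now ciphertext. The script below is an added example, not code from the article or from any analysis of the malware. It walks a directory tree, groups files by extension, ignores extensions on a known-good list, and reports any unknown extension that appears on several files whose leading bytes have the near-maximal entropy that encrypted data has. The sample tree, the hypothetical `.acme` extension, and the thresholds are all constructed for the demo.

```python
"""Triage a directory tree for RansomEXX-style encryption artefacts.

Added example, not code from the article or from any malware analysis
report. It looks for many files renamed to one previously unseen
extension whose contents have the near-maximal byte entropy of
ciphertext. The sample tree is constructed in a temporary directory;
the thresholds are assumptions to tune per environment.
"""
import math
import os
import tempfile
from collections import Counter, defaultdict
from pathlib import Path

KNOWN_EXTENSIONS = {".txt", ".csv", ".log", ".conf", ".py", ".sql", ".gz", ".jpg", ".html"}
ENTROPY_THRESHOLD = 7.5   # bits/byte; assumed cut-off (plain text is roughly 4-5)
MIN_FILES = 3             # assumed: the extension must appear on at least this many files

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def triage(root, known=KNOWN_EXTENSIONS, entropy_threshold=ENTROPY_THRESHOLD,
           min_files=MIN_FILES, sample_bytes=4096):
    """Return {extension: [relative paths]} for unknown extensions that appear on
    at least `min_files` files whose first `sample_bytes` look encrypted."""
    by_ext = defaultdict(list)
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        ext = path.suffix.lower()
        if not ext or ext in known:
            continue
        with open(path, "rb") as fh:
            head = fh.read(sample_bytes)
        if shannon_entropy(head) >= entropy_threshold:
            by_ext[ext].append(str(path.relative_to(root)))
    return {ext: sorted(paths) for ext, paths in by_ext.items() if len(paths) >= min_files}

def build_sample_tree(root):
    """Constructed sample: files 'encrypted' and renamed with a victim-name
    extension (.acme, hypothetical) next to untouched files."""
    root = Path(root)
    (root / "db").mkdir()
    (root / "www").mkdir()
    # os.urandom stands in for ciphertext: uniformly random bytes, entropy close to 8
    for name in ("db/orders.sql.acme", "db/users.sql.acme",
                 "www/index.html.acme", "www/logo.jpg.acme"):
        (root / name).write_bytes(os.urandom(4096))
    (root / "www/notes.txt").write_text("plain text, low entropy\n" * 50)
    (root / "db/schema.sql").write_text("CREATE TABLE t (id INT);\n" * 20)
    # a legitimate compressed file is also high-entropy, but its extension is known
    (root / "www/bundle.gz").write_bytes(os.urandom(2048))
    # a ransom note: unknown extension, but readable text, so low entropy
    (root / "README.acme-note").write_text("Your files are encrypted. Contact us.\n" * 10)
    return root

def run_demo():
    """Build the sample tree in a temp dir and return the triage result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        return triage(root)

if __name__ == "__main__":
    for ext, paths in run_demo().items():
        print(f"{ext}: {len(paths)} high-entropy files, e.g. {paths[:3]}")
```

The entropy check is what separates a mass rename from real encryption: the ransom note carries an unknown extension but is plain text, and the compressed archive is high-entropy but carries a known extension, so only the four `.acme` files are reported. On a live host, run it against a copy or a read-only mount rather than the affected filesystem.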

2. Tycoon

Tycoon is one of the more widespread Linux ransomware families of recent years. The first cases appeared in late 2019, when the attackers went after:

  • Higher education organizations.
  • Companies in the software industry.
  • Small and midsize businesses.

The Tycoon payload is a booby-trapped ZIP archive containing a malicious Java Runtime Environment (JRE) component. The attackers compile the ransomware into a Java image (JIMAGE) file to hide it from casual inspection.

Typically, the Tycoon operators breach a system through an unsecured remote desktop protocol (RDP) port. Once inside, they drop a Java image with a custom JRE and launch the Java payload from a shell script. The payload encrypts the system and leaves a configuration file carrying the ransom message; the victim is given 60 hours to pay in Bitcoin for the key. Tycoon affects both Windows and Linux systems.
3. Erebus

Erebus gained notoriety in 2017 after it infected a South Korean web hosting company. The breach affected 153 Linux servers and over 3,400 websites, and the company agreed to pay the equivalent of about $1 million in Bitcoin to restore its infrastructure, the highest known ransomware payout at the time.

Initially Erebus was a Windows threat that used a User Account Control (UAC) bypass. Its authors later repurposed it into ransomware targeting Linux servers. Once on a server, Erebus scans for more than 400 file types to encrypt, including:

  • Databases.
  • Archives.
  • Documents.
  • Multimedia files.

Erebus combines RSA-2048, AES, and RC4 for encryption. Its ransom note is multilingual, which shows the attackers expected victims across many countries.

4. QNAPCrypt

QNAPCrypt first appeared in July 2019 and is spread via:

  • Spam email campaigns carrying malicious attachments (typically Office documents, ZIP or RAR archives, executables, PDFs, and JavaScript files).
  • Unofficial software activation tools.
  • Fake software updates.

QNAPCrypt also relies on weak authentication in the connections it makes through a SOCKS5 proxy. Once the attackers gain access to a system and execute the payload, the ransomware contacts its C2 server for an RSA public key and starts encrypting files.

The ransom note is a text file with a personalized message demanding payment in Bitcoin; each attack uses a different Bitcoin wallet.
5. KillDisk

Like Erebus before it, KillDisk began as a Windows-only threat and expanded to Linux environments in January 2017.

The Linux version of KillDisk overwrites the GRUB bootloader so that the target system no longer boots; the ransom note is displayed full-screen in its place and demands payment in Bitcoin. Because of how the program works, some security researchers believe paying is futile, as the data is likely unrecoverable.

The No More Ransom Project

If your Linux system has been hit by ransomware, do you know what to do?

First, do not pay the ransom; law-enforcement agencies and security companies consistently advise against it. Start by seeking expert advice. The No More Ransom Project (NMR), launched in 2016, brings together leading law-enforcement agencies, security companies, and other organizations to combat ransomware.

NMR provides free decryption tools to victims whose ransomware family has a known decryptor, and is estimated to have helped over 200,000 victims recover their data.

Tips for Preventing Linux Ransomware Attacks

When dealing with ransomware, prevention is far cheaper than remediation. Follow server security best practices to close the vectors described above: keep systems patched, lock down remote access and credentials, and keep tested backups that an attacker on the server cannot reach. See the Guide to Preventing & Detecting Ransomware for the full list. Knowing what Linux ransomware can do, and applying these tips, will keep your data safer and make life harder for attackers.
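One concrete check that follows from the vectors named earlier (brute force and stolen credentials) is the SSH daemon configuration. The script below is an added example, not part of the article or the linked guide: it parses an sshd_config the way sshd reads it (the first occurrence of a keyword wins) and compares the effective settings with a small hardening baseline, reporting findings for a weak configuration and confirming that the hardened one is clean. Both configurations and the baseline are constructed assumptions to adapt to local policy.

```python
"""Audit an sshd_config for the settings that feed brute-force and
credential-theft intrusions.

Added example, not from the article or any linked guide. The two
configurations are constructed; the baseline reflects common hardening
advice and is an assumption to adapt to local policy. The defaults
listed are those of current OpenSSH when the keyword is absent.
"""

# Baseline: keyword -> (acceptable values, sshd default when the keyword is absent)
BASELINE = {
    "PermitRootLogin":        ({"no"}, "prohibit-password"),
    "PasswordAuthentication": ({"no"}, "yes"),
    "PubkeyAuthentication":   ({"yes"}, "yes"),
    "PermitEmptyPasswords":   ({"no"}, "no"),
    "MaxAuthTries":           ({"1", "2", "3"}, "6"),
    "X11Forwarding":          ({"no"}, "no"),
}

WEAK_CONFIG = """\
# constructed: a typical out-of-the-box server plus an unwise edit
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# the line below is ignored by sshd: the first occurrence above wins
PermitRootLogin no
X11Forwarding yes
"""

HARDENED_CONFIG = """\
# constructed: the same host after hardening
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
X11Forwarding no
"""

def parse_sshd_config(text):
    """Return {keyword: first value} with keywords lower-cased, as sshd does.

    Match blocks are not modelled: scanning stops at the first 'Match'
    line, because settings inside it apply only conditionally.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if key not in effective and len(parts) == 2:
            effective[key] = parts[1].strip()
    return effective

def audit(text, baseline=BASELINE):
    """Return a list of (keyword, effective_value, acceptable_values) findings."""
    effective = parse_sshd_config(text)
    findings = []
    for key, (acceptable, default) in baseline.items():
        value = effective.get(key.lower(), default)
        if value.lower() not in acceptable:
            findings.append((key, value, "/".join(sorted(acceptable))))
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "OK")
```

The weak configuration yields four findings, including `MaxAuthTries`, which is never mentioned in the file and therefore silently keeps sshd's default of 6; absent keywords are as much a part of the effective configuration as present ones. On a real host, `sshd -T` prints the effective settings and is the authoritative source to feed into a check like this.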

About The Author

By omurix

XIII. Unidentified Society
