What is Linux ransomware? how to avoid it


Protecting your business from ransomware is challenging, especially when using multiple operating systems, each with its own level of security and risk. Employees may be using a combination of Windows, MacOS, Linux and mobile operating systems, making it difficult to ensure the consistency of your business security.
 
This article covers Linux ransomware: what it is, how dangerous it is, and what can be done to prevent it. Let's find out together!

What is Linux ransomware?

Linux ransomware is a type of malware that can attack systems based on the Linux operating system (including distributions such as Ubuntu and Debian). This type of attack will infiltrate a device or network, identify important documents, and encrypt them.

Typically, the first time an attack is noticed is when a message is sent asking for payment to return encrypted files. For an individual, this is scary, but for a business, it can cause irreparable damage to operations and customer trust.

Harmful effects of Linux ransomware

Linux ransomware uses diverse and sophisticated techniques to compromise Linux systems and extort money. Typically a ransomware attack includes the following steps:

Step 1: Exploit vulnerabilities

While Windows ransomware typically infects targets via email, Linux ransomware exploits system vulnerabilities or service errors that allow attackers to compromise Linux system files. Some types of ransomware use vulnerability scanners to identify potential targets.

Once inside the Linux environment, the attacker downloads a hidden ransomware executable, copies it to a local folder, and then terminates and deletes the download script. The ransomware is now active in the environment.

Many variants of Linux ransomware can escalate privileges, giving operators access to restricted system resources. The initial infection affects only the compromised web server; privilege escalation widens the scope and impact of the attack.

Step 2: Install the attack

This step prepares the ransomware to operate reliably, for example by moving the malware to new folders to establish persistence. The ransomware obtains permission to run in recovery mode and at recovery-mode startup or shutdown. The ransomware operator then contacts the C2 server to generate a public key that enables encryption.

Step 3: Scan the system

The ransomware scans the compromised system for cloud file stores and file extensions of interest, and maps their locations.

Step 4: Encryption

The main damage occurs in this step (the previous steps are reversible). The ransomware uses a random symmetric key (generated using the public key) to encrypt the target files. Usually, it writes encrypted copies and deletes the original files. Some ransomware does not function in a Linux environment until encryption is implemented.

Step 5: Blackmail

The ransomware displays a ransom message with payment instructions before terminating and deleting itself. Attackers threaten victims and wait for them to pay a ransom to an untraceable account in exchange for decrypting the locked files. Ransomware recovery companies can offer advice, negotiate, or sometimes find the decryption key themselves to recover files.
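The scanning and encryption behaviour described in Steps 3 and 4 leaves traces a defender can look for: many documents suddenly carrying the same unfamiliar appended extension, with contents whose byte entropy is close to random. The following Python script is an added example (not from the original article or any product it mentions) that walks a directory tree and flags clusters of such files; the extension `.corp_locked` and the sample files are constructed for the demonstration.

```python
"""Flag ransomware-style mass encryption in a directory tree (added example)."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Document extensions ransomware typically targets (constructed sample set).
DOC_EXTS = {".docx", ".xlsx", ".pdf", ".sql", ".db", ".zip", ".txt"}


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0); encrypted data is near 8."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_tree(root: str, min_hits: int = 3, entropy_floor: float = 7.5) -> dict:
    """Return {appended_ext: [paths]} for clusters of suspicious files.

    A file is suspicious when a known document extension is followed by an
    unknown one (report.docx.corp_locked) AND its contents look encrypted.
    Clusters smaller than min_hits are dropped to avoid single-file noise.
    """
    hits: dict[str, list[str]] = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        suffixes = [s.lower() for s in path.suffixes]
        if len(suffixes) < 2 or suffixes[-2] not in DOC_EXTS or suffixes[-1] in DOC_EXTS:
            continue
        if byte_entropy(path.read_bytes()) < entropy_floor:
            continue  # double extension but low entropy: e.g. an uncompressed archive
        hits.setdefault(suffixes[-1], []).append(str(path))
    return {ext: paths for ext, paths in hits.items() if len(paths) >= min_hits}


def build_sample_tree() -> str:
    """Constructed sample: four 'encrypted' documents plus benign files."""
    root = tempfile.mkdtemp()
    for i in range(4):
        Path(root, f"report{i}.docx.corp_locked").write_bytes(os.urandom(4096))
    Path(root, "notes.txt").write_text("quarterly notes\n" * 50)      # single extension
    Path(root, "backup.sql.gz").write_bytes(b"\x1f\x8b" + b"\x00" * 1000)  # low entropy
    Path(root, "README_TO_RESTORE.txt").write_text("your files ...")     # ransom-note style
    return root


if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```

Run it periodically (or from a file-integrity job) against shares and backup targets; a non-empty result is a trigger to isolate the host and check backups, not proof of infection on its own.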


Types of Linux ransomware

1. Erebus

Erebus initially affected Windows, but its operators later created a version targeting Linux servers. It scans the server's network for over 400 file types, including databases, archives, and documents. Erebus combines the RSA-2048, RC4, and AES cryptosystems to encrypt files and displays multilingual ransom notes.

2. RansomEXX

RansomEXX is a well-known Linux ransomware that has targeted prominent organizations, including the Brazilian government and the Texas Department of Transportation. It is a 64-bit, C-based ELF binary compiled with GCC. As human-operated ransomware, it takes time to infect the network, steal credentials, and move laterally.

Once activated, RansomEXX uses a 256-bit key to encrypt files. Each malware sample includes the hardcoded name of the target organization, the attacker's contact email address, and an encrypted-file extension containing the target's name.

3. Tycoon

Tycoon first appeared in 2019, when attackers targeted software companies, SMBs, and higher-education institutions. The ransomware payload is a booby-trapped ZIP archive containing a malicious JRE component, which the attackers hide by compiling it into a Java image file.

Attackers often compromise target systems through unsecured RDP ports. They create custom JRE builds and use shell scripts to execute the Java objects that encrypt the system and leave a ransom note.

Tycoon scrambles target files with different AES keys and encrypts data with RSA-1024. Victims typically have 60 hours to pay the Bitcoin ransom. Windows and Linux are both vulnerable to Tycoon.

4. QNAPCrypt

QNAPCrypt infects network-attached storage (NAS) devices and is often spread through spam emails or fake software activation tools and updates. The ransomware exploits weak authentication through SOCKS5 proxy connections. Once in the system, it obtains the RSA public key from the attacker's C2 server to begin encryption. It leaves ransom notes in text files with personalized messages.

Protection against Linux ransomware

Linux ransomware is a growing threat, especially for business users. Actions you should take to protect your business against ransomware attacks include:

- Data backup: Keeping secure data backups is important to minimize the potential damage of an attack.

- Install updates regularly: All servers and endpoints must be updated. Security patches and software fixes should always be installed as soon as they become available.

- Restrict access: By policy, user account permissions must be kept to a minimum. People should have access only to the files and applications needed to complete their work.

- Provide cybersecurity training to employees: To minimize human error, it is important that all employees receive basic cybersecurity training. Avast's cybersecurity quizzes will help you gauge your employees' understanding and identify weaknesses that can be improved through training.

- Establish a security strategy: Many attacks rely on human error to gain access to the network. This risk can be significantly reduced by implementing a security strategy that includes employee training, security software, and best practices for strong passwords, secure email, and endpoint security.

- Conduct regular testing and vulnerability assessments: The system needs to be carefully monitored and evaluated periodically. Event logs must be reviewed as part of this process to identify suspicious activity.

- Have a response plan: In the same way an office has a fire safety plan, a ransomware strategy should be in place to ensure that employees know what to do in the event of an attack. The aim is to minimize damage and ensure a smooth recovery.

- Use anonymous online tools such as SMSer.net (receive SMS online), Smailpro.com (temp mail), Ugener.com (fake name generator), and Cardgener.com (random credit card number generator) to protect your real personal information.


Conclusion

Linux ransomware is extremely dangerous malware for organizations, businesses, and individuals. It is important to raise awareness about malware and use preventative measures to improve security against harmful agents. Thank you!
