Linux and the Rise of Ransomware

Ransomware on the Linux Platform

Times are changing when it comes to Linux malware. For a long time we have had backdoors, PHP shells, and even rootkits. It won't be long before ransomware catches up on the Linux platform as well. We hope you are reading this to counter the threat, not because it is already too late.

Ransomware invasion

Ransomware is a little devil. It encrypts your valuable data and locks it with a generated key. That key is sent to the operator of the ransomware, who keeps it safe. The key is released upon payment, together with a decryption utility. And surprisingly, the bad guys deliver each time: they know that people will only keep paying as long as victims get their data back.

The sudden spike in ransomware is most likely caused by a combination of factors. Each of them was an existing technology on its own; combined, they make a good recipe for evildoers. Data keeps growing, and companies now consider it one of their biggest assets. The spread of internet access and falling prices helped. Add Bitcoin to the mix and you have anonymous payments. This combination makes it ideal to infect people, encrypt their precious data, and finally ask them to pay in Bitcoin.

Why Linux?

In every market where there is money to be made, competition increases over time, until the point where everyone has to drop prices, go out of business, or both. The Microsoft Windows platform already had its fierce competition. Now macOS and Linux are next.

A proof of concept (PoC) is already available for Linux. It is called BashCrypt and comes with everything you need to set up a ransomware infrastructure. It includes the code to run on the compromised system and also the server-side code that receives status updates and payments.

[Screenshot: BashCrypt asking a victim to pay (proof of concept)]

Defending against ransomware

Staying free of ransomware is hard, especially if there are many people working in your company. We all (should) know by now that you don't open strange attachments. But it still happens. User awareness is key, and it is something we will have to keep working on.

If you have a Linux server that acts as the mail server for your environment, it makes sense to test some ransomware samples and see if they are detected by the existing anti-virus solution. If not, that is the first place to improve. You might want to go beyond relying on a free open source scanner like ClamAV alone, and add a second scanner on top of it.
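A practical way to start that test, before you go near real samples, is to check that the scanner on the mail host flags a known test file at all. The script below is an added example and is not part of the original post or of any scanner project. It writes the standard EICAR anti-virus test string (a harmless 68-byte file that every mainstream scanner is expected to detect) and scans it with clamscan, interpreting clamscan's documented exit codes (0 clean, 1 malware found, 2 error). The function names are my own; the script assumes clamscan is on the PATH and treats its absence as "inconclusive" rather than as a pass.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the scanner on a
# Linux mail host actually flags a known test sample, using the EICAR test
# string. clamscan exit codes: 0 = clean, 1 = malware found, 2 = error.

# Write the 68-byte EICAR test string to $1 (no trailing newline).
write_eicar() {
    printf '%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > "$1"
}

# Scan one file. Returns 0 if the scanner flagged it, 1 if it was missed,
# 2 if clamscan is not available or errored (inconclusive, not a pass).
scanner_detects() {
    file="$1"
    if ! command -v clamscan >/dev/null 2>&1; then
        echo "clamscan not found; cannot verify detection" >&2
        return 2
    fi
    if clamscan --no-summary "$file" >/dev/null 2>&1; then rc=0; else rc=$?; fi
    case "$rc" in
        1) return 0 ;;   # flagged: the scanner works on this sample
        0) return 1 ;;   # scanned clean: a detection gap to fix
        *) return 2 ;;   # scanner error (e.g. missing signature database)
    esac
}

# Full check: create the sample in a temp dir, scan it, clean up, report.
# Returns the scanner_detects status so it can be used from cron or CI.
check_mail_scanner() {
    dir=$(mktemp -d)
    write_eicar "$dir/eicar.com"
    if scanner_detects "$dir/eicar.com"; then status=0; else status=$?; fi
    rm -rf "$dir"
    case "$status" in
        0) echo "OK: test sample detected" ;;
        1) echo "FAIL: test sample NOT detected - add or update a scanner" ;;
        *) echo "INCONCLUSIVE: scanner unavailable or errored" ;;
    esac
    return "$status"
}

check_mail_scanner
```

The EICAR file only proves that scanning happens on this host and that signatures load; it says nothing about how well the engine handles real ransomware droppers. Run it as a baseline, then repeat the exercise with samples through the actual mail path (MTA plus milter or content filter), since a scanner that works on the command line can still be bypassed by an integration that never hands it the attachment.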

In the event you become a victim of ransomware, you have two options: pay, or restore. Giving money to the bad guys is a bad idea. It keeps financing them, which results in more ransomware. Restoring your data is the better option. So make sure you have good backups, and check them regularly. Why wait? Check now and see if you can actually restore some of your most important data.
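"Check them regularly" means more than confirming a backup file exists: a backup that cannot be restored is as useless as an encrypted disk. The script below is an added example, not something from the original post, showing one way to automate that check on a Linux box with tar and sha256sum. It takes a backup of a directory together with a checksum manifest, restores the archive into a scratch directory, and compares every file against the manifest. The demo data (a fake config file and document) and a deliberately truncated copy of the archive are constructed inline so the failure path is exercised as well; function names and paths are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): a restore test for a backup.
# Instead of trusting that a backup "exists", restore it into a scratch
# directory and compare file checksums against a manifest taken at backup
# time. All sample data below is constructed for the demo.

# Back up directory $1 into archive $2 and write a sha256 manifest to $3.
# The manifest is the reference the restore test compares against, so
# store it separately from the archive (ideally offline or on another host).
take_backup() {
    src="$1"; archive="$2"; manifest="$3"
    (cd "$src" && find . -type f -exec sha256sum {} +) > "$manifest"
    tar -czf "$archive" -C "$src" .
}

# Restore archive $1 into a fresh scratch dir and verify every file listed in
# manifest $2 (absolute path). Returns 0 when all files are present and
# unchanged, 1 when the archive is unreadable or any checksum differs.
verify_restore() {
    archive="$1"; manifest="$2"
    scratch=$(mktemp -d)
    if ! tar -xzf "$archive" -C "$scratch" 2>/dev/null; then
        echo "restore failed: archive unreadable" >&2
        rm -rf "$scratch"; return 1
    fi
    if (cd "$scratch" && sha256sum -c "$manifest" >/dev/null 2>&1); then
        rm -rf "$scratch"; return 0
    fi
    echo "restore failed: checksum mismatch or missing file" >&2
    rm -rf "$scratch"; return 1
}

# End-to-end demo: constructed sample data, a good backup that must verify,
# and a damaged copy of the archive that the check must reject.
# Returns 0 only if both outcomes are as expected.
demo_backup_check() {
    work=$(mktemp -d)
    mkdir -p "$work/data/etc" "$work/data/home"
    printf 'server config\n' > "$work/data/etc/app.conf"
    printf 'important document\n' > "$work/data/home/report.txt"

    take_backup "$work/data" "$work/backup.tgz" "$work/backup.sha256"

    if verify_restore "$work/backup.tgz" "$work/backup.sha256"; then good=0; else good=1; fi
    echo "intact backup restores cleanly: $([ "$good" -eq 0 ] && echo yes || echo no)"

    # Simulate a damaged backup by keeping only the first 100 bytes.
    head -c 100 "$work/backup.tgz" > "$work/damaged.tgz"
    if verify_restore "$work/damaged.tgz" "$work/backup.sha256"; then bad=0; else bad=1; fi
    echo "damaged backup is rejected: $([ "$bad" -eq 1 ] && echo yes || echo no)"

    rm -rf "$work"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

demo_backup_check
```

Against ransomware specifically, the manifest matters as much as the archive: if an attacker encrypts the live data and the next scheduled backup happily archives the encrypted files, a restore test that only checks "does the archive extract" still passes. Comparing against checksums recorded when the data was known good, and keeping enough older generations to roll back past the infection, is what turns a backup into an actual recovery option.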

Stay safe and till the next post.

Got any experience with ransomware on Linux? Share it in the comments.




  • Noneyabusiness

    The people creating these “proof of concept” programs are almost as bad as the criminals themselves. They create malicious, destructive software and then release it. Yeah, that’s smart. They just sound like they are desperate for attention: “oh look at what I created, I’m so smart”. Idiots.

    • You might be right, part of it may be attention seeking. However, sometimes people have this kind of assignment from their college or university, or they are legitimate researchers. They share it to show people that the threat is real and more than a theory.
