Linux and the Rise of Ransomware

Ransomware on the Linux Platform

Times are changing when it comes to Linux malware. For a long time we have had backdoors, PHP shells, and even rootkits. But it won’t take long before ransomware catches up on the Linux platform. We hope you are reading this to counter the threat, not because it is already too late.

Ransomware invasion

Ransomware is a little devil. It encrypts your valuable data and protects it with a generated key. This key is then forwarded to the maker of the ransomware, where it is safeguarded. The key is released upon payment, together with a decryption utility. And surprisingly, the bad guys deliver each time: they know that this way people will keep paying after ransomware intrusions.

The sudden spike in ransomware is most likely caused by a combination of factors. Each factor on its own was an existing technology; combined, they make a good recipe for evildoers. There is the growth of data, which companies now consider one of their biggest assets. The spread of internet technology and falling prices helped. And if you add Bitcoin into the mix, you have anonymous payments. This combination makes it ideal to infect people, encrypt their precious data, and finally ask them to pay in Bitcoins.

Why Linux?

In every market where there is money to be made, there will be more competition over time, until the point where everyone has to drop prices, or go out of business (or both). The Microsoft Windows platform already had its fierce competition. Now macOS and Linux are next.

A proof of concept (PoC) is already available for Linux. It is called BashCrypt and comes with everything you need to set up a ransomware infrastructure. It includes the code that runs on the compromised system and also the code for the server side, to receive status updates and payments.

Defending against ransomware

Staying free of ransomware is hard, especially if there are many people working in your company. We all (should) know by now that you don’t open strange attachments. But it still happens. User awareness is key, and it is something we will have to keep working on.

If you have a Linux server which acts as a mail server for your environment, then it makes sense to test some ransomware samples and see if they are detected by the existing anti-virus solution. If not, that is the first place to improve. You might want to go beyond a free open source anti-virus like ClamAV and add a second scanner on top of it.

In the event you become a victim of ransomware, you have two options: pay, or restore. Giving money to bad guys is actually a bad thing to do. It keeps financing them, resulting in more ransomware. It is better to restore your data. So make sure you have good backups, and check them regularly. Why wait? Check now and see if you can restore some of your most important data.

Stay safe and till the next post.

Got any experience with ransomware on Linux? Share it in the comments.


Take the next step!

Want to learn more about Linux security? Have a look at the open source tool Lynis and become a Linux expert yourself.

Lynis is a battle-tested technical security audit tool. It is open source, freely available, and used by system administrators all over the world. Other users include IT auditors and security professionals, such as pentesters.
