It’s Happening: Linux Ransomware Attacks on the Rise

by | Oct 25, 2017

It was only a matter of time. Over the last year, as ransomware has continued to wreak havoc on businesses across the globe, many have wondered about the security of their Linux-based systems. Now, new findings have confirmed the inevitable: more strains of Linux ransomware are out in the wild, and infections are on the rise.

Today, we take a closer look at the Linux threat and how to stay protected.

How far will ransomware go?

If you’re new to ransomware, a quick explainer is necessary before we dig into the latest Linux variants.

Ransomware is a form of malware that encrypts files on your computer systems and demands money in exchange for the decryption keys to get your data back.

In a business environment, ransomware can be destructive. An infection can quickly lock you out of business-critical files and applications—not just on the initially infected computer, but across your entire network.

For many businesses, ransomware cripples operations and causes costly downtime to the tune of more than $8,000 per hour, according to some estimates. And even if you pay the ransom, there’s no guarantee you’ll get the data back.

A whole lot of destruction in a short amount of time

In 2017, WannaCry and GoldenEye (aka NotPetya) made headlines for causing nightmares at organizations around the world. These strains were slightly unique from other ransomware variants in that they exploited vulnerabilities in unpatched versions of Microsoft Windows.

The exploit enabled the malware to spread outward, infecting other vulnerable machines across the network without users taking any action. In traditional attacks, the ransomware typically requires an unsuspecting user to open a malicious email attachment or visit a website embedded with malicious code—usually via a link in email spam or a phishing email.

But even without that outward-spreading capability, ransomware can be very destructive when a single user has access to all files and folders on a network. Imagine, for example, a hospital worker who can access all patient records and the files that run critical applications. All it takes is one wrong click for the entire facility to be locked out of that data.

Why Linux ransomware is on the rise

So, why Linux? Why now?

In truth, nobody’s very surprised that ransomware is expanding to Linux. One of the biggest reasons why Linux ransomware has been virtually nonexistent so far is simply that hackers haven’t bothered developing it.

Yes, more businesses than ever are running on Linux. But its market share is a drop in the bucket compared to the number of machines running Windows. For hackers, it has been more profitable and efficient to focus their time, money and resources on developing Windows ransomware.

There’s no shortage of online debate about whether Linux is inherently more secure against ransomware attacks. That’s a question for another day. If you’re in IT, then you know that no software or OS is 100-percent bulletproof. By targeting Linux, cybercriminals are testing the waters to see what kind of revenue streams can be created. And if recent attacks are any indication, then this ransomware could be quite lucrative for hackers.

Beware of Erebus

Last June, only a month after the WannaCry outbreak, a Linux-based ransomware attack resulted in an outrageous sum paid to hackers. Yet the attack mostly flew under the radar of major news organizations.

NAYANA, a South Korean web host, was hit with ransomware that encrypted data on 153 Linux servers, disrupting 3,400 customer websites. Most ransomware demands average under $2,000, but these attackers wanted a lot more: roughly $4.4 million in Bitcoin.

The company ultimately only paid about $1 million, still a staggering figure.

The ransomware used in the attack is known as Erebus—a strain that had previously targeted Windows systems but had been recently modified for Linux. The successful infection on NAYANA’s servers was likely the result of unpatched software. In a blog post, security firm Trend Micro wrote:

“We can only infer that Erebus may have possibly leveraged vulnerabilities or a local Linux exploit. For instance, based on open-source intelligence, NAYANA’s website runs on Linux kernel, which was compiled back in 2008. Security flaws like DIRTY COW that can provide attackers root access to vulnerable Linux systems are just some of the threats it may have been exposed to. Additionally, NAYANA’s website uses Apache version 1.3.36 and PHP version 5.1.4, both of which were released back in 2006.”

Still, regardless of how the infection occurred, the incident was a clear sign that ransomware developers are putting a new focus on Linux-based systems. And since the attack resulted in such a huge ransom payout, you can bet this is only the beginning of a new surge of Linux ransomware attacks to come.

How it works

Let’s take a deeper dive into Erebus to explain how it has evolved to compromise Linux systems.

Researchers at SonicWall recently broke down how the malware works after discovering an update to the Erebus ransomware family. In the post, the team explains how Erebus initially infected computers via malvertisements—malicious ads that redirect users to pages that would install ransomware on a user’s computer. Later, Erebus was updated to compromise a Windows feature known as UAC, which is supposed to prevent unauthorized changes. In its latest form, Erebus ransomware can infect Linux servers as well, rapidly encrypting data and thus making it inaccessible.

Here’s a closer look at how the Linux ransomware goes to work:

1) Before encryption begins, the malware makes initializations to create a log file. After the file is created, the Erebus “collects information about the processes using g_init_arg function and stores this information in the log file using log_write function.”

  • It also collects information using the g_init function and stores it in GINFO with the following info:work_path, self_path, self_hash, os, os_version, os_arch, nic, locale, timezone
  • It also stores the following information in the GCONF: id, seed_sys, seed_hash, password, key_app_rsa_pub, key_rsa_size, cc_server_size, cc_timeout, cc_timeout_conn, url_list_size, url_dn_list_size

The ransomware then sends the information collected in GCONF to its botnet command-and-control servers.

2) Now, the encryption can begin. Erebus uses algorithms to randomly generate keys on the local machine, then encrypts the key using a RSA-2048 algorithm with its public key (which thus makes decryption impossible without the RSA-2048 private key).

The file encrypted by EREBUS ransomware contains the following information:

  1. Header
  2. Encrypted original file name
  3. Encrypted AES key
  4. Encrypted RC4 key
  5. RC4 encrypted file data

It then renames the encrypted file with .ecrypt extension and after encrypting the files in the folder, it drops the instruction files with the following names:

  1. html
  2. txt
  3. index .html

3) Finally, it asks for payment. After encrypting files, Erebus deletes itself from the infected server.  The _DECRYPT_FILE then provides instructions for installing the TOR browser and lists several URLs for submitting payment to decrypt the files.

Take a deep breath. Then restore a backup.

The single best solution for removing ransomware from an infected Linux server (or any system, for that matter) is restoring a backup. Simply choose a recovery point from before the infection, and voila – your files are back, and the ransomware is gone.

However, depending on your backup system, you could run into problems:

  • Your backup could be encrypted too
  • Full recovery could take hours or days
  • Recovery could fail, due to corrupted files
  • Your last recovery point could be too old

In other words, simply having a backup isn’t enough. How you back up your data matters.

Better protection against ransomware and other disasters

BDR solutions from Datto are designed to circumvent the common problems listed above by employing a smarter backup process and built-in ransomware detection for systems running on Linux, Windows or Mac.

Here’s what makes this protection rock-solid:

  • Ransomware detection: The Datto SIRIS actively monitors your backups. If a ransomware footprint is detected, it alerts the administrator to restore a clean backup, thus removing the threat, eliminating the need to pay a ransom, and preventing costly downtime.
  • Hybrid cloud: By storing backups both locally and in the cloud, you maintain quick access to your data, while keeping your data safe from disruptions that occur on-site.
  • Instant virtualization: With Datto, your backups are image-based, fully bootable virtual machines. So if your server fails, you can virtualize your protected systems on the Datto device or from anywhere via the Datto Cloud.
  • Faster, more resilient backups: Datto’s Inverse Chain Technology lets you schedule backups as frequently as every five minutes. This process also eliminates the most commonly occurring problems in the backup chain, ensuring your files are not compromised.
  • Screenshot verification: Datto automatically verifies your backups are bootable, so you never have to worry about getting a 3 a.m. wakeup call.

Remember: regardless of OS, most ransomware infections begin with a malicious email attachment being opened or a bad link being clicked. One of the best ways to prevent such infections from occurring in the first place is adopting a training program that instructs employees how to spot bad emails and practice safe Internet browsing.

Get More Information

For more information on how your company can stay protected from ransomware on Linux or other operating systems, contact our business continuity experts at Invenio IT. Call us at (646) 395-1170, email or request a free Datto demo today.

YOU MIGHT ALSO LIKE:  10 Alarming Figures on the Business Impact of COVID-19
New call-to-action

Tracy Rock is the Director of Marketing at Invenio IT. Tracy is responsible for all media-related initiatives as well as external communications—including, branding, public relations, promotions, advertising and social media. She is one busy lady and we are lucky to have her!