Data Protection Tool

How to Guard Against the Growing Threat of Linux Ransomware

Picture of Tracy Rock

Tracy Rock

Director of Marketing @ Invenio IT


Linux ransomware

Business owners have been put on red alert for ransomware and implemented new strategies and tools to protect themselves. Unfortunately, the common misconception that only Windows systems are vulnerable may put some users at unnecessary risk. While a 2021 report found that more than 90% of ransomware attacks target Windows, the rise of Linux ransomware is cause for legitimate concern.

If any aspect of your business relies on Linux, it’s important to recognize that ransomware is a very real threat that continues to grow. Read on to learn how ransomware has evolved in Linux systems and how to improve your business’s prevention and recovery practices.

What Is Ransomware?

Before we dig into the details of Linux ransomware, let’s do a quick refresher on the basic concept. Ransomware is a form of malware that encrypts files on your computer systems, preventing you from accessing them and, in the worst circumstances, paralyzing your business’s operations.

Ransomware is unique from other types of malware in that cyber attackers do not simply steal, encrypt, or destroy data. They also demand payment in exchange for the restoration of your files. With an average remediation cost of $1.4 million, these attacks can be devastating for businesses.

Organizations that fall victim to ransomware attacks can also suffer from serious data loss because, even when they pay the ransom, there is no guarantee of full restoration.

Why Is Linux Ransomware a Concern?

Considering that Linux ransomware represents a relatively small share of attacks, it’s reasonable to question why businesses should bother to be concerned. There are a few key data points that demonstrate why Linux users should take the threat of ransomware seriously:

  • Although Windows dominates the desktop market, Linux is the overwhelming favorite when it comes to servers and supercomputers.
  • Experts valued the global Linux market size at $5.33 billion in 2021 and project that it will grow to $22.15 billion by 2029.
  • In 2021, 47% of software development occurred on Linux-based systems.
  • There was a shocking 75% increase in ransomware attacks targeting Linux systems in the first half of 2022 compared to the first half of 2021.
  • There has been a rise in cross-platform ransomware that can jump between Linux, iOS, and Android systems.

There have been ransomware attacks on Linux-based systems for several years. However, as the market grows and cybercriminals sharpen their focus on new targets, it will become even more important for businesses to protect themselves, particularly as high-profile targets are becoming the norm. In August 2022, for example, the government of Chile revealed that they had experienced a ransomware attack targeting both their Windows and Linux-based systems.

How Is Linux Ransomware Different from Windows Ransomware?

The fundamental features of Linux ransomware and Windows ransomware are the same. However, because they are often used for different purposes, there is some variation in how the attacks play out.


According to a study by Verizon, 82% of data breaches involved human elements, including errors and misuse. This has long been an issue for Windows systems, where phishing emails and stolen credentials give cyber attackers easy access to data.

Because Linux is less popular as a desktop operating system and many Linux users are technology professionals, ransomware gangs have to look for different points of attack. Rather than relying on emails, they often search for vulnerabilities, such as out-of-date patches, and use them to gain entrance to Linux systems.

Double Extortion

Ransomware attacks on Linux-based systems are often more complex, which means that the criminals behind them might look for bigger payouts. While double extortion schemes exist in the world of Windows, they are especially common in Linux ransomware attacks.

In these scenarios, criminals will threaten not only to keep the data encrypted but also to leak it online. This places additional pressure on businesses that could be permanently damaged by the release of sensitive client, customer, employee, or company data.

How Does Linux Ransomware Work?

Linux ransomware works in much the same way as ransomware attacks on other systems, including Windows. Once a cybercriminal identifies a target, they find ways to exploit their vulnerabilities and infect their systems.

Attack Steps

There is no one-size-fits-all description of the ransomware process, but the essential stages are generally the same. During an attack, ransomware typically:

  • Infects: Using a vulnerability (like an unpatched system), the ransomware downloads, copies, and launches a malicious executable to a local directory.
  • Stages: The ransomware moves itself to a new folder and establishes persistence, which allows it to enable capabilities like the ability to run at boot or in recovery mode.
  • Scans: Once it has established persistence, the ransomware scans systems to locate and map a set of file extensions and file storage repositories.
  • Encrypts: After identifying target files, the ransomware encrypts them, deletes the originals, and generates ransom notes.
  • Extorts: When the files have been encrypted, the ransomware terminates and deletes itself, the victim discovers the ransom notes, and the operator waits to receive the ransom payment.

When the ransomware encrypts files and makes the ransom demand, the victim is left with no choice but to pay the ransom (which, for the record, is almost never advisable) or restore data from a backup.

Examples of Linux Ransomware

To get a better picture of how Linux ransomware operates, let’s explore three types that have emerged as significant threats since 2020. These ransomware strains are indicative of how a cybercriminal goes about infecting and encrypting a victim’s Linux system.


LockBit is one of the most prominent families of Windows ransomware. In October 2021, experts began detecting cases of LockBit Linux-ESXi Locker Version 1.0 on Linux systems. LockBit uses a combination of Advanced Encryption Standard (AES) and elliptic-curve cryptography (ECC) algorithms for data encryption. It has the capability to log:

  • Processor information
  • Volumes in the system
  • Virtual machines for skipping
  • Encrypted files and total files
  • Encrypted virtual machines and total virtual machines
  • Total encrypted size

The LockBit variant contains the commands necessary to take several harmful steps, including suspending virtual machines, checking the status of data storage, and disabling autostart. Once the ransomware infection is installed, LockBit demands a ransom and threatens to release data if their demands are not met.


In 2022, cybersecurity experts detected a new ransomware variant known as Cheerscrypt, a derivative of the Babuk malware family that targets ESXi servers. Many enterprises use ESXi, making it a logical target for cyberattacks. Unfortunately, the widespread use of ESXi means that successful attacks could cripple the operations of important services and infrastructure.

Once it has been executed, Cheerscrypt terminates virtual machine processes with specific extensions:

  • .log
  • .vmdk
  • .vmem
  • .vswp
  • .vmsn

This enables it to encrypt files with a .Cheers extension. As with many other Linux ransomware attacks, Cheerscrypt is a double extortion scheme that demands payment for data restoration and to prevent leaks. For each directory that is encrypted, a ransom note will appear.


Another form of ransomware that targets ESXi servers is AvosLocker. Although it previously only targeted Windows, in 2022, AvosLocker became capable of encrypting Linux systems as well. Once it is launched, AvosLocker terminates ESXi machines and adds the extension .avoslinux to encrypted files.

Ransom notes generated by AvosLocker warn victims against shutting down their computers and provide a link to receive more information about paying the demanded ransom. According to Bleeping Computer, AvosLocker has issued a $1 million ransom demand to at least one victim.

What Are the Most Common Types of Linux Ransomware?

New strains and variants of ransomware are constantly under development, which can make it a challenge for security experts to track and prevent them. Monitoring has revealed several kinds of ransomware that have infected Linux systems in the past several years.

There are some types of ransomware created specifically to target Linux systems. Others have been developed that can jump between Windows and Linux systems. Some of the most common types of Linux ransomware include:

  • RansomEXX, also known as Defrat777, has attacked targets including the Texas Department of Transportation, Tyler Technologies, and the Brazilian government.
  • Hive’s sophisticated Linux ransomware targets ESXi platforms.
  • REvil, which operates as ransomware-as-a-service (RaaS) and has attacked organizations like National Western Life and Erecat, began targeting Linux systems in 2021.
  • Mespinoza, also known as PYSA, developed a Linux variant in 2020.
  • DarkSide is one of the most threatening types of ransomware and targets both Windows and Linux systems in business, government, and finance organizations around the world.
  • HelloKitty expanded into Linux ransomware and began attacking VMware ESXi servers and virtual machines in 2021.
  • Tycoon ransomware has targeted higher education institutions, software companies, and other businesses.
  • Erebus is infamous for its 2017 attack against a web hosting company in South Korea and the $1 million Bitcoin payout that the business agreed to pay.
  • QNAPCrypt emerged in 2019 and targets network-attached storage Linux devices.
  • KillDisk has had the capability to target Linux since 2017 and makes it impossible for the target system to boot.
  • SFile or Escal ransomware first emerged in February 2020 as a threat to Windows systems, but it has since been ported to encrypt files on Linux systems.

Although Windows remains the primary focus of many cybercriminals, the trend of expanding into attacks against Linux systems will likely continue and even intensify in the future.

What Other Kinds of Malware Infect Linux Systems?

Ransomware is among the biggest risks to businesses and receives significant attention because of the financial havoc that it wreaks. However, it’s not the only kind of malware that threatens Linux-based systems and devices.

Internet of Things Devices

In addition to servers and cloud services, Linux is also the force that powers many Internet of Things (IoT) devices. The term IoT refers to millions of devices that are connected to the internet, including security systems, motion detectors, refrigerators, and cars.

The ubiquitous nature of IoT devices has made them a primary target for Linux malware. Infecting these devices can give cybercriminals the opportunity to access networks, crash systems, and use them for distributed denial of service (DDoS) attacks. There was a 77% increase in IoT malware from 2021 to the first half of 2022.


Cryptojacking occurs when bad actors take over devices in order to illegally mine for cryptocurrency. The criminals attempt to act in secret, without the device owner realizing that the attack has occurred, which distinguishes this type of crime from others like ransomware. Successful cryptojacking attempts can be extremely profitable.

In the first half of 2022, there were 66.7 million cryptojacking attacks, a 30% increase over the prior year. Much like ransomware, cryptojacking software has become a significant risk to Linux-based systems.

Linux Malware Families

According to a report from CrowdStrike, three malware families were particularly prominent in 2021: XorDDoS, Mozi, and Mirai. XorDDoS is a Linux trojan that uses SSH brute-forcing attacks to gain control over devices. The number of XorDDoS samples increased by 123% from 2020 to 2021.

Similarly, Mozi, a peer-to-peer botnet network, was 10 times more common in 2021 compared to 2020. It also uses brute-force attacks on SSH ports and prevents their malicious software from being overwritten.

The last major Linux malware player of 2021 was Mirai, which takes advantage of vulnerable protocols and passwords to attack devices. There have been multiple variants of Mirai, including Sora, IZIH9, and Rekai. According to CrowdStrike, the prevalence of Mirai variants increased by up to 83% from 2020 to 2021.

How Can Businesses Protect Themselves from Linux Ransomware Attacks?

There has been a decades-long debate about whether Linux is inherently more secure than Windows. In the case of ransomware, it’s clear that there is no absolute guarantee of security, which means that it is in every organization’s best interests to take the necessary steps to secure and back up essential data.

Minimize the Risk of the Human Element

Although phishing is not the most common attack vector for Linux ransomware, it’s nevertheless essential that every member of your business team receives comprehensive training on how to approach cybersecurity. Ensure that employees know how to watch for malicious links, enforce strict password requirements, and ensure that the members of your IT team are regularly updating and installing patches.

Use Effective BDR Solutions

Perhaps the most important step you can take to protect your business from the threat of ransomware is implementing high-quality BDR solutions. These tools are designed to circumvent problems by employing a smarter backup process and built-in ransomware detection for systems running on Linux, Windows, or Mac.

To ensure that you have rock-solid protection, check to see if it includes:

  • Ransomware detection: Look for a solution that actively monitors your backups. If a ransomware footprint is detected, it alerts the administrator to restore a clean backup, thus removing the threat, eliminating the need to pay a ransom, and preventing costly downtime.
  • Hybrid cloud: By storing backups both locally and in the cloud, you maintain quick access to your data and keep it safe from disruptions that occur on-site.
  • Instant virtualization: Backups that are image-based, fully bootable virtual machines offer greater protection if your server fails. You can virtualize your protected systems on a backup device or from anywhere via the cloud.
  • Faster, more resilient backups: Some ransomware programs scan file dates and select the most recent ones, in part because it’s less likely that the information has been backed up. Solutions with features like Inverse Chain Technology let you schedule backups as frequently as every five minutes. This process also eliminates the most commonly occurring problems in the backup chain, ensuring your files are not compromised.
  • Screenshot verification: Screenshots verify that your backups are bootable, so you never have to worry about getting a 3 a.m. wake-up call.

Because ransomware evolves so rapidly, it’s impossible to guarantee that your business will never be susceptible to an attack. However, if you implement BDR solutions with these critical features, you can help mitigate the effects of the attack as much as possible.

Plan Your Response in Advance

In order to maximize the chance that your business will survive a ransomware attack, it’s vital that you plan ahead. There are many steps you can take to prevent and recover from an attack, such as:

  • Filtering spam
  • Limiting access and privileges
  • Regularly patching devices
  • Establishing firewalls
  • Installing anti-malware and anti-virus software
  • Recovering data from a backup (rather than paying a ransom)

When you have a strong recovery plan in place, you can react more logically and strategically if an attack occurs.

How Can Businesses Learn More About Linux Ransomware?

To learn more about Linux ransomware and solutions for prevention and recovery, you can contact the business continuity experts at Invenio IT. Whether you want to explore implementing a new disaster recovery solution or find out about options that back up Windows and Linux systems on a single device, the team at Invenio IT is ready to help. Reach out to schedule a consultation or demo today.

Get the Ultimate Guide to Data Loss Prevention & Recovery for SMBs
Invenio it logo

Join 23,000+ readers in the Data Protection Forum

Related Articles