Linux Ransomware: Attack Anatomy, Examples, and Protection

Why Is Linux Ransomware a Concern? 

While Linux ransomware only represents a small share of cyberattacks, there are several reasons to be concerned. As a Linux user, you must not overlook ransomware even if it is not yet common on Linux-based systems. While Windows is the favorite for desktops, Linux dominates the market for supercomputers and servers. The Linux computing market is projected to grow to $22 billion by 2029. 

Linux is an attractive target for attackers because it is commonly used for software development infrastructure. 2022 saw an increase of 75% in ransomware attacks that targeted Linux-based systems compared to the same period in 2021. Another concern is the rise in ransomware that can move between different platforms, such as Linux, Android, and iOS.  

However, the main reason to take ransomware seriously when using Linux is that future attacks will likely increasingly focus on Linux systems. Thus, the proportion of ransomware attacks targeting Linux will grow, making it more crucial to protect your business. 

Learn more in our detailed guide to ransomware on Linux (coming soon)

Anatomy of a Linux Ransomware Attack

Linux ransomware involves diverse and sophisticated techniques to compromise Linux systems and extort money. A ransomware attack usually includes the following steps. 

1. Initial Infection

While Windows ransomware usually infects the target via email, Linux ransomware exploits system vulnerabilities or service flaws that allow the attacker to compromise Linux system files. Some ransomware varieties use vulnerability scanners to identify potential targets. 

Once inside the Linux environment, an operator downloads a hidden ransomware executable, which the attacker copies to a local folder before terminating and removing the script. The ransomware is now active in the environment.

Many Linux ransomware variations can escalate privileges, enabling the operator to access restricted system resources. The initial infection only impacts the compromised web server, while privilege escalation enlarges the attack’s scope and impact.

2. Staging the Attack

This step prepares the Linux ransomware to operate smoothly, performing tasks like moving the malware to new folders to establish persistence. The ransomware acquires permission to run in recovery mode and at boot or to disable recovery mode. The ransomware operator communicates with the C2 server to generate the public key to enable encryption. 

3. System Scanning

The ransomware scans the compromised system for cloud file storage repositories and file extensions of interest and maps their locations. 

4. Encryption

The main damage occurs in this step (previous steps are reversible). The ransomware uses a random symmetric key (generated using the public key) to encrypt target files. Usually, the operator creates encrypted versions and deletes the original files. Ransomware can stay dormant in the Linux environment before implementing encryption. 

5. Extortion

The ransomware displays a ransom note with payment instructions before terminating and deleting itself. The attackers wait for the victim to pay the ransom to an untraceable account in exchange for decrypting the locked files. Ransomware recovery firms can provide advice and (sometimes) find a decryption key to recover the files.

Examples of Ransomware Attacks on Linux Systems 

RansomEXX

RansomEXX is a common Linux ransomware attack that has targeted high-profile companies, including the Brazilian government and the Texas Department of Transportation. It is a 64-bit, C-based ELF binary compiled with GCC. As a human-operated ransomware, it requires time to infect networks, steal credentials, and move laterally. 

Once activated, RansomEXX uses a 256-bit key to encrypt files. Each malware sample includes the target organization’s hardcoded name. The email address that contacts the attacker and the encrypted file extension have the target’s name.

Tycoon

Tycoon first appeared in 2019 when attackers targeted software companies, SMBs, and higher education institutions. The ransomware payload is a ZIP archive with a booby trap – a malicious JRE component. Hackers hide it by compiling it in a Java image file. 

Attackers usually breach target systems via unsecured RDP ports. They create custom JRE builds and execute the Java objects with shell scripts to encrypt the system and leave a ransom note.

Tycoon scrambles the target files with different AES keys and encodes data with RSA-1024. Victims usually have 60 hours to pay the Bitcoin ransom. Windows and Linux are both vulnerable to Tycoon.

Erebus

Erebus originally affected Windows, but hackers have since created ransomware targeting Linux servers. It scans the server network for over 400 types of files, including databases, archives, and documents. Erebus combines RSA-2048, RC4, and AES cryptosystems to encrypt files and provides multilingual ransom notes. 

QNAPCrypt

QNAPCrypt infects network-attached storage (NAS) devices, usually spreading via SPAM emails or fake software activation tools and updates. The ransomware exploits poor authentication practices via SOCKS5 proxy connections. Once inside the system, it obtains an RSA public key from the attacker’s C2 server to begin encryption. It leaves text-file ransom notes with personalized messages. 

How Can Businesses Protect Themselves from Linux Ransomware Attacks?

Minimize the Risk of the Human Element 

Phishing isn’t the most common attack vector for Linux ransomware, but it’s essential that all members of your business team receive comprehensive cybersecurity training to minimize the threat. Make sure your staff knows how to identify suspicious messages, avoid clicking unknown links, and that browsers and critical systems are regularly updated and patched.

Plan Your Response in Advance

To maximize your business’s chances of surviving a ransomware attack, it’s important to plan ahead. There are several steps you can take to prevent and recover from an attack:

• Set up access control and configure it according to the least privilege principle.
• Practice network segmentation to avoid ransomware from spreading throughout the network.
• Install antimalware and antivirus software on all endpoints.
• Ensure all critical data is backed up, and that backups are safely isolated from production systems so they don’t get infected by ransomware too.

EDR

Endpoint detection and response (EDR) solutions work by collecting security events and indicators of compromise (IOCs) from endpoint devices. These IOCs aren’t enough to identify an attack, but they can tell security personnel where to go to detect an attack in progress. EDR tools also help detect tunneling, where attackers surreptitiously collect data and try to transfer it outside the network.

When a solution detects an attack, it can take immediate action. EDR tools isolate endpoints so incident response teams can deal with issues without compromised systems affecting the rest of the network.

All-in-One Ransomware Protection with Cynet

Cynet is an Advanced Threat Detection and Response platform that provides protection against threats, including ransomware, zero-day attacks, advanced persistent threats (APT), and trojans that can evade signature-based security measures.

Cynet provides a multi-layered approach to stop ransomware from executing and encrypting your data:

• Pre-download—applies multiple mechanisms against exploits and fileless malware, which typically serves as a delivery method for the ransomware payload, preventing it from getting to the endpoint in the first place.
• Pre-execution prevention—applies machine-learning-based static analysis to identify ransomware patterns in binary files before they are executed.
• In runtime—employs behavioral analysis to identify ransomware-like behavior, and kill a process if it exhibits such behavior.
• Threat intelligence—uses a live feed comprising over 30 threat intelligence feeds to identify known ransomware.
• Fuzzy detection—employs a fuzzy hashing detection mechanism to detect automated variants of known ransomware.
• Sandbox—runs any loaded file in a sandbox and blocks execution upon identification of ransomware-like behavior.
• Decoy files—plants decoy data files on the hosts and applies a mechanism to ensure these are the first to be encrypted in a case of ransomware. Once Cynet detects that these files are going through encryption it kills the ransomware process.
• Propagation blocking—identifies the networking activity signature generated by hosts when ransomware is auto-propagating and isolates the hosts from the network.

Learn more about how Cynet can protect your organization against ransomware and other advanced threats.