Linux Ransomware Protection

Why is Linux a Target of Ransomware

Linux is the most popular operating system. This includes both individual users and organizations that run servers. Linux powers the Internet, with 74.2 percent of all web servers using it. This is the main reason why criminals are interested in ransomware targeting Linux users.

There are many ways to make a lot of people miserable by exploiting loopholes in one the most important operating systems in the entire world. It also provides valuable business information.

When it comes to operating system flaws and gaps, the problem is often not the system but how it is used and managed. According to a Verizon report, the main vectors for ransomware include brute force attacks and stolen credentials. Malicious emails such as Phishing are also common. Other vectors include misconfigurations, patch management, and untrained SysAdmins.

Ransomware Attacks On Linux Systems

img alt=”The most well-known Linux ransomware attacks.” data-ll-status=”loaded” src=””/>

1. RansomEXX

RansomEXX, also known as Defrat777, is one of the most recent ransomware attacks on Linux. This ransomware targeted several high-end targets in 2020 & 2021.

  • Brazilian government network.
  • Texas Department of Transportation (TxDOT).
  • Konica Minolta.
  • IPG Photonics.
  • Tyler Technologies.

RansomEXXX is a C64-bit ELF binary that was compiled using the GNU Compiler Collection. Ransomware can only be operated by humans. Threat actors will need to have time to compromise networks, steal credentials, and spread the ransomware across devices.

The ransomware generates an AES-block cipher-enabled 256-bit key when activated. A public RSA-4096 encrypts AES keys, but the attack also contains a thread that re-encrypts AES keys every second.

RansomEXX has a unique feature that is not found in most Trojans:

  • C&C communication (C2).
  • Stopping running processes
  • Anti-analysis traps and tricks

RansomEXXX is highly targeted. Each malware sample contains a hardcoded name for the victim’s company. The victim’s name is used for both the encrypted file extension as well as the email address to contact attackers.

2. Tycoon

The tycoon has been the most popular Linux ransomware in recent years. This ransomware was first discovered in 2019 by hackers who went after:

  • Higher education institutions
  • Software companies.
  • Businesses of all sizes.

Tycoon’s payload is a ZIP archive containing a malicious Java Runtime Environment component. To hide the danger, hackers compile ransomware into a Java image file.

Tycoon hackers typically hack into systems via an unsecured remote desktop protocol (RDP). Once inside, the hackers compile code into Java images and create a custom JRE. After executing the Java object, the attackers execute a shell script to encrypt the system and leave a config file with ransom notes.

Each file is encrypted with a unique AES key by Tycoon before being further encoded with an RSA-1024 layer. The victim is usually given a 60-hour window in which to pay Bitcoins for the decryption keys. Tycoon attacks can be used on both Linux and Windows OSs.

3. Erebus

After infecting a South Korean web hosting company, Erebus was made famous. The breach affected more than 3.400 websites and 153 Linux servers. To restore its digital infrastructure, the company paid $1 million in Bitcoins. This was the largest ransomware payout of the time.

Erebus, originally Windows-based, exploited a weakness in the User Account Management feature. Later, hackers repurposed Erebus and created ransomware to target Linux servers. Erebus scans more than 400 file types to find encryption keys once it is inside a server network.

  • Databases.
  • Archives
  • Documents.
  • Multimedia items

Erebus uses a combination of RSA-2048 and AES cryptosystems to encrypt. Multilingual ransomware notes are a sign of intent to target a wide range of targets.

4. QNAPCrypt

QNAPCrypt was first discovered in July 2019. This ransomware targets network-attached storage (NAS), Linux devices. QNAPCrypt is typically spread via:

  • SPAM email campaigns that contain infectious files (typically Office documents, archives (ZIP and RAR), executables (PDFs, JavaScript files), and Office docs)
  • Software activation tools that are not official.
  • Fake software updates

QNAPCrypt is based on poor authentication practices when connecting through a SOCKS5 proxy. Once hackers have gained access to a system, they execute the payload. The ransomware then reaches the hacker’s C2 server to request an RSA public secret and begins file encryption.

A ransom note is a text message with a personal message demanding payment in Bitcoin. Each attack requires a different Bitcoin wallet.

5. KillDisk

KillDisk, like Erebus, was originally a Windows-only threat before it was extended to Linux environments in January 2017.

KillDisk Linux overwrites GRUB’s bootloader to stop the target system from starting. After the program launches, a ransom note appears on the screen and asks for Bitcoin payment.

KillDisk does not save cryptographic keys locally and submits them via a C2 Server. This suggests that KillDisk was not originally an extortion tool but a cyber weapon. Security experts think that paying the ransom will prove futile because data recovery is unlikely to be possible due to the nature of the program.

The No More Ransom Project

Do you know what to do if your Linux system is infected by ransomware?

First, it is not recommended to pay the ransom as the FBI, other agencies, and companies recommend. It is best to get expert advice on the matter.

Have you heard of the No More Ransom Project?

NMR is a joint project of the top security organizations and companies around the globe to combat ransomware attacks. In 2016, the project was launched.

NMR provides decryption tools to victims of attacks. The project is estimated to have helped over 200,000 ransomware victims recover their data. And the best part? It’s completely free.