In this article, we explore ransomware, specifically the unique way it attacks Linux-based systems.
"It was called a tribute before a battle, and a ransom afterwards."
This famous quote from English author T.H. White captures the delicate balance required to keep cyber attackers at bay. Your company pays its tribute in the form of security staff, an IT department and anti-malware vendors, all to keep your Linux servers secure.
Meanwhile, criminals identify your company as a mark that can deliver a large payout. Reconnaissance happens, attackers move laterally through your network, data exfiltration takes place, and then you discover that your Linux systems have been taken over. Your data is kidnapped and a ransom note says a payment is due.
The safety and security of your data is now in the hands of an unknown assailant demanding payment in elusive Bitcoin. Refuse, and your organization suffers the financial and reputational consequences; pay, and the criminal may take your money and still parade your data like a war trophy on a "Wall of Shame" or similar leak site.
- Linux Is Not an Impenetrable Fortress
- Key Differences Between Old And New Ransomware
- Trail of Damage Left Behind By Attackers
- Prevention Tips
- Reporting Tips
- Use Live Patching to Protect Your Files
Linux Is Not an Impenetrable Fortress
While hardening and permission layers prevent users from performing actions that affect system-wide data, ransomware attacks on Linux systems arrive through more subversive means. It is not the same as an attack on a Windows-based system.
Instead, bad actors probe components of Linux systems, such as web servers, for vulnerabilities. Their targeted approach involves developing customized code to exploit those vulnerabilities, ultimately compromising a component such as the Linux kernel or a shared library.
Key Differences Between Old And New Ransomware
Old ransomware uses a strong algorithm to encrypt the data on a system, storing the decryption key on an attacker-controlled system. Attackers then demand a ransom in exchange for restoring access to the data.
Current ransomware versions ("2.0") also exfiltrate data from internal systems and extort money twice over: for restoring access, and for not publishing the stolen data online. Expect current versions to circumvent traditional anti-malware protection on Linux servers by exploiting vulnerabilities in the kernel, shared libraries or even userland applications.
RansomEXX was a threat to Windows, but jumped to Linux. Victims include Konica Minolta and the Texas Department of Transportation. Another concern is the development of highly targeted ransomware tailor-made for use against specific companies. Researchers are looking into how these situations expose hidden vulnerabilities in open-source software.
Most companies and government organisations infected by new ransomware are running up-to-date anti-virus programs, attesting to the fact that even the latest version of endpoint protection isn't enough to prevent new threats.
Trail of Damage Left Behind By Attackers
Linux ransomware damages a company financially, intellectually and physically, tarnishing its reputation and image. Encrypted files are unavailable to employees and customers, cutting productivity and revenue streams, on top of any ransom paid. Files containing intellectual property might be disclosed publicly, introducing the risk of non-compliance with regulations like GDPR and HIPAA.
Not just encrypted files, but a threat to human lives
Hospitals are often targeted first because they are an industry known for deep pockets and poor security protocols. A study found that the incidence of deaths from heart attacks rises after a breach. One attack prevented a German hospital from admitting a patient in need of urgent care, and she died.
Prevention Tips
Here are some tips to protect your Linux servers from attack:
- First, ensure security updates install automatically.
- Configure gateway devices to replace default or weak credentials with strong ones.
- Make security awareness part of everyday life because the weakest link in any cyber-defense scheme is a human being.
- Back up your data and version your backups, so that a previous version is always available for recovery.
- If you do get infected, immediately stop scheduled backups to prevent bad data from overwriting good restore points.
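As an added example (not from the original article or from KernelCare), a minimal POSIX shell backup job that implements the last two tips: every run writes a new numbered snapshot instead of overwriting the previous one, keeps only the newest N, and refuses to run while a freeze marker is present, so an operator can halt scheduled backups the moment compromise is suspected. The paths /srv/data, /backup/srv and /usr/local/sbin/snapshot.sh are placeholders.

```shell
#!/bin/sh
# Constructed example: versioned, freeze-aware backups for a Linux host.
# Each run copies SRC into a new numbered snapshot under DEST instead of
# overwriting the previous one, keeps only the newest KEEP snapshots, and
# refuses to run while DEST/.backup-frozen exists, so a compromised host
# cannot push encrypted files over good restore points.
# Schedule it from cron (placeholder paths), e.g.:
#   0 2 * * * . /usr/local/sbin/snapshot.sh; take_snapshot /srv/data /backup/srv 14
set -u

# take_snapshot SRC DEST KEEP: prints the new snapshot path.
# Exit status: 0 ok, 2 backups are frozen, 1 copy failed.
take_snapshot() {
    src=$1; dest=$2; keep=$3
    mkdir -p "$dest"
    if [ -e "$dest/.backup-frozen" ]; then
        echo "backups frozen: $(cat "$dest/.backup-frozen")" >&2
        return 2
    fi
    # Monotonic counter in DEST: names are never reused and sort in creation order.
    n=$(cat "$dest/.seq" 2>/dev/null || echo 0)
    n=$((n + 1))
    snap=$(printf '%s/snap-%06d' "$dest" "$n")
    # Copy under a temporary name first so a half-written snapshot is never
    # mistaken for a valid restore point.
    cp -a "$src" "$snap.partial" || return 1
    mv "$snap.partial" "$snap" || return 1
    echo "$n" > "$dest/.seq"
    prune_snapshots "$dest" "$keep"
    echo "$snap"
}

# list_snapshots DEST: names of completed snapshots, oldest first.
list_snapshots() {
    ls -1 "$1" 2>/dev/null | grep '^snap-[0-9]*$' | sort
}

# prune_snapshots DEST KEEP: delete everything but the newest KEEP snapshots.
prune_snapshots() {
    list_snapshots "$1" | sort -r | tail -n +"$(($2 + 1))" | while read -r old; do
        rm -rf "$1/$old"
    done
}

# freeze_backups DEST [REASON]: incident response, stops scheduled backups now.
freeze_backups() {
    mkdir -p "$1"
    echo "${2:-frozen by operator} at $(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$1/.backup-frozen"
}
```

Because each snapshot is a full copy, the previous version survives even if the source has been encrypted in place; restoring is a plain copy back from the last snapshot taken before the freeze.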
Reporting Tips
The FBI advises against paying the ransom. Instead, report it as follows:
- Contact your local FBI field office or equivalent law enforcement agency.
- Submit a tip online.
- Report it to the Internet Crime Complaint Center (IC3).
Use Live Patching to Protect Your Files
KernelCare live patching reduces the time a system is unpatched, narrowing attack windows and lowering the rate of infection by ransomware, with no downtime. It's a small tribute to pay in your battle to avoid the ransom. For more information, contact us today!