New Ransomware Threat Jumps From Windows To Linux—What You Need To Know


Ransomware has plagued Windows users for years, but now the cybercriminal crosshairs are aiming at Linux users

Barely a week goes by without news of yet another organization falling victim to the cyber threat of the day: ransomware. There will always be outliers, such as the security researcher who managed to run a ransomware attack on a coffee machine (yes, you read that right), but the vast majority of attacks have targeted users of one Windows operating system or another. That is changing, however, and ransomware is now being adapted to compromise Linux servers.

Ransomware is a hugely profitable business; the Ryuk threat operators are said to have made $34 million (£25.8 million) from just one successful attack, for example. Perhaps the highest-profile operator, the REvil cybercriminal group, allegedly makes more than $100 million (£76 million) a year from extorting ransom payments. Ransomware is, in my never humble opinion, the most prominent cybersecurity threat organizations face today.

The evolution of ransomware has been relatively rapid. The primary driver of recent extortion success has been the addition of a data exfiltration stage: the attackers copy data out of the network before encrypting it, then demand payment both for a decryption key and, supposedly, to prevent publication of the stolen confidential data. I say supposedly because security researchers report, unsurprisingly if you ask me, that paying the ransom doesn't always mean the threat actors delete that data. Sodinokibi victims have been extorted a second time, and Netwalker victims have had data published after paying up.

Nor am I surprised that ransomware is evolving to include Linux users. This follows a broader cybercrime pattern: back in August, the FBI and NSA warned about a Linux cyberespionage toolset called Drovorub, for example, apparently developed by Russian military hackers and already deployed in real-world attacks.

Now Kaspersky researchers have detailed a new file-encrypting Trojan called RansomEXX that attacks Linux machines. It is, the researchers said, highly targeted: each code sample they examined contained the name of the organization being attacked. It is also a very real-world threat, as large organizations have already fallen victim to RansomEXX; Kaspersky cites attacks on the Texas Department of Transportation and Konica Minolta.

RansomEXX itself, however, is not new: it has been a prevalent Windows threat for some time. What is new is the porting of the ransomware to Linux, so that Linux servers are targeted directly. As far as I am aware, this is the first time a Windows ransomware family has made this operating system jump. It must be pointed out that Linux servers have, of course, been hit by ransomware actors before: there are Linux-specific threats already, and operators including the RansomEXX gang have encrypted Linux servers after using compromised Windows machines as a gateway into the network. But porting a dedicated Windows threat into a native Linux one shows how the threatscape is evolving.

"Although not unique, it is rare to see ransomware appear on Linux," Gavin Matthews, a product manager at Red Canary, said, "while cloud assets can often be reimaged or redeployed to remove threats like ransomware, the increase in Linux threats stresses the need for better detection and protections against threats that bring down applications, put customer data at risk, and hurt business operations."

Mitigation against Linux ransomware is no different from mitigation against Windows ransomware: get the security basics right. That means addressing the human factor with a focus on security awareness and training, and that includes everyone from the shop floor to the top floor. Multiple intrusion prevention layers, from simple spam filtering to DNS protection, are a no-brainer. So is patch management, which closes the known vulnerabilities attackers use as an entry point to your networks and data. Not forgetting the principle of least privilege and robust password management. And because the whole point of the attack is to hold your data hostage, keep tested backups that a compromised server cannot reach or overwrite, so that recovery never depends on a decryption key.

Your goal is to make access to the system as difficult as possible, and if an attacker manages to get that far, make movement around the network as difficult as possible.
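Matthews' point above about needing better detection on Linux hosts, and the mitigation basics just listed, can be made concrete. The following is an added example, not code from the article, from Kaspersky, or from Red Canary: a small heuristic that scans a directory tree for files that look freshly encrypted (near-random byte content under a file extension not seen in the baseline) and raises an alert when a large fraction of the tree fits that pattern, which is what mass encryption by ransomware looks like on disk. The sample files, the ".locked" suffix and the thresholds are constructed for the demo and are not RansomEXX's real indicators.

```python
"""Toy ransomware-activity heuristic for a Linux file tree.

Added example, not from the article or from any vendor's analysis. A file is treated as
suspicious when it is high-entropy AND carries an extension the baseline does not know;
the second condition keeps legitimate compressed or encrypted archives out of the alert.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5      # bits/byte; ciphertext and random data sit near 8.0, prose well under 5.0
MASS_ENCRYPTION_RATIO = 0.3  # alert when at least this fraction of scanned files looks freshly encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, baseline_exts: set[str]) -> bool:
    """True when the file has an unknown extension and near-random content."""
    if path.suffix.lower() in baseline_exts:
        return False
    with path.open("rb") as fh:
        sample = fh.read(65536)  # the first 64 KiB is plenty for the entropy estimate
    return shannon_entropy(sample) >= ENTROPY_THRESHOLD


def scan_tree(root: Path, baseline_exts: set[str]) -> dict:
    """Scan every regular file under root and summarise what looks encrypted."""
    files = [p for p in root.rglob("*") if p.is_file()]
    suspects = sorted(str(p.relative_to(root)) for p in files if looks_encrypted(p, baseline_exts))
    ratio = len(suspects) / len(files) if files else 0.0
    return {
        "scanned": len(files),
        "suspects": suspects,
        "ratio": ratio,
        "alert": ratio >= MASS_ENCRYPTION_RATIO,
    }


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: two plain files, one legitimate high-entropy archive, three 'encrypted' files."""
    (root / "notes.txt").write_bytes(b"quarterly planning notes, nothing to see here\n" * 200)
    (root / "config.yaml").write_bytes(b"listen: 0.0.0.0\nport: 8080\n" * 100)
    # Random bytes stand in for real gzip output: high entropy, but a known extension, so not flagged.
    (root / "backup.gz").write_bytes(os.urandom(8192))
    for name in ("invoices.db", "customers.csv", "report.pdf"):
        # Random bytes stand in for ciphertext; the ".locked" suffix is hypothetical, not a real indicator.
        (root / f"{name}.locked").write_bytes(os.urandom(8192))


def demo() -> dict:
    """Build the constructed tree in a temp dir, scan it, and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root, baseline_exts={".txt", ".yaml", ".gz", ".db", ".csv", ".pdf"})


if __name__ == "__main__":
    result = demo()
    print(f"scanned {result['scanned']} files, {len(result['suspects'])} look encrypted, "
          f"alert={result['alert']}")
    for suspect in result["suspects"]:
        print("  ", suspect)
```

The entropy test alone is a poor detector, since compressed archives, images and genuinely encrypted backups all score near 8 bits per byte; pairing it with the unknown-extension check and a tree-wide ratio is what separates a bulk encryption event from ordinary activity. On a real server this logic would sit behind an inotify or auditd feed rather than a periodic full scan, and the baseline extensions would come from an inventory of the host rather than a hardcoded set.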