June 10, 2020

Linux Ransomware: What You Need to Know to Stay Safe

Ransomware is a sophisticated form of file-encrypting malware that attacks the victim’s data and locks it. The attacker then demands that the victim pay a ransom ranging from hundreds to thousands of dollars before the files can be restored. The main targets for ransomware creators are businesses, schools, hospitals, and various government institutions.

The main characteristics of ransomware that set it apart from other forms of malware include:

  • It uses strong encryption, meaning the files cannot be decrypted without the attacker’s key.
  • It can encrypt all types of files, including images, videos, and documents.
  • The infection can be easily spread to other computers in the network.
  • It adds different extensions to your file names.
  • The file names become scrambled, so you can’t easily tell which file has been affected.
  • The victim gets a notification that they have been hacked and that they need to pay a ransom to get their data back. There’s a time limit, after which the ransom has to be raised, or the data is completely destroyed.
  • The payment is supposed to be made in Bitcoin to avoid tracking.
  • Sometimes it includes geographical targeting. For example, the ransom notification may be sent in a certain language to increase the ransom’s chances of being paid.
  • It may also extract personal information such as the victim’s passwords, usernames, and emails and send it to a server controlled by the attackers.
  • It uses evasion techniques to go unnoticed by conventional antivirus programs.

Are Linux machines safe from ransomware?

Many Linux users dismiss ransomware as another “Windows problem.” This couldn’t be further from the truth. Linux has no built-in anti-ransomware mechanism; what protects its users is the way the system is normally installed, updated, and administered.

In the past, there were very few reported Linux ransomware attacks. This may be attributed to the fact that Linux does not expose the same loopholes that unpatched Windows machines do.

However, Linux ransomware has shown a growth curve for the past couple of years, and this is quite worrying, because it means Linux machines are becoming a deliberate target for these kinds of attacks. Not so long ago, a new family of ransomware known as Lilocked, or simply Lilu, infected thousands of Linux servers and blocked access to their files. This ransomware mainly targets a small subset of files stored on Linux web servers, such as HTML, PHP, and CSS. It adds “.lilocked” to the affected files’ names and then leaves a notification asking victims to make a payment on the dark net.
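The Lilocked behaviour described above (renamed files under a web root) is something an administrator can check for on the host. The following script is an added example, not code from the original post: it walks a web root, flags files carrying the “.lilocked” suffix the article mentions, and also flags files whose content has the high byte entropy typical of ciphertext, which catches encrypted files even when the suffix is absent. The sample web root, the 7.5 bits/byte threshold, and the function names are constructed for this demonstration.

```python
# Added example (not from the original post): scan a web root for
# Lilocked-style damage. Two signals are used: the ".lilocked" suffix the
# article names, and high Shannon entropy, which plain HTML/PHP/CSS never has.
import math
import os
import tempfile
from collections import Counter

RANSOM_EXT = ".lilocked"      # suffix Lilocked adds to affected files (from the article)
ENTROPY_THRESHOLD = 7.5       # bits/byte; assumed cut-off, text sits far below it


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; close to 8.0 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_webroot(root: str) -> dict:
    """Return {'renamed': [...], 'suspicious': [...]} with paths relative to root."""
    report = {"renamed": [], "suspicious": []}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.endswith(RANSOM_EXT):          # signal 1: ransomware suffix
                report["renamed"].append(rel)
                continue
            with open(path, "rb") as fh:           # signal 2: content looks encrypted
                head = fh.read(65536)
            if len(head) >= 256 and shannon_entropy(head) > ENTROPY_THRESHOLD:
                report["suspicious"].append(rel)
    return report


def build_sample_tree() -> str:
    """Constructed demo web root: one clean page, one renamed file, one encrypted-looking file."""
    root = tempfile.mkdtemp(prefix="webroot-")
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body>Hello world</body></html>\n" * 20)
    with open(os.path.join(root, "style.css" + RANSOM_EXT), "wb") as fh:
        fh.write(os.urandom(1024))                 # stands in for ciphertext
    with open(os.path.join(root, "config.php"), "wb") as fh:
        fh.write(os.urandom(4096))                 # encrypted in place, suffix not yet added
    return root


if __name__ == "__main__":
    print(scan_webroot(build_sample_tree()))
```

Point `scan_webroot` at a real document root (for example `/var/www`) and feed the result to your alerting; a non-empty “renamed” list is a strong indicator that the encryption has already started.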

Here are some of the ways in which Linux systems’ standards and policies are set up to help protect against ransomware attacks:

  1. Linux does not automatically install software from the internet. First, you have to whitelist the repository and give your permission, even if you are logged in as admin.
  2. Linux updates only come from trusted sources, so forced updates are impossible unless somebody hacks into your machine, which is quite difficult.
  3. Even if ransomware somehow got into your computer, Ubuntu would shut down the machine quickly so that no further damage is done.

However, you need to keep in mind that all these policies do not guarantee ransomware protection. You should always be very careful when adding PPAs into your repository list.

Notorious Linux Ransomware Attacks

Here are some of the ways in which Linux ransomware attacks may be characterized:

Reconnaissance

The attacks don’t feature extensive target reconnaissance. They target as many systems as possible so that the attackers can profit from the ransom paid. The approach seems to be changing as more ransomware attacks are now targeted towards large organizations.

Weaponization

The attacks are first pre-weaponized, whereby a social engineering loophole is used to reach as many vulnerable systems as possible. With improved defenses on the side of organizations, attackers are responding by fine-tuning their attacks to targeted organizations.

Delivery

The attacks get delivered through email phishing. However, since Linux systems are more robust, the attacks target server vulnerabilities.

Exploitation

The attacks take advantage of the human element through the use of social engineering.

Actions on Objectives

The attacks block authorized users from accessing data with the aim of extorting money from the victims. Another intention of the attack would be to gather user information and send it to the servers for sale on the black market.

How to protect your machine against Linux ransomware

Until not so long ago, Windows was the primary target for ransomware attacks. Attackers then started moving towards Mac and Linux, because the number of Linux users is increasing. Traditionally, one would have felt rather safe using a Linux system. But all this has changed now, and many Linux users are afraid of becoming victims.

You can easily protect your machines from Linux ransomware by having a data backup strategy. Set it up so that backup accounts can read the production systems but are, at the same time, blocked from overwriting or deleting any existing backup. This backup strategy should then be linked to a sophisticated data-centric tool that combines access control with encryption and other security measures.

Smart backup and restore is the ultimate defense against ransomware attacks. The only problem with this kind of defense is the downtime administrators need to restore the affected systems to their pre-attack state. The backup and restore measures should be put to the test every once in a while to confirm that they serve their purpose. Other defenses include firewalls, secure configurations, and automated configuration management.

How else can someone protect their Linux system from ransomware infection? Here’s how:

  1. Keep your operating system patched and updated to eliminate any known vulnerability. A hardened OS is practically impossible to attack. Not only Linux but other relatively secure OSes like macOS may suffer from malware.
  2. Install a reliable antimalware program and keep it up to date.
  3. Do not keep the only copy of very important files on your computer. Store them on an external hard drive as well as in the cloud.
  4. Sync data stored on Google Drive or Dropbox often.
  5. Adjust your browser’s security and privacy settings for improved security.
  6. Remove all outdated add-ons and plugins, such as Adobe Flash, from your browser.
  7. Use an ad-blocker to eliminate the threat of potentially malicious ads.
  8. Never open suspicious emails from unknown senders.

Conclusion

The concentration of data on Linux systems has greatly influenced the rise in the number of attacks. Ransomware attacks against Linux are more likely to exploit poor configuration and remotely exploitable vulnerabilities. Luckily, there are viable defense mechanisms that work to protect users against these attacks. The defenses must be checked regularly to make sure that the data is protected.
