Linux Ransomware is on the Rise. Here’s How to Protect Your Company
This post was originally published at https://invenioit.com/security/linux-ransomware-attacks-rise/
Does Ransomware Affect Linux?
Yes. Ransomware can infect Linux devices, including Linux servers, PCs and cloud infrastructure.
It’s a common misconception that only Windows systems are vulnerable to ransomware. While it’s true that 90% of ransomware attacks target Windows, the rise of Linux ransomware is cause for legitimate concern. In 2024, new and emerging threats from hacker groups like Eldorado are increasingly targeting Linux machines, which should raise alarm bells for businesses in every sector.
Read on to learn how ransomware has evolved in Linux systems, including information about what Linux devices are under attack by ransomware and how to improve your organization’s prevention and recovery practices.
What is Ransomware?
Before we dig into the details of Linux ransomware, let’s do a quick refresher on the basic concept.
Ransomware is a form of malware that encrypts files on your computer systems, preventing you from accessing them and, in the worst circumstances, paralyzing your business’s operations.
Ransomware is unique from other types of malware in that cyber attackers do not only destroy or steal data. They also demand payment in exchange for the restoration of your files. With an average remediation cost of $1.4 million, these attacks can be devastating for businesses.
Organizations that fall victim to ransomware attacks can also suffer from serious data loss because, even when they pay the ransom, there is no guarantee of full restoration.
Why is Linux Ransomware a Concern?
Considering that Linux ransomware represents a relatively small share of attacks, it’s reasonable to question why businesses should bother to be concerned. There are a few key data points that demonstrate why every company using Linux, anywhere in its infrastructure, should take the threat of ransomware seriously:
● Although Windows dominates the desktop market, Linux is the overwhelming favorite when it comes to servers and supercomputers. Linux runs on an estimated 80% of web servers globally.
● Linux is the most common operating system for constrained, embedded and IoT devices in industries like energy and manufacturing.
● Linux drives most of the U.S. government and military networks, and U.S. financial systems.
● Experts valued the global Linux market size at $5.33 billion in 2021 and project that it will grow to $22.15 billion by 2029.
● In 2021, 47% of software development occurred on Linux-based systems.
● There was a staggering 75% increase in ransomware attacks targeting Linux systems in the first half of 2022 compared to the first half of 2021.
● There has been a rise in cross-platform ransomware that can jump between Linux, iOS and Android systems.
There have been ransomware attacks on Linux-based systems for several years. However, as the market grows and cybercriminals sharpen their focus on new targets, it will become even more important for businesses to protect themselves, particularly as high-profile targets are becoming the norm.
In August 2022, for example, the government of Chile revealed that they had experienced a ransomware attack targeting both their Windows and Linux-based systems. More recently, attacks have used new variants of Mallox ransomware (formerly known as TargetCompany, Mawahelper and Fargo) to target Linux machines.
How is Linux Ransomware Different from Windows Ransomware?
The fundamental features of Linux ransomware and Windows ransomware are the same. However, because they are often used for different purposes, there is some variation in how the attacks play out.
Vulnerabilities
According to a study by Verizon, 82% of data breaches involved human elements, including errors and misuse. This has long been an issue for Windows systems, where phishing emails and stolen credentials give cyber attackers easy access to data.
Because Linux is less popular as a desktop operating system and many Linux users are technology professionals, ransomware gangs have to look for different points of attack. Rather than relying on emails, they often search for vulnerabilities, such as out-of-date patches, and use them to gain entrance to Linux systems.
Double Extortion
Ransomware attacks on Linux-based systems are often more complex, which means that the criminals behind them might look for bigger payouts. While double extortion schemes exist in the world of Windows, they are especially common in Linux ransomware attacks.
In these scenarios, criminals will threaten not only to keep the data encrypted but also to leak it online. This places additional pressure on businesses that could be permanently damaged by the release of sensitive client, customer, employee or company data.
How Does Linux Ransomware Work?
Linux ransomware works in much the same way as ransomware attacks on other systems, including Windows. Once a cybercriminal identifies a target, they find ways to exploit their vulnerabilities and infect their systems.
Attack Steps
There is no one-size-fits-all description of the ransomware process, but the essential stages are generally the same. During an attack, ransomware typically:
● Infects: Using a vulnerability (like an unpatched system), the ransomware downloads, copies and launches a malicious executable in a local directory.
● Stages: The ransomware moves itself to a new folder and establishes persistence, which lets it run at boot or in recovery mode.
● Scans: Once it has established persistence, the ransomware scans systems to locate and map a set of file extensions and file storage repositories.
● Encrypts: After identifying target files, the ransomware encrypts them, deletes the originals and generates ransom notes.
● Extorts: When the files have been encrypted, the ransomware terminates and deletes itself, the victim discovers the ransom notes, and the operator waits to receive the ransom payment.
When the ransomware encrypts files and makes the ransom demand, the victim is left with no choice but to pay the ransom (which, for the record, is almost never advisable) or restore data from a backup.
Examples of Linux Ransomware
To get a better picture of how Linux ransomware operates, let’s explore three types that have emerged as significant threats since 2020. These ransomware strains are indicative of how a cybercriminal goes about infecting and encrypting a victim’s Linux system.
LockBit
LockBit is one of the most prominent families of Windows ransomware. In October 2021, experts began detecting cases of LockBit Linux-ESXi Locker Version 1.0 on Linux systems. LockBit uses a combination of Advanced Encryption Standard (AES) and elliptic-curve cryptography (ECC) algorithms for data encryption. It has the capability to log:
● Processor information
● Volumes in the system
● Virtual machines for skipping
● Encrypted files and total files
● Encrypted virtual machines and total virtual machines
● Total encrypted size
The LockBit variant contains the commands necessary to take several harmful steps, including suspending virtual machines, checking the status of data storage and disabling autostart. Once the ransomware infection is installed, LockBit demands a ransom and threatens to release data if their demands are not met.
Cheerscrypt
In 2022, cybersecurity experts detected a new ransomware variant known as Cheerscrypt, a derivative of the Babuk malware family that targets ESXi servers. Many enterprises use ESXi, making it a logical target for cyberattacks. Unfortunately, the widespread use of ESXi means that successful attacks could cripple the operations of important services and infrastructure.
Once it has been executed, Cheerscrypt terminates virtual machine processes and then targets files with specific extensions:
● .log
● .vmdk
● .vmem
● .vswp
● .vmsn
Each encrypted file is given a .Cheers extension. As with many other Linux ransomware attacks, Cheerscrypt is a double extortion scheme that demands payment for data restoration and to prevent leaks. For each directory that is encrypted, a ransom note will appear.
AvosLocker
Another form of ransomware that targets ESXi servers is AvosLocker. Although it previously only targeted Windows, in 2022, AvosLocker became capable of encrypting Linux systems as well. Once it is launched, AvosLocker terminates ESXi machines and adds the extension .avoslinux to encrypted files.
Ransom notes generated by AvosLocker warn victims against shutting down their computers and provide a link to receive more information about paying the demanded ransom. According to Bleeping Computer, AvosLocker has issued a $1 million ransom demand to at least one victim.
What are the Most Common Types of Linux Ransomware?
New strains and variants of ransomware are constantly under development, which can make it a challenge for security experts to track and prevent them. Monitoring has revealed several kinds of ransomware that have infected Linux systems in the past several years.
Some types of ransomware are created specifically to target Linux systems. Others have been developed that can jump between Windows and Linux systems. Some of the most common types of Linux ransomware include:
● Mallox ransomware, previously known to breach Windows MS-SQL servers, was updated in 2024 to target Linux devices via a custom Python script.
● RansomEXX, also known as Defrat777, has attacked targets including the Texas Department of Transportation, Tyler Technologies and the Brazilian government.
● Hive’s sophisticated Linux ransomware targets ESXi platforms.
● REvil, which operates as ransomware-as-a-service (RaaS) and has attacked organizations like National Western Life and Erecat, began targeting Linux systems in 2021.
● Mespinoza, also known as PYSA, developed a Linux variant in 2020.
● DarkSide is one of the most threatening types of ransomware and targets both Windows and Linux systems in business, government and finance organizations around the world.
● HelloKitty expanded into Linux ransomware and began attacking VMware ESXi servers and virtual machines in 2021.
● Tycoon ransomware has targeted higher education institutions, software companies and other businesses.
● Erebus is infamous for its 2017 attack against a web hosting company in South Korea and the $1 million Bitcoin payout that the business agreed to pay.
● QNAPCrypt emerged in 2019 and targets network-attached storage Linux devices.
● KillDisk has had the capability to target Linux since 2017 and makes it impossible for the target system to boot.
● SFile or Escal ransomware first emerged in February 2020 as a threat to Windows systems, but it has since been ported to encrypt files on Linux systems.
Although Windows remains the primary focus of many cybercriminals, the trend of expanding into attacks against Linux systems will likely continue and even intensify in the future.
What Linux Devices are Under Attack by Ransomware?
Given the right conditions, ransomware can infect nearly any Linux device. However, some of the most common devices under attack by Linux ransomware are web servers, PCs and network storage devices.
This does not mean that the Linux operating system is inherently vulnerable. Instead, infections are often the result of unpatched vulnerabilities in software running on Linux, misconfigurations or lax security practices.
For example, Linux-based devices, servers and PCs can be infected through email, corrupted websites, misconfigured network settings and known vulnerabilities in applications. A failure to update software or Linux itself can also open the door to exploitation. Weak credentials and user deception via phishing scams and other deceptive tactics are also common entry points of successful ransomware attacks on Linux devices.
Cybersecurity experts have also reported a rise in ransomware attacks targeting Internet-connected devices (also known as IoT or Internet of Things) running on Linux. In late 2023, security firm Kaspersky warned of a sophisticated threat named NKAbuse, which uses the NKN blockchain-based network protocol to hide in Linux and IoT devices. This malware can be leveraged as a “flooder” – to carry out attacks like DDoS – as well as a backdoor to deliver other Linux malware payloads.
So while an infected IoT device may not seem dangerous on the surface, it’s a prime example of how Linux devices can be compromised to cause serious operational disruptions and lay the groundwork for larger ransomware attacks.
Linux Malware: Common Types & Attack Vectors
Ransomware is among the most destructive forms of Linux malware because of the financial havoc that it wreaks. However, it’s not the only kind of attack that threatens Linux-based systems and devices. There are numerous other types of Linux malware, which include most of the same threats that target Windows systems, such as:
● Viruses
● Trojans
● Worms
● Botnets
● Infected web scripts / web shells
● Fileless attacks
Keep in mind that Linux systems are also vulnerable to the wide array of attacks that prey on user error or deception, such as weak passwords, social engineering, brute-force attacks and outdated/unpatched software.
Internet of Things Devices
In addition to servers and cloud services, Linux is also the force that powers many Internet of Things (IoT) devices. The term IoT refers to millions of devices that are connected to the internet, including security systems, motion detectors, refrigerators and cars.
The ubiquitous nature of IoT devices has made them a primary target for Linux malware. Infecting these devices can give cybercriminals the opportunity to access networks, crash systems and use them for distributed denial of service (DDoS) attacks. There was a 77% increase in IoT malware from 2021 to the first half of 2022.
Cryptojacking
Cryptojacking occurs when bad actors take over devices in order to illegally mine for cryptocurrency. The criminals attempt to act in secret, without the device owner realizing that the attack has occurred, which distinguishes this type of crime from others like ransomware. Successful cryptojacking attempts can be extremely profitable.
In the first half of 2022, there were 66.7 million cryptojacking attacks, a 30% increase over the prior year. Much like ransomware, cryptojacking software has become a significant risk to Linux-based systems.
Linux Malware Families
According to a report from CrowdStrike, three Linux malware families have been particularly prominent in recent years:
● XorDDoS
● Mozi
● Mirai
XorDDoS is a Linux trojan that uses SSH brute-forcing attacks to gain control over devices. The number of XorDDoS samples increased by 123% from 2020 to 2021.
Similarly, Mozi, a peer-to-peer botnet network, was 10 times more common in 2021 compared to 2020. It also uses brute-force attacks on SSH ports and prevents its malicious software from being overwritten.
The last major Linux malware player in recent years has been Mirai, which takes advantage of vulnerable protocols and passwords to attack devices. There have been multiple variants of Mirai, including Sora, IZIH9 and Rekai. According to CrowdStrike, the prevalence of Mirai variants increased by up to 83% from 2020 to 2021.
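The SSH brute-forcing that XorDDoS and Mozi rely on leaves a plain trail in the sshd logs. The following is an added example, not code from the original post or from CrowdStrike’s report: it parses OpenSSH "Failed password" lines from a syslog-style auth.log, groups failures by source address and flags any source that exceeds a threshold inside a sliding window. The log lines and addresses are constructed samples; the threshold and window are assumptions to tune for your environment.

```python
"""Flag SSH password brute-forcing from auth.log entries (added example)."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Classic sshd syslog line; the year is absent in this format, so the caller supplies it
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(lines, year=2024):
    """Yield (timestamp, user, ip) for every failed-password line; other lines are skipped."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def brute_force_sources(lines, threshold=5, window_seconds=60):
    """Return {ip: (total_failures, distinct_users)} for every source that reached
    `threshold` failures within any `window_seconds` window."""
    recent = defaultdict(deque)   # ip -> failure timestamps inside the current window
    total = Counter()             # ip -> all failures seen
    users = defaultdict(set)      # ip -> usernames tried (many names = credential spraying)
    flagged = set()
    for ts, user, ip in parse_failures(lines):
        q = recent[ip]
        q.append(ts)
        total[ip] += 1
        users[ip].add(user)
        # Drop timestamps that fell out of the window before testing the threshold
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return {ip: (total[ip], len(users[ip])) for ip in flagged}


# Constructed sample: one spraying source and one legitimate user who typed a password wrong once
SAMPLE_AUTH_LOG = """\
Mar 14 02:11:01 web1 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 41022 ssh2
Mar 14 02:11:03 web1 sshd[2203]: Failed password for invalid user test from 198.51.100.7 port 41024 ssh2
Mar 14 02:11:04 web1 sshd[2205]: Failed password for root from 198.51.100.7 port 41026 ssh2
Mar 14 02:11:06 web1 sshd[2207]: Failed password for invalid user oracle from 198.51.100.7 port 41028 ssh2
Mar 14 02:11:08 web1 sshd[2209]: Failed password for root from 198.51.100.7 port 41030 ssh2
Mar 14 02:11:09 web1 sshd[2211]: Failed password for root from 198.51.100.7 port 41032 ssh2
Mar 14 02:30:15 web1 sshd[2300]: Failed password for alice from 203.0.113.9 port 50211 ssh2
Mar 14 02:30:40 web1 sshd[2302]: Accepted password for alice from 203.0.113.9 port 50212 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, (count, names) in brute_force_sources(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {count} failures across {names} usernames")
```

Sources this flags are candidates for a firewall block or a fail2ban-style jail; disabling password authentication in favour of keys removes the attack surface entirely.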
Servers Targeted with Linux Malware in New Cryptojacking Attack
In March 2024, cybersecurity firm Cado Security warned of a new cryptojacking attack in which misconfigured Linux servers were targeted with Linux malware.
As reported by SecurityWeek, the cryptojacking campaign used new Linux malware payloads to target misconfigured Apache Hadoop, Confluence, Docker and Redis instances. Attackers employed multiple Golang payloads to “automate the discovery and exploitation of vulnerable hosts, as well as a reverse shell and multiple user-mode rootkits to hide their presence.”
More alarmingly, attackers used a command to spawn a new container and created a bind mount for the Linux server’s root directory. This allowed them to write an executable that established a connection to the attackers’ command-and-control servers, through which the payload was delivered. Further shell scripts were deployed to deliver more payloads, delete shell history, disable SELinux and uninstall monitoring agents.
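A container that bind-mounts the host’s root directory is the misconfiguration the attack above turned into full control of the server, and it is visible in the container runtime’s own metadata. The following is an added example, not code from the original post or from Cado Security: it reads the JSON that `docker inspect` prints and reports any bind mount whose host source is `/` or another sensitive host path. The two container records and the sensitive-path list are constructed assumptions.

```python
"""Report containers whose bind mounts expose sensitive host paths (added example)."""
import json
import os
import sys

# Host paths that should not be mounted into a container; extend for your environment
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/var/run/docker.sock")


def is_sensitive(host_path: str) -> bool:
    """True if host_path is, or lies inside, one of SENSITIVE_HOST_PATHS."""
    norm = os.path.normpath(host_path)
    if norm == "/":
        return True
    return any(norm == p or norm.startswith(p + "/")
               for p in SENSITIVE_HOST_PATHS if p != "/")


def parse_bind(bind: str):
    """Split a HostConfig.Binds entry 'host:target[:opts]' into (host, target, readonly)."""
    parts = bind.split(":")
    opts = parts[2].split(",") if len(parts) > 2 else []
    return parts[0], parts[1], "ro" in opts


def risky_mounts(inspect_json: str):
    """Return (container, host_path, target, readonly) for each sensitive bind mount."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "").lstrip("/")
        cfg = c.get("HostConfig") or {}
        # Binds holds the -v strings as given at `docker run` time; named volumes never match
        for bind in cfg.get("Binds") or []:
            host, target, ro = parse_bind(bind)
            if is_sensitive(host):
                findings.append((name, os.path.normpath(host), target, ro))
    return findings


# Constructed sample: an ordinary web container and one that mounts the host root
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web",
     "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]}},
    {"Name": "/dropper",
     "HostConfig": {"Binds": ["/:/mnt:rw"]}},
])

if __name__ == "__main__":
    # Usage on a real host: docker inspect $(docker ps -q) | python3 check_binds.py
    data = SAMPLE_INSPECT if sys.stdin.isatty() else sys.stdin.read()
    for name, host, target, ro in risky_mounts(data):
        mode = "read-only" if ro else "WRITABLE"
        print(f"{name}: host {host} mounted at {target} ({mode})")
```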
It’s not the first time servers were targeted with Linux malware for cryptojacking (Redis itself is a common target for cloud-focused attacks on Linux servers) – and it certainly won’t be the last.
How Can Businesses Protect Themselves from Linux Ransomware Attacks?
There has been a decades-long debate about whether Linux is inherently more secure than Windows. In the case of ransomware, it’s clear that there is no absolute guarantee of security, which means that it is in every organization’s best interest to take the necessary steps to secure and back up essential data.
1. Minimize the Risk of the Human Element
Although phishing is not the most common attack vector for Linux ransomware, it’s nevertheless essential that every member of your business team receives comprehensive cybersecurity training. Make sure employees know how to spot malicious links, enforce strict password requirements and confirm that your IT team is regularly installing updates and patches.
2. Use Effective BDR Solutions
Perhaps the most important step you can take to protect your business from the threat of ransomware is implementing high-quality BDR (backup and disaster recovery) solutions. These tools are designed to head off problems with a smarter backup process and built-in ransomware detection for systems running on Linux, Windows or Mac.
To ensure that you have rock-solid protection, check to see if it includes:
● Ransomware detection: Look for a solution that actively monitors your backups. If a ransomware footprint is detected, it alerts the administrator to restore a clean backup, thus removing the threat, eliminating the need to pay a ransom and preventing costly downtime.
● Hybrid cloud: By storing backups both locally and in the cloud, you maintain quick access to your data and keep it safe from disruptions that occur on-site.
● Instant virtualization: Backups that are image-based, fully bootable virtual machines offer greater protection if your server fails. You can virtualize your protected systems on a backup device or from anywhere via the cloud.
● Faster, more resilient backups: Some ransomware programs scan file dates and select the most recent ones, in part because it’s less likely that the information has been backed up. Solutions with features like Inverse Chain Technology let you schedule backups as frequently as every five minutes. This process also eliminates the most commonly occurring problems in the backup chain, ensuring your files are not compromised.
● Screenshot verification: Screenshots verify that your backups are bootable, so you never have to worry about getting a 3 a.m. wake-up call.
Because ransomware evolves so rapidly, it’s impossible to guarantee that your business will never be susceptible to an attack. However, if you implement BDR solutions with these critical features, you can help mitigate the effects of the attack as much as possible.
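What a "ransomware footprint" in a backup looks like in practice: files that have picked up an extension tied to a known strain, or whose contents have become statistically random because they were encrypted. The following is an added example, not code from the original post or from any BDR product: it walks a snapshot directory, flags files by extension (the .Cheers and .avoslinux extensions named earlier on this page) and by Shannon entropy, and raises an alert when the flagged share crosses a threshold. The extension list, thresholds and the temp-directory snapshot are constructed assumptions.

```python
"""Scan a backup snapshot for ransomware footprints (added example)."""
import math
import os
import tempfile
from collections import Counter

RANSOMWARE_EXTENSIONS = {".cheers", ".avoslinux"}   # from the post; extend with threat intel
ENTROPY_THRESHOLD = 7.5   # bits/byte; text and office documents sit well below this
MIN_SAMPLE = 256          # entropy of a tiny file says nothing, so skip them


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_snapshot(root: str, sample_bytes: int = 4096) -> dict:
    """Count files under root and collect those with a suspicious extension or high entropy."""
    stats = {"total": 0, "bad_ext": 0, "high_entropy": 0, "flagged": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            stats["total"] += 1
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)   # the first few KB are enough to judge randomness
            bad_ext = os.path.splitext(name)[1].lower() in RANSOMWARE_EXTENSIONS
            # Compressed formats (zip, jpeg, ...) are also high-entropy; allow-list them in practice
            hot = len(head) >= MIN_SAMPLE and shannon_entropy(head) >= ENTROPY_THRESHOLD
            stats["bad_ext"] += bad_ext
            stats["high_entropy"] += hot
            if bad_ext or hot:
                stats["flagged"].append(path)
    return stats


def looks_encrypted(stats: dict, max_ratio: float = 0.2) -> bool:
    """Alert when more than max_ratio of the files are flagged; tune per data set."""
    return stats["total"] > 0 and len(stats["flagged"]) / stats["total"] > max_ratio


def build_sample_snapshot() -> str:
    """Constructed snapshot: six clean text reports plus three 'encrypted' copies."""
    root = tempfile.mkdtemp(prefix="snapshot-")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    for i in range(6):
        with open(os.path.join(docs, f"report{i}.txt"), "w") as fh:
            fh.write(("quarterly figures and meeting notes, line %d\n" % i) * 40)
    for i in range(3):
        with open(os.path.join(docs, f"report{i}.txt.Cheers"), "wb") as fh:
            fh.write(os.urandom(2048))   # random bytes stand in for ciphertext
    return root
```

Comparing the flagged share of consecutive snapshots, rather than one snapshot in isolation, is what turns this into the alert a backup monitor raises: a jump from near zero to a third of all files is the signal to stop the chain and restore the last clean image.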
3. Plan Your Response in Advance
In order to maximize the chance that your business will survive a ransomware attack, it’s vital that you plan ahead. There are many steps you can take to prevent and recover from an attack, such as:
● Filtering spam
● Limiting access and privileges
● Regularly patching devices
● Establishing firewalls
● Installing anti-malware and anti-virus software
● Recovering data from a backup (rather than paying a ransom)
When you have a strong recovery plan in place, you can react more logically and strategically if an attack occurs.