Linux Ransomware Threats: How Attackers Target Linux Systems
Ransomware has evolved to target Linux systems. Learn about methods for infection and how to protect your IT environments from attacks.
Ransomware is one of the most prolific and dangerous cybersecurity threats facing computer users worldwide. Modern ransomware operators target a variety of platforms, including Linux. Organizations rely heavily on Linux for critical infrastructure, such as cloud environments and servers, making them attractive targets for ransomware operators and other Advanced Persistent Threat (APT) groups.
“Double extortion” is a tactic commonly employed by ransomware operators. In addition to encrypting an organization’s files and demanding a ransom for the decryption key, attackers exfiltrate sensitive data. If the organization fails to pay the ransom, the attackers threaten to release the stolen data publicly or sell it. Such data leaks can be devastating, as the exposure of sensitive information can lead to a catastrophic loss of trust with consumers, who may choose to take their business elsewhere.
This article will examine the growing trend of attackers targeting Linux systems and explain how to protect your systems against these threats.
The Evolution of Ransomware and Its Impact on Linux Systems
Ransomware is malware that encrypts a victim’s data and demands payment for the decryption key. Victims usually receive a dark web link, accessed through The Onion Router (TOR), to ensure the attackers’ anonymity. The link contains instructions on how to make a cryptocurrency payment to meet the ransom demand.
Linux was once considered a less likely target for ransomware, but this perception has changed drastically. Linux now powers many of the world’s servers, data centers, and cloud environments, making it increasingly vulnerable to malware operators seeking large ransom payouts from organizations.
Examples of Ransomware Campaigns Targeting Linux Systems
Let’s review a few of the most recent ransomware types targeting Linux systems:
DarkRadiation
DarkRadiation is a ransomware variant that targets Red Hat and Debian-based Linux distributions. Discovered in 2021, DarkRadiation is notable for using Bash scripts to execute malicious commands. It spreads through networks by leveraging Secure Shell (SSH), exploiting systems with weak credentials and unpatched vulnerabilities.
DarkRadiation uses obfuscation techniques such as base64 encoding and encryption via OpenSSL to evade detection. Once executed, the malware encrypts the victims’ files using the AES-256-CBC algorithm and appends the “.encrypted” extension to the affected files. The victim then receives a ransom note.
RansomEXX
RansomEXX is a well-known ransomware variant that has expanded to target Linux systems. Over time, it has played a role in numerous high-profile attacks on government entities, the healthcare sector, and other enterprises. RansomEXX is written in C/C++ and then compiled for Linux.
Initial access methods often include phishing or spear-phishing, exploiting vulnerabilities in remote desktop protocols, or using stolen credentials. Once inside the network, the ransomware operators escalate privileges and move laterally, eventually deploying the ransomware payload to encrypt the victim’s filesystem.
RansomEXX uses the RSA-4096 and AES-256 algorithms for encryption, which makes decryption impossible without the private key. Advanced threat actors typically deploy RansomEXX in targeted attacks involving extensive reconnaissance and the exfiltration of sensitive data. The attacks commonly employ double extortion tactics.
Figure 1. The locker.cpp file from the leaked Conti Locker source code. The Gist and the original repository are courtesy of gharty03 on GitHub.
Methods of Infection and Common Attack Vectors
Ransomware operators use various methods across different attack vectors to gain initial access to targeted systems:
Phishing and social engineering
Phishing and spear-phishing are common tactics for gaining initial access to systems. Attackers use social engineering to trick targeted individuals into clicking on malicious links or opening documents containing harmful code, which installs additional malware on the system. Once the ransomware executes, it encrypts the victim’s files and demands a ransom.
Figures 2-4. The screenshots below show cleverly crafted phishing pages designed to capture user credentials. Note the URLs, which show that these are phishing pages, not LinkedIn.
Exploiting vulnerabilities
Exploiting unpatched or unknown (zero-day) vulnerabilities is another method to breach a system or network. These exploits can range from remote code execution (RCE) vulnerabilities to flaws in the Linux kernel. After gaining access, attackers deploy and execute ransomware to encrypt the filesystem.
Weak or compromised credentials
Attackers also exploit weak passwords and poor credential management to gain access to systems. Usernames and passwords not changed from default settings are particularly vulnerable. For example, the Cyberav3ngers APT group recently exploited default settings on Programmable Logic Controllers (PLCs) manufactured by Unitronics Vision to access devices used in industrial applications, such as water supply systems worldwide.
Supply chain attacks
Attackers may compromise a third-party vendor to gain access to target systems. One of the most well-known supply chain attacks was the SolarWinds breach, which compromised multiple U.S. government agencies. By targeting software packages, libraries, and software repositories used in Linux systems, attackers can acquire access to an environment without directly targeting the system itself.
Malicious scripts and executables
Malicious scripts are often delivered through compromised or malicious websites and email attachments. The scripts, commonly written in Bash, Python, and PowerShell, can download and execute ransomware payloads. A typical example is a script that uses the PowerShell Invoke-Expression (IEX) cmdlet to run malware fetched from a malicious domain. Such a script pairs IEX with a Component Object Model (COM) object or a .NET web object that downloads the payload, which IEX then executes on the system. The user needs only to open or execute a document or link containing the embedded PowerShell code.
Figure 5. This example shows the combination of the Invoke-Expression cmdlet in PowerShell with a .NET web object to download and execute a payload from a malicious domain. Here is the GitHub Gist.
Best Practices for Ransomware Prevention and Response
Here are several best practices to prevent and mitigate ransomware attacks:
Regular backups, data recovery, and business continuity planning (BCP)
Implement strict backup procedures and store backups in a secure and isolated environment to ensure a quick recovery from an attack. These measures are often part of a Business Continuity Plan (BCP) designed to enable swift recovery from incidents that disrupt access to data. However, BCPs and backups do not protect against double extortion, where data might still get leaked even after restoring access.
Patch management and vulnerability scanning
Systems should be continuously updated and patched to address vulnerabilities. Organizations should conduct regular vulnerability scans and promptly remediate any identified vulnerabilities. Automated patch management tools can streamline and enhance the efficiency of this process.
Strong authentication and access controls
Implementing authentication mechanisms, including multi-factor authentication (MFA), is critical for preventing unauthorized access. Organizations should require unique and complex passwords and regularly audit user privileges to ensure that only authorized individuals can access critical systems and data. Organizations should configure SSH with key pairs for remote access to Linux systems.
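The SSH recommendation above can be checked rather than assumed. The following is an added example, not code from the original article: a small POSIX shell audit that reads an sshd_config, resolves the effective value of each keyword the way sshd does (first occurrence wins, comments ignored), and reports the settings that password-guessing attacks depend on. Both configuration texts are constructed samples; the function names (effective_value, audit_sshd, count_findings) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): audit an sshd_config for the
# settings that weak-credential attacks over SSH rely on, and show the same
# file with those settings corrected. Both configs below are constructed.

# Constructed sample: password logins and direct root login still permitted.
WEAK_CONFIG='# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
'

# Constructed sample: key pairs only, root may not log in with a password.
HARDENED_CONFIG='# sshd_config (constructed sample)
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication no
AuthenticationMethods publickey
'

# effective_value CONFIG_TEXT KEYWORD
# Prints the effective value of KEYWORD. sshd honours the first occurrence of
# a keyword and ignores later duplicates; keywords are case-insensitive and
# comment/blank lines are skipped. (Match blocks are not evaluated here.)
effective_value() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { k = tolower($1); if (k == key) { print $2; exit } }'
}

# audit_sshd CONFIG_TEXT
# Prints one FINDING line per weak setting; prints nothing when clean.
audit_sshd() {
    config="$1"

    # Password authentication is what credential stuffing needs. OpenSSH
    # defaults to "yes" when the keyword is absent, so "unset" is also weak.
    v=$(effective_value "$config" PasswordAuthentication)
    if [ -z "$v" ] || [ "$v" = "yes" ]; then
        echo "FINDING: PasswordAuthentication is '${v:-unset}' (OpenSSH defaults to yes); set it to 'no' and use key pairs"
    fi

    # Direct root login with a password combines the most-guessed account
    # with the weakest factor. Modern OpenSSH defaults to prohibit-password,
    # so only an explicit "yes" is flagged.
    v=$(effective_value "$config" PermitRootLogin)
    if [ "$v" = "yes" ]; then
        echo "FINDING: PermitRootLogin is 'yes'; set it to 'no' or 'prohibit-password'"
    fi

    # Key-based login must remain possible once passwords are disabled.
    v=$(effective_value "$config" PubkeyAuthentication)
    if [ "$v" = "no" ]; then
        echo "FINDING: PubkeyAuthentication is 'no'; key-based login is not possible"
    fi
}

# count_findings CONFIG_TEXT - number of FINDING lines for a config.
count_findings() {
    audit_sshd "$1" | awk 'END { print NR }'
}

# Stand-alone run: audit both constructed samples.
echo "== weak sample: $(count_findings "$WEAK_CONFIG") finding(s) =="
audit_sshd "$WEAK_CONFIG"
echo "== hardened sample: $(count_findings "$HARDENED_CONFIG") finding(s) =="
audit_sshd "$HARDENED_CONFIG"
```

To audit a live host, pass the file contents instead of a sample, for example audit_sshd "$(cat /etc/ssh/sshd_config)"; on OpenSSH 9.x and later, sshd -T prints the fully resolved configuration (including Match blocks) and can be fed to the same function.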
Network segmentation and firewalls
Segmenting networks can limit the spread of malware in the event of an infection. Organizations should use firewalls and intrusion detection/prevention systems (IDS/IPS) to monitor and control communication between network segments. Additionally, organizations can implement privileged access workstations (PAWs) to separate systems into categories such as Administrative, Data (servers), and Workstations. A PAW ensures that administrative tasks requiring elevated privileges are performed only on isolated machines.
Application whitelisting and execution control
Application whitelisting (or allowlisting) allows only pre-approved and trusted applications to run on a system. It prevents the execution of unauthorized or malicious software, including ransomware. Organizations can combine application whitelisting with execution control mechanisms like SELinux or AppArmor to enforce security policies and restrict what processes can do.
Things to know about application whitelisting and execution control:
Security Control: Proactively mitigate the risk of ransomware execution.
Implementation: Tools like AppArmor, SELinux, and fs-verity can enforce application whitelisting in Linux environments.
Flexibility: Whitelists can be customized according to the needs of administrators and the system.
Challenges: Not without its challenges, application whitelisting requires regular maintenance to keep the list updated.
Security awareness training
Employees should receive regular training on the dangers of phishing and social engineering. Security awareness training helps users recognize and avoid potential threats, reducing the likelihood of successful attacks. Organizations should encourage users to report potential phishing and spam. Additionally, organizations should establish clear procedures for responding to security incidents.
Incident response planning
Incident response plans should cover people, processes, and technology. The U.S. National Institute of Standards and Technology (NIST) publishes the Computer Security Incident Handling Guide (SP 800-61), which is a good starting point. Best practices include creating playbooks that detail roles, responsibilities, and steps to take during a breach. Organizations should conduct tabletop exercises and drills to test the incident response plan and prepare team members for real-life incidents.
Monitoring and threat intelligence
Implement continuous monitoring and proactive threat hunting using a Security Information and Event Management (SIEM) tool. Security personnel can collect and analyze logs to detect anomalous activity. Set up alerts, analytics rules for known indicators of compromise, and automated responses. Use playbooks for consistent incident handling. Ensure your SIEM system uses threat intelligence to stay ahead of attackers.
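A concrete instance of the analytics rules described above, tied to the SSH password-guessing access method discussed earlier in this article: the following is an added example, not code from the original article, that runs a brute-force detection over sshd log lines with awk, the same logic a SIEM rule would express in its query language. It raises a BRUTEFORCE finding when a source reaches a failure threshold and a higher-severity COMPROMISED finding when a password login is then accepted from that same source. The log lines, hostnames and addresses (RFC 5737 documentation ranges) are constructed, and the function names (detect_ssh_bruteforce, count_findings) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): detect SSH password guessing
# and a subsequent successful login from the guessing source, over constructed
# sshd log lines in the syslog format written to /var/log/auth.log.

# Constructed sample log. 203.0.113.45 guesses five passwords and then logs
# in as "deploy"; 198.51.100.7 is a legitimate user with one typo.
SAMPLE_LOG='Mar 10 02:14:01 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 10 02:14:03 web01 sshd[2231]: Failed password for root from 203.0.113.45 port 51030 ssh2
Mar 10 02:14:05 web01 sshd[2233]: Failed password for root from 203.0.113.45 port 51041 ssh2
Mar 10 02:14:07 web01 sshd[2235]: Failed password for invalid user oracle from 203.0.113.45 port 51055 ssh2
Mar 10 02:14:09 web01 sshd[2237]: Failed password for deploy from 203.0.113.45 port 51070 ssh2
Mar 10 02:14:20 web01 sshd[2240]: Accepted password for deploy from 203.0.113.45 port 51110 ssh2
Mar 10 02:15:00 web01 sshd[2250]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Mar 10 02:16:00 web01 sshd[2260]: Failed password for bob from 198.51.100.7 port 40100 ssh2
Mar 10 02:16:30 web01 sshd[2262]: Accepted password for bob from 198.51.100.7 port 40102 ssh2'

# detect_ssh_bruteforce THRESHOLD
# Reads sshd log lines on stdin and emits one line per finding:
#   BRUTEFORCE <ip> <failures>         failures from <ip> reached THRESHOLD
#   COMPROMISED <ip> <user> <failures> password login accepted from a source
#                                      already at or above THRESHOLD
detect_ssh_bruteforce() {
    awk -v threshold="$1" '
        # Source address: the token after the word "from".
        function src_ip(    i) {
            for (i = 1; i <= NF; i++) if ($i == "from") return $(i + 1)
            return ""
        }
        # User name: the token after "for", or after "invalid user" when
        # sshd reports an account that does not exist.
        function user(    i) {
            for (i = 1; i <= NF; i++)
                if ($i == "for") return ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
            return ""
        }
        # Count failures per source; alert once, when the threshold is hit.
        /sshd\[[0-9]+\]: Failed password for/ {
            ip = src_ip(); fails[ip]++
            if (fails[ip] == threshold) print "BRUTEFORCE", ip, fails[ip]
            next
        }
        # A password success from a source that was guessing is the
        # highest-priority signal: the guess worked.
        /sshd\[[0-9]+\]: Accepted password for/ {
            ip = src_ip()
            if (fails[ip] >= threshold) print "COMPROMISED", ip, user(), fails[ip]
            next
        }
    '
}

# count_findings THRESHOLD - number of finding lines for the sample log.
count_findings() {
    printf '%s\n' "$SAMPLE_LOG" | detect_ssh_bruteforce "$1" | awk 'END { print NR }'
}

# Stand-alone run against the constructed sample with a threshold of five.
printf '%s\n' "$SAMPLE_LOG" | detect_ssh_bruteforce 5
```

Key-based logins are deliberately excluded from the COMPROMISED rule, since they cannot be guessed; on a host where PasswordAuthentication is disabled, any "Accepted password" line is itself anomalous. For a live host, replace the sample with the real file (detect_ssh_bruteforce 5 < /var/log/auth.log) or the equivalent journalctl -u ssh output.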
Final Takeaway
Continuous monitoring of your Linux systems is essential for detecting malicious activity and ransomware. A SIEM tool is the best way to achieve this, as it allows for real-time log collection and analysis, alert setup, automated responses, and threat hunting using a query language. Your SIEM system should also integrate with threat intelligence sources to stay updated on the latest tactics of threat actors and ransomware operators.
Additional Resources and Links
Privileged Access Workstations: https://uit.stanford.edu/service/paw
NIST Incident Response Guidelines: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf
Disclaimer
This article references open-source code repositories and Gists available on GitHub. Please note the following disclaimer by the author:
The code provided is helpful for red teaming and security operations.
Disclaimer: Any actions you take using this code are entirely your responsibility.
This code is intended for use by security professionals involved in professional red-team engagements and security research.
The code is free and open source.