Linux Ransomware

Rob (Administrator, Staff member; joined Oct 27, 2011)
A few people have asked me over the past week whether or not Linux is susceptible to ransomware attacks. While the answer is fairly straightforward, let's go over a couple of things here first.

First, the whole idea of ransomware is to go after a large group of users / machines to get the biggest payday. Right now, that large group is users running end-of-life or out of date Windows machines. They're also a good target because a large percentage of them are not making timely backups of their files, which means they're very likely to pay a minimal bounty of (US)$300-600 to get their only copy of their data back.

How does ransomware work?

Common ransomware (like the infamous WannaCry variant that ran rampant last week) infects the system like a virus. It then encrypts data on the machine and alerts the user that they need to pay a ransom, usually in Bitcoin, in order to get a key to decrypt their files. If they don't pay, then they can't use their system anymore unless they wipe and reinstall... losing all of their data in the process.

Again, these ransomware authors are looking for the biggest payday, so they'll write software for what they believe is the biggest market. That's currently Windows software.

So, no ransomware for Linux then?

Well, there has been some out there, probably the most well known being Linux.Encoder.1 (see Wikipedia article here). The original version of the software would target an exploit in Magento software, then get in and encrypt files on the web server. Other more recent versions/variants use either vulnerabilities in web software or brute force ssh logins to gain access to the server in order to encrypt data. They'll target things like the user's home directory as well as anything with the word backup in it.

Thing is, most webmasters / server admins have backups of the data so it just ends up being a big pain in the ass to restore the data, but nothing that's going to cripple the business.

So, I'm safe on my desktop then?

If you're running a Linux desktop on a private network, keep it updated and don't stick random flash drives into it; I wouldn't worry at all about ransomware. I certainly don't.

You're 100x safer running Linux than you would be running any Windows variant IMO. Well, at least until Linux overtakes Windows on the desktop ;)
 
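Of the two server-side entry routes the post describes, brute-forced SSH logins are the one that leaves the clearest trail in the logs, so a quick check for them is worth having. The script below is an added example, not code from the original post or from this forum: it scans sshd "Failed password" lines and flags any source address that produces a burst of failures inside a short window. The log lines, hostname, addresses, user names and the threshold and window values are all constructed for the example.

```python
"""Flag SSH password-guessing bursts in sshd log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Standard sshd failure line: "<syslog ts> <host> sshd[<pid>]: Failed password
# for [invalid user] <user> from <ip> port <n> ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample: one address hammering several accounts, one legitimate
# user who mistypes a password once and then logs in with a key.
SAMPLE_LOG = """\
May 18 03:14:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
May 18 03:14:03 web01 sshd[2213]: Failed password for invalid user oracle from 203.0.113.9 port 51030 ssh2
May 18 03:14:05 web01 sshd[2215]: Failed password for root from 203.0.113.9 port 51041 ssh2
May 18 03:14:06 web01 sshd[2217]: Failed password for root from 203.0.113.9 port 51042 ssh2
May 18 03:14:08 web01 sshd[2219]: Failed password for root from 203.0.113.9 port 51043 ssh2
May 18 03:20:40 web01 sshd[2301]: Failed password for rob from 198.51.100.4 port 40100 ssh2
May 18 03:20:52 web01 sshd[2303]: Accepted publickey for rob from 198.51.100.4 port 40101 ssh2
"""


def parse_failures(lines):
    """Return (timestamp, ip, user) for every failed-password line."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line.rstrip("\n"))
        if not m:
            continue
        # Syslog lines carry no year; pin a leap year so a Feb 29 line parses.
        ts = datetime.strptime("2000 " + m.group("ts"), "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("ip"), m.group("user")))
    return events


def find_bruteforce(lines, threshold=5, window_seconds=60):
    """Map each source IP whose failures reach `threshold` within any
    `window_seconds` span to a summary of the densest such span."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(lines):
        by_ip[ip].append((ts, user))

    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        best, best_span, start = 0, (0, 0), 0
        # Sliding window: advance `start` until the span fits in the window.
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count > best:
                best, best_span = count, (start, end)
        if best >= threshold:
            lo, hi = best_span
            hits[ip] = {
                "failures": best,
                "users": sorted({u for _, u in events[lo:hi + 1]}),
                "first": events[lo][0].strftime("%H:%M:%S"),
                "last": events[hi][0].strftime("%H:%M:%S"),
            }
    return hits


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['failures']} failures {info['first']}-{info['last']}, "
              f"accounts tried: {', '.join(info['users'])}")
```

On a real box you would feed it `/var/log/auth.log` (or the output of `journalctl -u ssh`) instead of the sample, and the single mistyped password from 198.51.100.4 stays below the threshold while the burst from 203.0.113.9 is reported. The sliding window is what separates a careless user from a guessing loop: it is the density of failures, not their mere presence, that matters.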


Well hello there, good sir..... :3 Gee, it's not even 6:00 A.M. here right now..... :3 Anywho, thank you for this informative Post..... :3 But, I wonder how far the "Market Share" thing goes..... :) Now, I'm just an ALRIGHT Programmer, but if I were to target an O.S. like Windows, it wouldn't be JUST because of its Market Share, but also because of how EASY it can be to infect it..... :) I study C#, among other Languages, and I looked up Privilege Escalation in Windows, and, so far as I know, it's still possible to write up a short C# Program, Compile it, and boom!..... :3 Now again, I'm sure you know more than I do, as you're a Web Developer as WELL as a Programmer, but I wonder if some people don't target Linux as often, because of its better design..... :) The same can be said of the BSDs, ESPECIALLY OpenBSD, which is Security-focused to a point where people use it as a Firewall..... :) I've got some stories of trying to Multi Boot with OpenBSD, yes I DO..... :3 Also the end of your Post about the Linux Desktop.....? I see what you did there....... :D Have a good day, ok.....? :3
 
Also, there's this, so others can see what running WannaCry in WINE can do..... :3

 
If you're running a Linux desktop on a private network, keep it updated and don't stick random flash drives into it; I wouldn't worry at all about ransomware. I certainly don't.

About desktop computers and smartphones, don't forget JavaScript ransomware. Since its first occurrence in early 2016, I have sandboxed my Firefox with AppArmor.

Ref: "Ransom32 is the first Ransomware written in JavaScript", Lawrence Abrams, January 3, 2016, bleepingcomputer.com
 

