
Linux Ransomware Gangs Wasting No Time in 2022


The volume of malware targeting Linux devices grew 35% over the course of 2021. Some malware families stood out among the rest. For instance, XorDDoS, Mirai, and Mozi accounted for 22% of attacks against Linux systems, reported Bleeping Computer. That's not surprising, given that there were 10 times as many Mozi samples circulating in 2021 as in the previous year. Similarly, XorDDoS increased 123% between 2020 and 2021.

These findings are part of a larger trend. An Intezer report found that Linux malware families grew by 40% in 2020 over the previous year. Bleeping Computer also noted that there have already been some Linux malware attacks in 2022, which indicates that the growth of these threats could continue over the next 12 months.

Let’s examine a few of those cases with respect to Linux ransomware.

SFile (Escal)

First detected in February 2020, the initial versions of SFile (Escal) ransomware targeted just Windows systems. Malicious actors used the ransomware to target corporate and government networks over the months that followed, leveraging SFile to encrypt their victims’ files and to drop a ransom note on their affected machines.

Things changed in late 2021. As reported by The Record, that’s when security researchers spotted a Linux variant of SFile. The malware arrived with some changes over its Windows counterpart. These improvements included the ability to encrypt files according to a time range.


AvosLocker

In early January 2021, Bleeping Computer wrote that those responsible for the AvosLocker ransomware operation had added support for encrypting Linux machines. The ransomware terminated all ESXi virtual machines (VMs) upon successful infection, a tactic which reflects many organizations’ shift to VMs in the past few years. It then appended the .avoslinux extension to all encrypted files and dropped a ransom file containing payment instructions.

Bleeping Computer couldn’t find any targets of the AvosLocker Linux variant, but noted that it was aware of at least one victim that received a $1 million demand from the ransomware operation.

Ransomware Rewritten in Go for Windows and Linux Attacks

According to ITPro, researchers witnessed attackers using a new variant of the TellYouThePass ransomware as a second-stage payload after exploiting the Log4Shell vulnerability. The authors originally used Java and .NET to create the ransomware before it began circulating in the wild. This newer version is written in Golang, which enables attackers to target users on both Windows and Linux machines.

Once they deployed their payload, the attackers issued a ransom demand of 0.05 bitcoin in return for a decryption tool. That ransom amount was worth $2,087.61 at the time of this writing.

How to Defend Against Ransomware Targeting Linux Machines

The attacks described above highlight the need for organizations to defend against ransomware actors targeting their Linux machines. They can do this using the following best practices:

  • Use a robust data backup strategy that keeps at least three different copies of their data across two different media, with one copy stored offsite (also known as the “3-2-1 Rule”).
  • Apply the principle of “least privilege” to restrict access for user accounts. Organizations can use this security measure to limit what malicious actors can do with a compromised account.
  • Keep endpoints and devices up to date. Ransomware actors are known for using exploit kits to prey on organizations that haven’t applied security updates to their hardware and software.
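
The 3-2-1 Rule above can be checked mechanically against a backup inventory. The following is an added example, not code from the original article; the record fields (`dataset`, `copy_id`, `media`, `offsite`) and the sample inventory are constructed for illustration, and it assumes the production copy is listed as one of the copies.

```python
from collections import defaultdict

# Constructed sample inventory (not real data): one record per stored copy.
# Field names are assumptions made for this example.
INVENTORY = [
    {"dataset": "finance-db", "copy_id": "prod", "media": "disk", "offsite": False},
    {"dataset": "finance-db", "copy_id": "nas-01", "media": "disk", "offsite": False},
    {"dataset": "finance-db", "copy_id": "tape-7", "media": "tape", "offsite": True},
    {"dataset": "web-assets", "copy_id": "prod", "media": "disk", "offsite": False},
    {"dataset": "web-assets", "copy_id": "nas-01", "media": "disk", "offsite": False},
    # Same copy recorded twice: must not be counted as a third copy.
    {"dataset": "web-assets", "copy_id": "nas-01", "media": "disk", "offsite": False},
    {"dataset": "hr-share", "copy_id": "prod", "media": "disk", "offsite": False},
    {"dataset": "hr-share", "copy_id": "cloud-a", "media": "object-storage", "offsite": True},
]


def audit_321(inventory, min_copies=3, min_media=2, min_offsite=1):
    """Return {dataset: [violations]}; an empty list means 3-2-1 is met."""
    copies = defaultdict(dict)
    for rec in inventory:
        # Key on copy_id so a duplicated record does not inflate the count.
        copies[rec["dataset"]][rec["copy_id"]] = rec
    report = {}
    for dataset, by_id in sorted(copies.items()):
        recs = list(by_id.values())
        media = {r["media"] for r in recs}
        offsite = sum(1 for r in recs if r["offsite"])
        problems = []
        if len(recs) < min_copies:
            problems.append(f"{len(recs)} copies, need {min_copies}")
        if len(media) < min_media:
            problems.append(f"{len(media)} media type(s), need {min_media}")
        if offsite < min_offsite:
            problems.append(f"{offsite} offsite copies, need {min_offsite}")
        report[dataset] = problems
    return report


if __name__ == "__main__":
    for dataset, problems in audit_321(INVENTORY).items():
        status = "OK" if not problems else "FAIL: " + "; ".join(problems)
        print(dataset, "->", status)
```

A dataset with two media types and an offsite copy still fails if it has only two copies in total, which is the case `hr-share` illustrates.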
