The volume of malware targeting Linux devices grew 35% over the course of 2021. Some malware families stood out among the rest. For instance, XorDDoS, Mirai, and Mozi together accounted for 22% of attacks against Linux systems, reported Bleeping Computer. That’s not surprising, given that there were 10 times as many Mozi samples in circulation in 2021 as in the previous year. Similarly, XorDDoS activity increased 123% between 2020 and 2021.
These findings are part of a larger trend. An Intezer report found that Linux malware families grew by 40% in 2020 over the previous year. Bleeping Computer also noted that there have already been some Linux malware attacks in 2022, which indicates that the growth of these threats could continue over the next 12 months.
Let’s examine a few of those cases with respect to Linux ransomware.
First detected in February 2020, the initial versions of SFile (Escal) ransomware targeted just Windows systems. Malicious actors used the ransomware to target corporate and government networks over the months that followed, leveraging SFile to encrypt their victims’ files and to drop a ransom note on their affected machines.
Things changed in late 2021. As reported by The Record, that’s when security researchers spotted a Linux variant of SFile. The malware arrived with some changes over its Windows counterpart. These improvements included the ability to encrypt files according to a time range.
In early January 2021, Bleeping Computer wrote that those responsible for the AvosLocker ransomware operation had added support for encrypting Linux machines. Upon successful infection, the ransomware terminated all ESXi virtual machines (VMs), a tactic that reflects many organizations’ shift to VMs in the past few years. It then appended the .avoslinux extension to all encrypted files and dropped a ransom note containing payment instructions.
Bleeping Computer couldn’t find any targets of the AvosLocker Linux variant, but noted that it was aware of at least one victim that received a $1 million demand from the ransomware operation.
According to ITPro, researchers witnessed malicious attackers using a new variant of the TellYouThePass ransomware as a second-stage attack after exploiting the Log4Shell vulnerability. Earlier versions of the ransomware that circulated in the wild were written in Java and .NET. This newer version, however, was written in Golang, enabling digital attackers to target both Windows and Linux machines.
Once they deployed their payload, the attackers issued a ransom demand of 0.05 bitcoin in return for a decryption tool. That ransom amount was worth $2,087.61 at the time of this writing.
The attacks described above highlight the need for organizations to defend against ransomware actors targeting their Linux machines. They can do this using the following best practices: