Though Windows has by far been the most popular target, ransomware is steadily on the rise while spreading to additional platforms.
Likelihood of Attack by OS
A recent Statista study shows that while 91% of attacks still target Windows, 7% now target Apple’s MacOS X. Mobile devices are no longer safe either, with 7% targeting Android and 4% iOS devices. The study omitted Linux, but even it hasn’t escaped attackers’ sights. As I’ve written previously, most of the world’s web servers run Linux, making it a highly profitable target.
Let’s take a quick look at what the landscape looks like beyond Windows.
MacOS
Apple users may have enjoyed relative safety off the ransomware radar, but those days are fleeting.
KeRanger emerged in 2016 and is usually delivered via spam attachments. Once it has infected a machine, it bides its time for three days, then locks away the victim’s files with 2048-bit RSA encryption.
MacRansom soon followed. Offered as a Ransomware-as-a-Service (RaaS), it’s been targeting Mac users since 2017 and has yet to lose steam. The attacker is hired to build and execute the ransomware, which searches for and encrypts the victim’s personal data, then demands a ransom in bitcoin.
The following year, Mac ransomware attacks spiked 60% and several other variants have followed. Though the Apple landscape seems to be mostly about older variants, it’s only a matter of time before new ones join the fray, especially given the rising popularity of RaaS.
Mobile Ransomware
Attackers have found a way around Apple’s tight security by manipulating the Find My iPhone service, turning it against Apple owners by locking them out of their devices. This requires the attacker to steal the victim’s iCloud password (for which methods are plentiful), which they then use to remotely lock the device. The victim is met with a lockscreen ransom message.
Android ransomware is becoming particularly sophisticated. MalLocker.B and its variants, typically deployed via social engineering, twist the “incoming call” notification to lock the device’s screen until a ransom is paid. If the user tries to swap to another app, it will simply push the message back into the foreground. It even leverages machine learning to ensure it fills the entire screen, regardless of the size of the device it has infected.
Linux
Linux attacks forgo the usual phishing methods. Linux users are typically technology professionals with an eye for deception, so ransomware instead exploits known OS vulnerabilities.
A new target surfaced as of this writing: VMware images. Instead of infecting a specific endpoint, ransomware buries itself within a Linux host image. Every time that image is spun up, the infection spreads. Considering how often images are deployed in cloud environments, it’s clear that the damage can be exponential.
Worse yet, Linux attacks often do not simply encrypt files; rather, a “double extortion” attack threatens to both encrypt and leak data to the public.
Opening Pandora’s Box
Encrypting files for ransom was only the beginning. The sheer creativity with which attackers target non-Windows operating systems yields especially severe results. MacOS attacks are on the rise while iOS and Android ransomware are bricking mobile devices. Linux ransomware threatens the very infrastructure of the web, promising to open a Pandora’s box of private data leaks.
Operating System | Most Common Deployment | Common Level of Damage |
Windows | All varieties | All varieties |
MacOS | Social engineering | Encrypted personal data |
Mobile (iOS & Android) | Stolen credentials & social engineering | Locked out of device |
Linux | Vulnerability exploits | Double extortion |