Once upon a time, Linux was thought of as the operating system most resistant to ransomware. That reputation stemmed from its relatively low adoption compared to Microsoft Windows, and from the scarcity of Linux-specific development skills within the general IT community.
However, ransomware developers have an uncanny knack for catching up quickly, and they have done so with Linux. The days of Linux being thought of as relatively immune from attack are fading fast, as attacks against the many distributions of the OS increase.
Code Diversity Spells Trouble for Linux Admins
Ransomware developers are using new coding techniques that shorten the turnaround between a security flaw becoming known and a payload that targets it. In turn, Ransomware-as-a-Service (RaaS) providers can deliver that payload to their customers faster, so that actors can exploit the window before patches are applied or, even worse, the false sense of security that some Linux users still feel.
RaaS providers have taken notice and are addressing their shortcomings in the Linux arena. This is bad news for Linux users. Developers are building products for specific distributions, such as Red Hat and Ubuntu, and are offering many of the same benefits that RaaS customers targeting macOS or Windows already have at their fingertips.
For all the diversity of code being written to exploit different versions of Linux, the initial access still relies on the proven social engineering techniques used against other platforms. That makes user education and established security best practices the best initial mitigation against the expansion of ransomware to Linux.
Virtualization Dependencies Adding Fuel to the Fire
The growing dependency on virtualized environments, from both a user and an IoT perspective, has also driven growth in Linux-based ransomware incidents. The same assumption of inherent security comes into play here, together with gaps in public and hybrid cloud configurations, and both pave the way for a higher volume of attacks against Linux-based devices.
Several factors, not all of them unique to Linux, are contributing to the rise in Linux-based ransomware targets. These include:
- Virtual machines (VMs) and/or their supporting stacks not being shut down when not in use
- Expanded use of templates or broad policies, such as Azure Resource Manager templates and Blueprints, which make deployments uniform and therefore easier for an attacker to predict
- Improper use of horizontal and vertical VM scaling
- Incorrectly managed shared responsibility with the cloud provider, for example managing a PaaS environment as if it were IaaS
The system-wide templates offered by cloud providers reproduce every flaw in the original in each virtual device created from them. Because the same flaw is present everywhere, an attacker who finds it once can quickly inject malicious code into many systems for later execution. Making matters worse, data replication across virtual devices can spread the damage widely, up to and including corruption of the underlying hypervisors.
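The flip side of template propagation is that a check applied to the template protects every clone. The following shell script is an added example, not code from the original article or from any cloud provider: it lints a cloud-init user-data template (assumed here as the Linux image template format; the article's Azure Resource Manager and Blueprints are analogous) for directives that every VM built from it would inherit. The file names, the weak and hardened snippets, the function names `audit_template` and `finding_count`, and the set of directives checked are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original article. It lints a cloud-init
# user-data template for settings that every VM built from it would inherit,
# so one weak directive in the template becomes a fleet-wide weakness.
# File names, the weak/hardened snippets, and the directive list below are
# constructed for illustration; extend the list for your own images.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed "before" template: the convenience settings that get copied
# into every clone (password SSH, root enabled, a baked-in plaintext password).
cat > "$WORK/weak-user-data.yaml" <<'EOF'
#cloud-config
disable_root: false
ssh_pwauth: true
users:
  - name: admin
    plain_text_passwd: changeme
    lock_passwd: false
    sudo: ALL=(ALL) NOPASSWD:ALL
EOF

# Constructed "after" template: same user, key-only SSH, no password in the
# image, root disabled, sudo still requires a password. The key is a placeholder.
cat > "$WORK/hardened-user-data.yaml" <<'EOF'
#cloud-config
disable_root: true
ssh_pwauth: false
users:
  - name: admin
    lock_passwd: true
    ssh_authorized_keys:
      - ssh-ed25519 AAAAplaceholderkeynotreal admin@bastion
    sudo: ALL=(ALL) ALL
EOF

# audit_template FILE
# Prints one line per weak directive found. Each check is a "regex|message"
# pair; the regexes match cloud-init's own directive names.
audit_template() {
    tmpl=$1
    while IFS='|' read -r pattern message; do
        if grep -Eq "$pattern" "$tmpl"; then
            echo "$tmpl: $message"
        fi
    done <<'EOF'
^disable_root:[[:space:]]*false|root login left enabled
^ssh_pwauth:[[:space:]]*true|SSH password authentication enabled
plain_text_passwd:|plaintext password baked into the image
lock_passwd:[[:space:]]*false|password login left unlocked for a user
NOPASSWD:ALL|passwordless sudo granted
EOF
    return 0
}

# finding_count FILE
# Number of findings; 0 means the template is clean for the checked directives.
finding_count() {
    audit_template "$1" | wc -l | tr -d ' '
}

# Run the lint on both templates before any image is built from them.
for t in "$WORK/weak-user-data.yaml" "$WORK/hardened-user-data.yaml"; do
    echo "== $t: $(finding_count "$t") finding(s)"
    audit_template "$t"
done
```

Run it as a pre-build gate: a non-zero `finding_count` on a template should block image creation, since fixing the template once is far cheaper than remediating every VM that was cloned from it.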
It’s safe to say that Linux administrators must now remain just as vigilant as their macOS and Windows colleagues. Although ransomware attackers may have taken the Linux world by surprise, the same core best practices still apply to head off a would-be attack and keep Linux-based systems running with limited risk of compromise.