Ransomware: What Are Linux Users Up Against?

Attackers have increased their attacks against Linux-based devices over the past year, taking advantage of several key factors. From general complacency to the hyperconnectivity of the public cloud or Internet of Things (IoT) devices, it has become easier to initiate an attack against Linux infrastructures. That’s why it’s crucial for Linux administrators and users to understand the characteristics of the most common Linux attack vectors.

Attacks Take Advantage of Hyperconnectivity

With the number of IoT devices using Linux now hitting the 40% mark, the advantages of Linux isolation are eroding rapidly. These devices include everyday items, such as ATMs, pin pads, and smart appliances. And as the consumer demand and availability expectations for these devices continue to grow, so will the necessity for improved hyperconnectivity.

Brute force attacks are the most prevalent mode of engagement used against these hyperconnected devices. The type of brute force attack used against Linux-based devices spans the same range as those targeting Windows devices, from simple or dictionary attacks to rainbow table or credential stuffing attacks.

3 Major Linux Ransomware Players

There are three key ransomware families in the Linux world that all Linux administrators and users should become familiar with. These are:

• Mirai. Its source code first became available in 2016, and it now has multiple variants in the wild. It’s a Linux-based trojan that infiltrates via Telnet and Secure Shell (SSH) to deliver brute-force attacks.
• Mozi. It attacks Linux systems in the same way as Mirai, except it will then block Telnet and SSH ports to prevent other attacks from interfering with the peer-to-peer botnet network it creates. This botnet works by using a system’s distributed hash table (DHT) to hide communications from admins and security tools.
• XorDDoS. This attack has seen a meteoric rise of more than 250% percent in the past six months. The XorDDoS family creates its own variants to target ARM, x86, and x64 Linux architectures. In doing so, XorDDoS increases its chances of successful execution within a targeted system.

Fileless Attacks Are an Emerging Trend

An open-source tool called Ezuri is making steady progress as an attack vector of choice. Written in Golang, Ezuri encrypts ransomware code that is then executed directly from system memory. This leaves no trace behind for post-incident analysis, and is difficult to detect by current security software. One hacker group, TeamTNT, is well known for using this attack tool to go after improperly configured Docker systems.

Don’t Assume Linux Is Safe

Although many in Linux circles will testify to Linux’s reputation is being more secure than Windows, it is clearly becoming a bigger target. The tools used by actors continue to evolve to include common configuration flaws and vulnerabilities within all flavors of Linux.

This can be combated simply by adhering to configuration and security best practices in the management of any Linux device. First and foremost, don’t become lulled into a false sense of security, thinking that Linux is immune to ransomware. The reality is that almost nothing is.