Linux ransomware

From ICO wiki

Written by: Farhan Islam-C11 Group

Ransomware in Linux

What is Ransomware?

Ransomware is a very dangerous type of malware. It prevents users from accessing their system, either by locking the screen or by locking the user's files, until the ransom is paid. Most modern ransomware is categorized as crypto ransomware: it encrypts selected files and forces the user to pay online, usually in a cryptocurrency. After the ransom is paid, the user receives a decryption key and can use it to unlock the system.

How Common is Ransomware in Linux?

Ransomware is very common on Windows, and there are several ways in which a machine can be infected; the most common is phishing. On Linux it works somewhat differently. On Linux-based systems, ransomware targets the web server, because the vast majority of Linux users are server users. The functionality of Linux ransomware is very similar to that of Windows ransomware, but one major difference is that Linux requires the executable permission to be set before a file can run, whereas Windows does not. This makes Linux-based systems harder to exploit.

Popular Ransomware


Linux ransomware was not discovered until a couple of years ago, when the Dr.Web antivirus company detected a ransomware that attacked Linux-based systems. This ransomware was named Linux.Encoder.1. It did not target just any file or folder; it targeted the files and folders associated with the web server, usually wherever the document root of the web server is located, though it is not limited to that. The ransomware obtains root access to the system, then downloads the file with the hackers' demands along with a file containing the path to a public RSA (an encryption algorithm) key. The malicious program then starts as a daemon and deletes the original files. The RSA key is used to store the AES (Advanced Encryption Standard) keys, which the malicious program uses to encrypt the files on the infected computer.

Linux.Encoder.1 starts by encrypting all the directories in the web server root. The hackers usually specify file extensions by name or by pattern, and the ransomware only encrypts the files that meet those criteria. Common file extensions that get encrypted include .tar.gz, .jpg, .apk, .pub, .mp4 and .html. The following directories are commonly encrypted: /home, /root, /var/lib/mysql, /etc/nginx and /var/www. The following are not encrypted: /, ssh, /usr/bin, /bin and /etc/ssh.
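Because Linux.Encoder.1 keeps file names and extensions but replaces the contents with ciphertext, a server administrator can catch an infection in the web root by checking whether each file still looks like what its extension claims. The script below is an added example written for this page; it is not code from the wiki, from Dr.Web or from the ransomware. It flags text files (.html, .pub and similar) whose content has near-random entropy and binary files (.jpg, .tar.gz, .apk, .mp4) that have lost their format's magic header. The entropy threshold, the sample web root and its file names are constructed for the demonstration.

```python
"""Spot web-root files whose content no longer matches their extension.

Added example; this is not code from the wiki page, from Dr.Web or from the
ransomware itself. Crypto-ransomware like Linux.Encoder.1 replaces file contents
with ciphertext, so a .html file stops looking like text and a .jpg or .tar.gz
loses its format's magic header. Thresholds, the sample tree and its file names
below are constructed for the demonstration.
"""
import gzip
import math
import os
import random
import tempfile
from collections import Counter
from typing import List, Optional, Tuple

# Expected leading bytes for binary formats the page lists as targets.
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".gz": b"\x1f\x8b",       # covers .tar.gz as well
    ".apk": b"PK\x03\x04",    # an APK is a zip archive
}
# Text formats: their entropy is normally well below 6 bits per byte.
TEXT_EXTENSIONS = {".html", ".php", ".js", ".css", ".txt", ".sql", ".pub"}
ENTROPY_LIMIT = 7.2  # bits per byte; ciphertext and random data approach 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def check_file(path: str) -> Optional[str]:
    """Return a reason if the file looks encrypted or overwritten, else None."""
    with open(path, "rb") as f:
        head = f.read(4096)
    ext = os.path.splitext(path.lower())[1]
    if ext in TEXT_EXTENSIONS:
        if shannon_entropy(head) > ENTROPY_LIMIT:
            return "text extension but high-entropy content"
        return None
    if ext == ".mp4":
        # ISO base media files carry the 'ftyp' box type at byte offset 4.
        return None if head[4:8] == b"ftyp" else "mp4 extension without ftyp box"
    sig = MAGIC.get(ext)
    if sig and not head.startswith(sig):
        return f"{ext} extension without expected magic header"
    return None


def scan(root: str) -> List[Tuple[str, str]]:
    """Walk `root` and return sorted (relative path, reason) pairs for suspect files."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            reason = check_file(full)
            if reason:
                findings.append((os.path.relpath(full, root), reason))
    return sorted(findings)


def build_sample_tree() -> str:
    """Constructed web root: intact files next to ones overwritten with random bytes."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "uploads"))
    rng = random.Random(7)  # fixed seed so the demo is repeatable

    def noise(n: int) -> bytes:
        # Leading 0x7e guarantees no accidental magic-header match.
        return b"\x7e" + bytes(rng.getrandbits(8) for _ in range(n))

    def put(rel: str, data: bytes) -> None:
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)

    put("index.html", b"<html><body>" + b"hello world " * 200 + b"</body></html>")
    put("uploads/photo.jpg", b"\xff\xd8\xff\xe0" + noise(2000))
    put("backup.tar.gz", gzip.compress(b"tar payload " * 100))
    put("intro.mp4", b"\x00\x00\x00\x18ftypisom" + noise(500))
    # Files "encrypted" by ransomware keep their names but lose structure and magic.
    put("about.html", noise(3000))
    put("uploads/logo.jpg", noise(3000))
    put("site.tar.gz", noise(3000))
    return root


def demo() -> List[Tuple[str, str]]:
    """Build the sample tree and return what the scan flags."""
    return scan(build_sample_tree())


if __name__ == "__main__":
    for rel, why in demo():
        print(f"SUSPECT {rel}: {why}")
```

Entropy alone is a poor signal for .jpg, .mp4 or .tar.gz, since compressed formats are already close to random; that is why the check for those extensions looks at the magic header instead. Run the scan from cron against /var/www and alert on any non-empty result.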


KillDisk is another ransomware on Linux, and it does not decrypt at all. According to ESET security experts, the Linux version of KillDisk does not save the encryption keys or communicate with a command-and-control server. Bottom line: even if someone pays the ransom, there is no actual chance of restoring their files. KillDisk uses 3D AES with 64-bit crypto keys applied in 4 KB blocks, and the key is unique for every file. KillDisk also makes the system unbootable by completely modifying the bootloader. KillDisk is also known to have demanded exorbitant prices for decryption, even though it does not decrypt.

Safe Practices


Ransomware is usually found in emails and on suspicious websites, but it is definitely not limited to those. Every user should exercise caution, and certain preventive steps should be taken. The following steps will greatly reduce the chances of being infected with ransomware.

1. Backup: Back up everything you need, from your databases to important documents. Keep in mind that if you have proper backups in multiple locations, ransomware cannot harm you that much, so make a habit of backing up data regularly. This can be done on a USB drive, cloud-based storage, etc.
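A backup only protects against ransomware if it is kept in versions, stored where the infected host cannot silently rewrite it, and actually restorable. The script below is an added example for this page, not code from the wiki: it writes dated tar.gz generations of a directory, records a SHA-256 digest of the archive and of every file in a manifest, prunes old generations, and verifies a backup by restoring it to scratch space and re-hashing the files. The retention count, paths and the sample web root are constructed.

```python
"""Versioned backups with an integrity manifest and a restore check.

Added example; not code from the wiki page. It puts the backup advice above into
practice: keep several dated generations, record a SHA-256 digest of every file
and of the archive so a backup that was later overwritten or encrypted is
noticed, and prove that a restore actually works before the backup is trusted.
Retention count, paths and the sample tree below are constructed.
"""
import hashlib
import json
import os
import shutil
import tarfile
import tempfile
import time
from typing import Dict, List, Optional

KEEP_GENERATIONS = 3  # dated archives to retain (constructed value)


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large archives fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def prune_old(dest_dir: str) -> List[str]:
    """Delete archives beyond KEEP_GENERATIONS, oldest first; return their names."""
    archives = sorted(f for f in os.listdir(dest_dir)
                      if f.startswith("backup-") and f.endswith(".tar.gz"))
    removed = archives[:max(0, len(archives) - KEEP_GENERATIONS)]
    for old in removed:
        os.remove(os.path.join(dest_dir, old))
        os.remove(os.path.join(dest_dir, old + ".sha256"))
    return removed


def make_backup(source: str, dest_dir: str, stamp: Optional[str] = None) -> str:
    """Archive `source` to dest_dir/backup-<stamp>.tar.gz with a JSON .sha256 manifest.

    Copy the manifest to a second, read-only location as well: whoever can
    rewrite the archive must not be able to rewrite the digests too.
    """
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    archive = os.path.join(dest_dir, f"backup-{stamp}.tar.gz")
    files: Dict[str, str] = {}
    for dirpath, _, names in os.walk(source):
        for name in names:
            full = os.path.join(dirpath, name)
            files[os.path.relpath(full, source)] = sha256_file(full)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")
    with open(archive + ".sha256", "w") as f:
        json.dump({"archive": sha256_file(archive), "files": files}, f, indent=1)
    prune_old(dest_dir)
    return archive


def verify_backup(archive: str) -> bool:
    """Check the archive digest, then restore to scratch space and re-hash every file."""
    with open(archive + ".sha256") as f:
        manifest = json.load(f)
    if sha256_file(archive) != manifest["archive"]:
        return False
    scratch = tempfile.mkdtemp(prefix="restore-")
    try:
        with tarfile.open(archive, "r:gz") as tar:
            if hasattr(tarfile, "data_filter"):  # rejects '..' and absolute member paths
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
        base = os.path.join(scratch, "data")
        for rel, digest in manifest["files"].items():
            restored = os.path.join(base, rel)
            if not os.path.isfile(restored) or sha256_file(restored) != digest:
                return False
        return True
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


def demo() -> dict:
    """Back up a constructed web root five times, verify, then detect tampering."""
    work = tempfile.mkdtemp(prefix="bk-")
    src = os.path.join(work, "www")
    os.makedirs(os.path.join(src, "uploads"))
    with open(os.path.join(src, "index.html"), "w") as f:
        f.write("<h1>constructed site</h1>")
    with open(os.path.join(src, "uploads", "notes.txt"), "w") as f:
        f.write("constructed data")
    dest = os.path.join(work, "backups")
    os.makedirs(dest)
    archives = [make_backup(src, dest, stamp=f"000{i}") for i in range(1, 6)]
    intact = verify_backup(archives[-1])
    # Simulate the archive being overwritten later, e.g. by ransomware reaching the share.
    with open(archives[-1], "r+b") as f:
        f.write(b"\x00\x00\x00\x00")
    tampered_detected = not verify_backup(archives[-1])
    remaining = sorted(n for n in os.listdir(dest) if n.endswith(".tar.gz"))
    shutil.rmtree(work, ignore_errors=True)
    return {"intact": intact, "tampered_detected": tampered_detected, "remaining": remaining}
```

The restore step uses tarfile's data filter where the interpreter provides it, so a crafted archive cannot write outside the scratch directory during verification. For the "multiple locations" the page recommends, run make_backup with a dest_dir on removable or network storage that the web server's own account cannot write to.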

2. Use a Firewall: The Uncomplicated Firewall (ufw) on Linux is a very basic option, but if configured properly it should do the trick. It is usually a good idea to block the countries that are infamous for ransomware, namely the domains .cn, .ru, .ro and .in, and to limit traffic to the ports you actually use and no more. A regular user should allow HTTP on port 80, HTTPS on port 443 and maybe SSH on port 22 if they need it.

3. Use a vulnerability scanner to ensure that your system is monitored for threats. There is no surefire way to know whether your system is vulnerable without using a vulnerability scanner. Nmap is a basic tool for this and is available on all Linux distros. There is an extensive tutorial on how to use Nmap to scan for vulnerabilities at [1].

4. Filter executable files in emails: It is not usual to receive an email with an executable file. It would be wise to block at least the following extension types when received as email attachments: .exe, .dll and .bat. It is also wise to scan a compressed file before opening it.
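The two pieces of advice above, blocking executable extensions and looking inside compressed attachments before opening them, can be combined in one screening routine. The script below is an added example for this page, not code from the wiki or from any mail filter product. It rejects the page's three extensions, also checks the leading bytes so an executable renamed to .jpg is still caught, and opens zip attachments in memory to screen each member, with member-count and size limits so an oversized archive is refused rather than inflated. The limits and sample attachments are constructed.

```python
"""Screen e-mail attachments by extension and by content, including inside zip files.

Added example; not code from the wiki page or from any mail filter product. It
applies the advice above (block .exe, .dll and .bat attachments and inspect
compressed files before opening them) and also checks file headers, because an
executable renamed to .jpg is still an executable. Size limits and the sample
attachments are constructed.
"""
import io
import zipfile
from typing import Dict, List, Optional, Tuple

BLOCKED_EXTENSIONS = {".exe", ".dll", ".bat"}   # the page's minimum list
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"#!": "script with an interpreter line",
}
MAX_MEMBERS = 200               # members to inspect before refusing an archive
MAX_UNCOMPRESSED = 50 * 2**20   # refuse archives that would expand past 50 MiB


def extension_of(name: str) -> str:
    """Lower-cased final extension of a (possibly path-like) name, or ''."""
    base = name.lower().rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[1] if "." in base else ""


def magic_reason(data: bytes) -> Optional[str]:
    """Describe the executable format the leading bytes announce, if any."""
    for sig, label in EXECUTABLE_MAGIC.items():
        if data.startswith(sig):
            return label
    return None


def screen_attachment(name: str, data: bytes, depth: int = 0) -> Tuple[bool, str]:
    """Return (allowed, reason); descends one level into zip archives."""
    ext = extension_of(name)
    if ext in BLOCKED_EXTENSIONS:
        return False, f"{name}: blocked extension {ext}"
    label = magic_reason(data)
    if label:  # a self-extracting .exe also starts with MZ, so it lands here
        return False, f"{name}: content is a {label} despite extension {ext or '(none)'}"
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= 1:
            return False, f"{name}: nested archive, not inspected further"
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            infos = z.infolist()
            total = sum(i.file_size for i in infos)
            if len(infos) > MAX_MEMBERS or total > MAX_UNCOMPRESSED:
                return False, f"{name}: archive too large to inspect safely"
            for info in infos:
                if info.is_dir():
                    continue
                ok, why = screen_attachment(info.filename, z.read(info), depth + 1)
                if not ok:
                    return False, f"{name} -> {why}"
    return True, f"{name}: no indicator found"


def build_samples() -> List[Tuple[str, bytes]]:
    """Constructed attachments: a document, executables, a zip hiding a .bat, a clean zip."""
    hiding = io.BytesIO()
    with zipfile.ZipFile(hiding, "w") as z:
        z.writestr("report.docx", b"constructed bytes, not a real document")
        z.writestr("run_me.bat", b"@echo off\r\necho constructed\r\n")
    clean = io.BytesIO()
    with zipfile.ZipFile(clean, "w") as z:
        z.writestr("readme.txt", b"all fine here")
    return [
        ("invoice.pdf", b"%PDF-1.4 constructed"),
        ("setup.exe", b"MZ\x90\x00" + b"\x00" * 60),
        ("photo.jpg", b"MZ\x90\x00" + b"\x00" * 60),   # PE header under an image name
        ("docs.zip", hiding.getvalue()),
        ("notes.zip", clean.getvalue()),
    ]


def screen_all() -> Dict[str, bool]:
    """Verdict per sample attachment name."""
    return {name: screen_attachment(name, data)[0] for name, data in build_samples()}


if __name__ == "__main__":
    for name, data in build_samples():
        print(screen_attachment(name, data))
```

Only one level of nesting is inspected; deeper archives are refused outright, which is the safer default for a filter that runs before any user has seen the file.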

5. Software Update: This should go without saying. It is vital to keep the system current with security updates at all times. On Debian-based Linux, run sudo apt-get update followed by sudo apt-get upgrade. Also make sure to update the antivirus definition files as soon as they are available.

6. Disable Remote Desktop: Ransomware regularly targets remote desktop environments. If you do not require RDP, block it with the firewall.

What about Antivirus?

Windows users swear by antivirus software, but this is not the case on Linux. Truth be told, most antivirus software will not help detect ransomware or other malware on Linux, since most antivirus companies focus on malware that infects Windows. Dr.Web is available with a free 3-month trial and is known to have detected a ransomware in the past. Certain systems are more in need of an antivirus than others:

1. If you have Wine installed on your system and use it to run .exe Windows executables, scanning those files is crucial.

2. If you have a Windows-based system on your network or a Windows partition on your system, you may want to consider an antivirus.

Ransomware Removal & Recovery

Certain ransomware, like KillDisk on Linux, still cannot be decrypted. Fortunately, Linux.Encoder.1 can be removed: BitDefender has a script to take on Linux.Encoder.1. This script is available at . Although the tutorial is on GitHub, one vital piece of information is missing there for the case where your bootloader was encrypted.

1. Boot into the infected server. If the bootloader is locked, try booting from a live USB stick and mount the infected partition with mount /dev/xxxx /mnt (xxxx being the infected partition).

2. Follow the GitHub tutorial.

There is also a project with over 40 decryption tools. This project was originally started by DNP, Intel, Kaspersky and Europol. Although the chances of recovering your files are not that high, it is still a great initiative to avoid paying the hackers.

Safest Linux Distros

SubGraph OS

Subgraph OS is based on Debian. It is very heavily protected and is ideal for the truly paranoid. It comes with the following features:

1. Mandatory Full Disk Encryption: Users have no choice but to encrypt the entire disk. Subgraph uses shadow encryption; as a result, data is protected even if you lose your hard drive or it falls into the wrong hands. In other words, your data will not be lost.

2. Online Anonymity: Subgraph routes all your traffic through the Tor anonymity network by default, making it difficult for attackers to figure out the actual physical location of their targets. This would ensure endpoint security.

3. Advanced Proxy Settings: Communication with the outside world is carried out by Metaproxy, which identifies legitimate connections.

4. Kernel Security: Subgraph OS is also hardened by Grsecurity, a set of patches designed to make Linux kernel security vulnerabilities, such as memory corruption flaws, far more difficult to exploit.

5. Oz: Oz is a system for isolating programs so that if an attacker exploits an application security vulnerability, the rest of your machine and your network remain largely unaffected. Oz makes this possible by limiting the permissions applications have to other parts of the computer, so that when an attacker compromises a security hole in an application, it does not allow malicious activity to take place.

Qubes OS

Qubes OS is yet another Linux distribution with a higher level of security. Qubes OS is actually a really nice mix of Fedora, Debian and Whonix. It uses Xen for virtualization and the RPM package manager. Some notable security-hardened features of Qubes OS:

1. Isolated from the rest: Qubes confines each part of the OS by compartmentalizing it. Each component of the OS is relegated to a domain that is isolated from all other domains. Applications in Qubes OS run inside completely separate VMs, and even simple copy-paste tasks require authorization.

2. Self-destruction: If you open a disposable domain, whatever you run and whatever data you generate from apps within it cease to exist when you close that domain. If you open a web browser in a disposable domain and stumble on an infected website, the malicious content is deleted automatically when the domain is closed.


Although most ransomware is meant for Windows, that does not mean you are a hundred percent safe on Linux. As discussed earlier, a user's best weapon against ransomware is backup. If a user follows all the preventive steps, they will be far safer than on OS X or Windows. Furthermore, by using a security-hardened distro like Subgraph OS, the user will be far safer than on something like Ubuntu. At the end of the day, no system is invulnerable, no matter how secure it is. It is important not to give up, and almost never to pay the ransom. Alternative movements like The No More Ransom Project are a great initiative and have the potential to greatly minimize the risk of ransomware. Last but not least, the use of a firewall is paramount to preventing ransomware.

