Linux ransomware - Revision history

Fislam at 00:00, 12 June 2017

2017-06-12T00:00:38Z

← Older revision		Revision as of 03:00, 12 June 2017
Line 62:		Line 62:
	Oz is a system for isolating programs so that if an attacker exploits an application security vulnerability, the rest of your machine and your network will remain largely unaffected. Oz makes this possible by delimiting the permission applications have to other parts of the computer, so that when an attacker compromises the security hole in any application it does not allow any malicious activities to take place.		Oz is a system for isolating programs so that if an attacker exploits an application security vulnerability, the rest of your machine and your network will remain largely unaffected. Oz makes this possible by delimiting the permission applications have to other parts of the computer, so that when an attacker compromises the security hole in any application it does not allow any malicious activities to take place.

	===Qubes OS===		====Qubes OS====
	Qubes OS is yet another Linux distribution with higher level of security. Qubes OS is actually a really nice mix of Fedora,Debian and Whonix. It uses the Xen for virtualization and RPM package manager. Some notable security hardened features on Qubes OS:		Qubes OS is yet another Linux distribution with higher level of security. Qubes OS is actually a really nice mix of Fedora,Debian and Whonix. It uses the Xen for virtualization and RPM package manager. Some notable security hardened features on Qubes OS:

Fislam: /* Safest Linux Distros */

2017-06-11T23:59:44Z

Safest Linux Distros

← Older revision		Revision as of 02:59, 12 June 2017
Line 61:		Line 61:
	5.Oz:		5.Oz:
	Oz is a system for isolating programs so that if an attacker exploits an application security vulnerability, the rest of your machine and your network will remain largely unaffected. Oz makes this possible by delimiting the permission applications have to other parts of the computer, so that when an attacker compromises the security hole in any application it does not allow any malicious activities to take place.		Oz is a system for isolating programs so that if an attacker exploits an application security vulnerability, the rest of your machine and your network will remain largely unaffected. Oz makes this possible by delimiting the permission applications have to other parts of the computer, so that when an attacker compromises the security hole in any application it does not allow any malicious activities to take place.

			===Qubes OS===
			Qubes OS is yet another Linux distribution with higher level of security. Qubes OS is actually a really nice mix of Fedora,Debian and Whonix. It uses the Xen for virtualization and RPM package manager. Some notable security hardened features on Qubes OS:

			1.Isolated from the rest: Qubes confines each part of the OS by compartmentalizing them.Each component of the OS is relegated to a domain structure that is isolated from all other domains. The applications in Qubes OS run inside a completely seperate VM and even simple copy paste tasks requires Authorization.

			2.Self-destruction:If you open a disposable domain, whatever you run and whatever data you generate from apps within it cease to exist when you close that domain. If you open a Web browser in a disposable domain and stumble on an infected website, the foreign substance would be deleted automatically when the domain closed.

	==Conclusion==		==Conclusion==

Fislam: /* Safe Practices */

2017-06-10T17:55:21Z

Safe Practices

← Older revision		Revision as of 20:55, 10 June 2017
Line 31:		Line 31:

	6. Disable Remote Desktop: Ransomwares regularly target remote desktop environment. If you do not require RDP, block it with a firewall.		6. Disable Remote Desktop: Ransomwares regularly target remote desktop environment. If you do not require RDP, block it with a firewall.

			===What about Antivirus?===
			Windows users swear by Antivirus softwares, but this is not the case on linux. Truth be told, most antivirus software shall not help detect ransomwares or malwares on linux, since most of the Antivirus companies focus on malwares that infect Windows. Dr.Web is available with a free 3 month trial, and is known have detected a ransomware in the past. Certain systems are more in need of an antivirus than others:
			1.If you have the program Wine installed in your system, and you use it to run <code>.exe</code> Windows executables.Scanning these files are crucial.
			2.If you have a window based system on your network or a windows partition on your system, you may want to consider an antivirus.

	===Ransomware Removal & Recovery===		===Ransomware Removal & Recovery===

Fislam: /* Ransomware Removal & Recovery */

2017-06-10T17:38:52Z

Ransomware Removal & Recovery

← Older revision		Revision as of 20:38, 10 June 2017
Line 38:		Line 38:
	2.Please follow the github tutorial		2.Please follow the github tutorial

	There is also project https://www.nomoreransom.org with over 40 decryption tools. This project was originally started by DNP,Intel,Kasperky and Europol. Although chances of recovering your files aren't that high, it is still a great initiative to not pay the hackers.		There is also a project https://www.nomoreransom.org with over 40 decryption tools. This project was originally started by DNP,Intel,Kasperky and Europol. Although chances of recovering your files aren't that high, it is still a great initiative to not pay the hackers.

	===Safest Linux Distros===		===Safest Linux Distros===

Fislam: /* SubGraph OS */

2017-06-10T17:37:30Z

SubGraph OS

← Older revision		Revision as of 20:37, 10 June 2017
Line 43:		Line 43:
	====SubGraph OS====		====SubGraph OS====
	Subgraph OS is based on Debian. It is very heavily protected and is ideal for the truly paranoid. It comes with the following features:		Subgraph OS is based on Debian. It is very heavily protected and is ideal for the truly paranoid. It comes with the following features:

	1.Mandatory Full Disk Encryption: Users have no choice but encrypt the entire disk. Subgraph uses shadow encryption, as a result data is protected even if you lose your hard drive or if it fall's into the wrong hands. In other words, your data will not be lost.		1.Mandatory Full Disk Encryption: Users have no choice but encrypt the entire disk. Subgraph uses shadow encryption, as a result data is protected even if you lose your hard drive or if it fall's into the wrong hands. In other words, your data will not be lost.

Fislam at 17:36, 10 June 2017

2017-06-10T17:36:54Z

← Older revision		Revision as of 20:36, 10 June 2017
Line 9:		Line 9:
	Ransomware is very common on Windows, and there are several ways in which a machine can be affected, the most common is through phising. However, in Linux it works a bit differently. On Linux based systems ransomwares target the web server, as the vast majority of Linux users are server users. The functionalities of a Linux ransomware is very similar to Windows ransomware, but one major difference is Linux requires executable permission before executing, but Windows does not. This makes it harder to exploit Linux based systems.		Ransomware is very common on Windows, and there are several ways in which a machine can be affected, the most common is through phising. However, in Linux it works a bit differently. On Linux based systems ransomwares target the web server, as the vast majority of Linux users are server users. The functionalities of a Linux ransomware is very similar to Windows ransomware, but one major difference is Linux requires executable permission before executing, but Windows does not. This makes it harder to exploit Linux based systems.

			==Popular Ransomwares==
	===Linux.Encoder.1===		===Linux.Encoder.1===
	The existence of linux ransomwares weren't discovered until a couple of years ago. Dr.Web Antivirus detected a certain ransomware that attacked linux based systems. This ransomware was known as Linux.Encoder.1. This ransomware didn't just target any file/folder, it targeted the files & folders associated with the web server, this is usually wherever the document root of the web server is located, but it is not limited to it.The ransomware gets root access to system, and it downloads the files with the hackers demands along with a file that has a path to a public RSA (encryption algortighm) key. After that the malicious program starts as a daemon and deletes the original files. Afterwards, the RSA key is used to store AES (Advanced Encryption Standard) keys, which is used by the malicious program to encrypt files on the infected computer.The Linux.Encoder.1 starts by encrypting all the directories in the web server root. The hackers usually specify a string name for file extensions, or a pattern. The ransomware only encrypts the files that meet that criteria. Some common file extensions that are encrypted include <code>.tar.gz , .jpg, .apk, .pub, .mp4, .html</code> . The following directories are commonly encrypted <code>/home, /root, /var/lib/mysql, /etc/nginx, /var/www</code>. The following are not encrypted <code> /, ssh, /usr/bin, /bin, /etc/ssh</code>		The existence of linux ransomwares weren't discovered until a couple of years ago. Dr.Web Antivirus detected a certain ransomware that attacked linux based systems. This ransomware was known as Linux.Encoder.1. This ransomware didn't just target any file/folder, it targeted the files & folders associated with the web server, this is usually wherever the document root of the web server is located, but it is not limited to it.The ransomware gets root access to system, and it downloads the files with the hackers demands along with a file that has a path to a public RSA (encryption algortighm) key. After that the malicious program starts as a daemon and deletes the original files. Afterwards, the RSA key is used to store AES (Advanced Encryption Standard) keys, which is used by the malicious program to encrypt files on the infected computer.The Linux.Encoder.1 starts by encrypting all the directories in the web server root. The hackers usually specify a string name for file extensions, or a pattern. The ransomware only encrypts the files that meet that criteria. Some common file extensions that are encrypted include <code>.tar.gz , .jpg, .apk, .pub, .mp4, .html</code> . The following directories are commonly encrypted <code>/home, /root, /var/lib/mysql, /etc/nginx, /var/www</code>. The following are not encrypted <code> /, ssh, /usr/bin, /bin, /etc/ssh</code>

	~~==Popular Ransomwares==~~
	===Killdisk===		===Killdisk===
	Killdisk is another ransomware on linux, which does not decrypt. According to ESET security experts, the linux version of Killdisk does not save the encryption keys or communicate with command and control. Bottom line, even if someone pays the ransom, there is no actual chance of restoring their files. Killdisk uses a 3D AES with 64 bit crypto keys applied in 4kb blocks. The key is also unique for every file. Killdisk also makes the system unbootable, and modifies the bootloader completely. Killdisk is also known to have demanded exorbitant prices for decryption, even though it does not decrypt.		Killdisk is another ransomware on linux, which does not decrypt. According to ESET security experts, the linux version of Killdisk does not save the encryption keys or communicate with command and control. Bottom line, even if someone pays the ransom, there is no actual chance of restoring their files. Killdisk uses a 3D AES with 64 bit crypto keys applied in 4kb blocks. The key is also unique for every file. Killdisk also makes the system unbootable, and modifies the bootloader completely. Killdisk is also known to have demanded exorbitant prices for decryption, even though it does not decrypt.

			==Safe Practices==
	===Prevention===		===Prevention===
	Ransomware is usually found in emails and suspicious websites, but it definitely to limited to it. Every user should exercise caution and certain preventive steps should be taken. The following steps shall greatly reduces the chances of being infected with a ransomware.		Ransomware is usually found in emails and suspicious websites, but it definitely to limited to it. Every user should exercise caution and certain preventive steps should be taken. The following steps shall greatly reduces the chances of being infected with a ransomware.
Line 40:		Line 41:

	===Safest Linux Distros===		===Safest Linux Distros===
	SubGraph OS: Subgraph is based Debian. It is very heavily protected and is ideal for the truly paranoid. It comes with the following features:		====SubGraph OS====
			Subgraph OS is based on Debian. It is very heavily protected and is ideal for the truly paranoid. It comes with the following features:
	1.Mandatory Full Disk Encryption: Users have no choice but encrypt the entire disk. Subgraph uses shadow encryption, as a result data is protected even if you lose your hard drive or if it fall's into the wrong hands. In other words, your data will not be lost.		1.Mandatory Full Disk Encryption: Users have no choice but encrypt the entire disk. Subgraph uses shadow encryption, as a result data is protected even if you lose your hard drive or if it fall's into the wrong hands. In other words, your data will not be lost.

Line 54:		Line 56:
	Oz is a system for isolating programs so that if an attacker exploits an application security vulnerability, the rest of your machine and your network will remain largely unaffected. Oz makes this possible by delimiting the permission applications have to other parts of the computer, so that when an attacker compromises the security hole in any application it does not allow any malicious activities to take place.		Oz is a system for isolating programs so that if an attacker exploits an application security vulnerability, the rest of your machine and your network will remain largely unaffected. Oz makes this possible by delimiting the permission applications have to other parts of the computer, so that when an attacker compromises the security hole in any application it does not allow any malicious activities to take place.

	===Conclusion===		==Conclusion==
	Although most ransomwares are meant for Windows, that doesn't mean you are hundred percent safe of Linux. As discussed earlier, a user's best weapon to fight against a ransomware is Backup. If a user follows all the preventive steps they will be far more safer than os OSX or Windows. Furthermore, by using security hardened distro like Subgraph OS, the user will be far more safe than something like Ubuntu. At the end of the day, no system is invulnerable, now matter how secure it is. It is important to not give up, and almost never pay the ransom. Alternative movements like The No More RansomWare Project is great initiative, and has the potential greatly minimize the risk of ransomwares. Last but not least, the usage of a firewall is paramount to preventing ransomwares.		Although most ransomwares are meant for Windows, that doesn't mean you are hundred percent safe of Linux. As discussed earlier, a user's best weapon to fight against a ransomware is Backup. If a user follows all the preventive steps they will be far more safer than os OSX or Windows. Furthermore, by using security hardened distro like Subgraph OS, the user will be far more safe than something like Ubuntu. At the end of the day, no system is invulnerable, now matter how secure it is. It is important to not give up, and almost never pay the ransom. Alternative movements like The No More RansomWare Project is great initiative, and has the potential greatly minimize the risk of ransomwares. Last but not least, the usage of a firewall is paramount to preventing ransomwares.

Fislam: /* Ransomware in Linux */

2017-06-10T17:32:44Z

Ransomware in Linux

← Older revision		Revision as of 20:32, 10 June 2017
Line 12:		Line 12:
	The existence of linux ransomwares weren't discovered until a couple of years ago. Dr.Web Antivirus detected a certain ransomware that attacked linux based systems. This ransomware was known as Linux.Encoder.1. This ransomware didn't just target any file/folder, it targeted the files & folders associated with the web server, this is usually wherever the document root of the web server is located, but it is not limited to it.The ransomware gets root access to system, and it downloads the files with the hackers demands along with a file that has a path to a public RSA (encryption algortighm) key. After that the malicious program starts as a daemon and deletes the original files. Afterwards, the RSA key is used to store AES (Advanced Encryption Standard) keys, which is used by the malicious program to encrypt files on the infected computer.The Linux.Encoder.1 starts by encrypting all the directories in the web server root. The hackers usually specify a string name for file extensions, or a pattern. The ransomware only encrypts the files that meet that criteria. Some common file extensions that are encrypted include <code>.tar.gz , .jpg, .apk, .pub, .mp4, .html</code> . The following directories are commonly encrypted <code>/home, /root, /var/lib/mysql, /etc/nginx, /var/www</code>. The following are not encrypted <code> /, ssh, /usr/bin, /bin, /etc/ssh</code>		The existence of linux ransomwares weren't discovered until a couple of years ago. Dr.Web Antivirus detected a certain ransomware that attacked linux based systems. This ransomware was known as Linux.Encoder.1. This ransomware didn't just target any file/folder, it targeted the files & folders associated with the web server, this is usually wherever the document root of the web server is located, but it is not limited to it.The ransomware gets root access to system, and it downloads the files with the hackers demands along with a file that has a path to a public RSA (encryption algortighm) key. After that the malicious program starts as a daemon and deletes the original files. Afterwards, the RSA key is used to store AES (Advanced Encryption Standard) keys, which is used by the malicious program to encrypt files on the infected computer.The Linux.Encoder.1 starts by encrypting all the directories in the web server root. The hackers usually specify a string name for file extensions, or a pattern. The ransomware only encrypts the files that meet that criteria. Some common file extensions that are encrypted include <code>.tar.gz , .jpg, .apk, .pub, .mp4, .html</code> . The following directories are commonly encrypted <code>/home, /root, /var/lib/mysql, /etc/nginx, /var/www</code>. The following are not encrypted <code> /, ssh, /usr/bin, /bin, /etc/ssh</code>

			==Popular Ransomwares==
	===Killdisk===		===Killdisk===
	Killdisk is another ransomware on linux, which does not decrypt. According to ESET security experts, the linux version of Killdisk does not save the encryption keys or communicate with command and control. Bottom line, even if someone pays the ransom, there is no actual chance of restoring their files. Killdisk uses a 3D AES with 64 bit crypto keys applied in 4kb blocks. The key is also unique for every file. Killdisk also makes the system unbootable, and modifies the bootloader completely. Killdisk is also known to have demanded exorbitant prices for decryption, even though it does not decrypt.		Killdisk is another ransomware on linux, which does not decrypt. According to ESET security experts, the linux version of Killdisk does not save the encryption keys or communicate with command and control. Bottom line, even if someone pays the ransom, there is no actual chance of restoring their files. Killdisk uses a 3D AES with 64 bit crypto keys applied in 4kb blocks. The key is also unique for every file. Killdisk also makes the system unbootable, and modifies the bootloader completely. Killdisk is also known to have demanded exorbitant prices for decryption, even though it does not decrypt.

Fislam: /* Linux.Encoder.1 */

2017-06-10T17:32:04Z

Linux.Encoder.1

← Older revision		Revision as of 20:32, 10 June 2017
Line 10:		Line 10:

	===Linux.Encoder.1===		===Linux.Encoder.1===
	The existence of linux ransomwares weren't discovered until a couple of years ago. Dr.Web Antivirus detected a certain ransomware that attacked linux based systems. This ransomware was known as Linux.Encoder.1. This ransomware didn't just target any file/folder, it targeted the files & folders associated with the web server, this is usually wherever the document root of the web server is located, but it is not limited to it.The ransomware gets root access to system, and it downloads the files with the hackers demands along with a file that has a path to a public RSA (encryption algortighm) key. After that the malicious program starts as a daemon and deletes the original files. Afterwards, the RSA key is used to store AES (Advanced Encryption Standard) keys, which is used by the malicious program to encrypt files on the infected computer.The Linux.Encoder.1 starts by encrypting all the directories in the web server root. The hackers usually specify a string name for file extensions, or a pattern. The ransomware only encrypts the files that meet that criteria. Some common file extensions that are encrypted include <code>.tar.gz , .jpg, .apk, .pub, .mp4, .html</code> . The following directories are commonly encrypted <code>/home, /root, /var/lib/mysql, /etc/nginx, /var/www</code>. The following are not encrypted <code>./, ssh, /usr/bin, /bin, /etc/ssh</code>		The existence of linux ransomwares weren't discovered until a couple of years ago. Dr.Web Antivirus detected a certain ransomware that attacked linux based systems. This ransomware was known as Linux.Encoder.1. This ransomware didn't just target any file/folder, it targeted the files & folders associated with the web server, this is usually wherever the document root of the web server is located, but it is not limited to it.The ransomware gets root access to system, and it downloads the files with the hackers demands along with a file that has a path to a public RSA (encryption algortighm) key. After that the malicious program starts as a daemon and deletes the original files. Afterwards, the RSA key is used to store AES (Advanced Encryption Standard) keys, which is used by the malicious program to encrypt files on the infected computer.The Linux.Encoder.1 starts by encrypting all the directories in the web server root. The hackers usually specify a string name for file extensions, or a pattern. The ransomware only encrypts the files that meet that criteria. Some common file extensions that are encrypted include <code>.tar.gz , .jpg, .apk, .pub, .mp4, .html</code> . The following directories are commonly encrypted <code>/home, /root, /var/lib/mysql, /etc/nginx, /var/www</code>. The following are not encrypted <code> /, ssh, /usr/bin, /bin, /etc/ssh</code>

	===Killdisk===		===Killdisk===

Fislam: /* Ransomware in Linux */

2017-06-10T17:31:03Z

Ransomware in Linux

← Older revision		Revision as of 20:31, 10 June 2017
Line 5:		Line 5:
	===What is a Ransomware?===		===What is a Ransomware?===
	Ransomware is a very dangerous malware. It restricts users from accessing their system by either locking the system's screen or locking the user's files till the random is paid. Modern day ransomwares are categorized as Crypto Ransomware, which works by encrypting certain files and forces the user to pay online usually using a crypto currency. After the ransom is paid, the user gets a decryption key, and is able to use that to unlock the system.		Ransomware is a very dangerous malware. It restricts users from accessing their system by either locking the system's screen or locking the user's files till the random is paid. Modern day ransomwares are categorized as Crypto Ransomware, which works by encrypting certain files and forces the user to pay online usually using a crypto currency. After the ransom is paid, the user gets a decryption key, and is able to use that to unlock the system.

			===How Common is Ransomware in Linux?===
			Ransomware is very common on Windows, and there are several ways in which a machine can be affected, the most common is through phising. However, in Linux it works a bit differently. On Linux based systems ransomwares target the web server, as the vast majority of Linux users are server users. The functionalities of a Linux ransomware is very similar to Windows ransomware, but one major difference is Linux requires executable permission before executing, but Windows does not. This makes it harder to exploit Linux based systems.

	===Linux.Encoder.1===		===Linux.Encoder.1===

Fislam: /* Ransomware in Linux */

2017-06-10T17:21:57Z

Ransomware in Linux

← Older revision		Revision as of 20:21, 10 June 2017
Line 19:		Line 19:
	2. Use a Firewall: The uncomplicated firewall on linux is a very basic option,but if configured properly it should do the trick. Usually it's a good idea to block the countries that are infamous for ransomware, namely the domains <code>.cn, .ru, .ro, .in </code> Limiting traffic to ports that are used by you, not more than that. A regular user should allow HTTP port 80, HTTPS port 443 and maybe SSH port 22 if they need it.		2. Use a Firewall: The uncomplicated firewall on linux is a very basic option,but if configured properly it should do the trick. Usually it's a good idea to block the countries that are infamous for ransomware, namely the domains <code>.cn, .ru, .ro, .in </code> Limiting traffic to ports that are used by you, not more than that. A regular user should allow HTTP port 80, HTTPS port 443 and maybe SSH port 22 if they need it.

	3.Use a vulnerability scanner like to ensure that your system is monitored against threats. There is no surefire way to know your system is vulnerable without using a vulnerability scanner. nMap is a basic tool to do this and is available on all linux distros. There is an extensive tutorial on how to use ~~namp~~ to scan for vulnerability over at [https://blog.michaelfmcnamara.com/2017/05/how-to-scan-for-machines-vulnerable-to-wannacrypt-wannacry-ransomware/].		3.Use a vulnerability scanner like to ensure that your system is monitored against threats. There is no surefire way to know your system is vulnerable without using a vulnerability scanner. nMap is a basic tool to do this and is available on all linux distros. There is an extensive tutorial on how to use nmap to scan for vulnerability over at [https://blog.michaelfmcnamara.com/2017/05/how-to-scan-for-machines-vulnerable-to-wannacrypt-wannacry-ransomware/].

	4. Filter executable files in emails : It is not usual to receive an email with an executable file. It would be wise to block at least the following extension types when received as an email attachment <code>.exe, .dll, .bat </code>. Also it is wise to scan a compressed file type before opening it.		4. Filter executable files in emails : It is not usual to receive an email with an executable file. It would be wise to block at least the following extension types when received as an email attachment <code>.exe, .dll, .bat </code>. Also it is wise to scan a compressed file type before opening it.