Linux ransomware

From ICO wiki
Revision as of 21:02, 9 June 2017

Written by: Farhan Islam-C11 Group

Ransomware in Linux

What is Ransomware?

Ransomware is malware that denies its victims access to their own system or data until a ransom is paid, either by locking the screen or by making the user's files unreadable. Most modern ransomware is crypto ransomware: it encrypts selected files and demands payment online, usually in a cryptocurrency. If the ransom is paid, the victim is supposed to receive a decryption key that restores access; as the KillDisk case below shows, there is no guarantee that the attacker can or will provide one.

Linux.Encoder.1

Ransomware aimed at Linux was not observed until late 2015, when the Dr.Web antivirus company detected a sample that attacked Linux systems and named it Linux.Encoder.1. It did not go after arbitrary files: it targeted the files and directories belonging to the web server, usually starting at the server's document root, though not limited to it. The malware needs root privileges to run. Once launched it downloads the files containing the attackers' demands together with a file holding the path to a public RSA key, starts as a daemon and deletes the original files. The RSA public key is used to wrap the AES (Advanced Encryption Standard) keys with which the program encrypts the files on the infected machine, so only the holder of the matching RSA private key can recover them. Linux.Encoder.1 begins by encrypting every directory under the web server root. The attackers supply a list of file extensions or a name pattern, and only files matching that criterion are encrypted; commonly affected extensions include .tar.gz, .jpg, .apk, .pub, .mp4 and .html. The directories commonly encrypted are /home, /root, /var/lib/mysql, /etc/nginx and /var/www; the following are left alone: ./, ssh, /usr/bin, /bin and /etc/ssh.
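As an added example (it is not part of the original page, nor code from any of the malware described), the following Python script shows how a defender can triage the directories named above for files that have been overwritten with ciphertext. The point it makes is that entropy alone is not enough: the page's own list of targets (.tar.gz, .jpg, .apk, .mp4) is already high-entropy when the files are intact, so the script checks the expected format header first and only flags a file that both lacks its header and looks like random bytes. The directory list is taken from the page; the 7.5 bits-per-byte threshold, the header table and the constructed sample files are assumptions made for this example.

```python
import math
import random
import shutil
import tempfile
from pathlib import Path
from typing import Optional

# Directories the page lists as Linux.Encoder.1 targets; the scan only reads them.
TARGET_DIRS = ["/home", "/root", "/var/lib/mysql", "/etc/nginx", "/var/www"]

# Above this Shannon entropy (bits per byte) a file with no recognisable header
# is treated as probably encrypted. The cut-off is an assumption for this example.
ENTROPY_THRESHOLD = 7.5
SAMPLE_BYTES = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data: 0.0 for empty input, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def header_is_intact(name: str, head: bytes) -> Optional[bool]:
    """True/False when the extension implies a known header and it is/is not present;
    None when we know no header for this extension (assumed table, not from the page)."""
    n = name.lower()
    if n.endswith((".gz", ".tgz")):            # gzip magic, covers .tar.gz
        return head.startswith(b"\x1f\x8b")
    if n.endswith((".jpg", ".jpeg")):          # JPEG start-of-image marker
        return head.startswith(b"\xff\xd8\xff")
    if n.endswith((".apk", ".zip", ".jar")):   # all are zip containers
        return head.startswith(b"PK\x03\x04")
    if n.endswith(".mp4"):                     # ISO media: 'ftyp' box at offset 4
        return head[4:8] == b"ftyp"
    return None


def classify(path: Path) -> str:
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if len(head) < 64:
        return "too-small"
    intact = header_is_intact(path.name, head)
    if intact:
        return "ok-header"           # genuine archive/image: high entropy is expected
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "suspect-encrypted"   # no usable header, yet the bytes look random
    return "ok-plaintext" if intact is None else "odd-no-header"


def scan(dirs) -> dict:
    """Walk the given directories and return {path: verdict} for every regular file."""
    results = {}
    for d in dirs:
        root = Path(d)
        if not root.is_dir():
            continue
        for p in root.rglob("*"):
            if p.is_file() and not p.is_symlink():
                try:
                    results[str(p)] = classify(p)
                except OSError:
                    results[str(p)] = "unreadable"
    return results


def _pseudo_random(n: int, seed: int = 1) -> bytes:
    # Deterministic stand-in for ciphertext (constructed sample data, not malware output).
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def build_sample_tree(root: Path) -> None:
    """Constructed web root: three intact files and two whose content became ciphertext."""
    site = root / "var" / "www" / "site"
    site.mkdir(parents=True)
    (site / "index.html").write_bytes(b"<html><body>Hello, world!</body></html>\n" * 100)
    (site / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + _pseudo_random(4000))
    (site / "backup.tar.gz").write_bytes(b"\x1f\x8b\x08\x00" + _pseudo_random(4000))
    # Same names as before, but the bytes were replaced wholesale, so the headers are gone.
    (site / "hit.jpg").write_bytes(_pseudo_random(4096, seed=2))
    (site / "hit.html").write_bytes(_pseudo_random(4096, seed=3))


def demo() -> dict:
    """Build the sample tree in a temporary directory, scan it and return {basename: verdict}."""
    tmp = Path(tempfile.mkdtemp())
    try:
        build_sample_tree(tmp)
        return {Path(k).name: v for k, v in scan([tmp]).items()}
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{verdict:18} {name}")
    # On a live server run scan(TARGET_DIRS) as root and review every "suspect-encrypted" hit.
```

Run it as root against the real directories with scan(TARGET_DIRS); every "suspect-encrypted" verdict is a file worth comparing against your last backup. Formats not in the header table fall back to the entropy test alone, so expect some false positives on legitimately random data such as key material.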

Killdisk

KillDisk is another ransomware family with a Linux variant, and it does not decrypt anything. According to ESET's analysis, the Linux version neither saves the encryption keys anywhere nor sends them to a command-and-control server, so even a victim who pays has no realistic chance of getting their files back. KillDisk encrypts files with Triple-DES applied in 4 KB blocks, using a different set of 64-bit keys for every file. It also renders the machine unbootable by overwriting the bootloader entries to display its ransom note, and it has demanded exorbitant ransoms despite being unable to decrypt.


Prevention

Ransomware usually arrives through email attachments and malicious or compromised websites, but it is by no means limited to those channels. Every user should exercise caution, and the following preventive steps greatly reduce the chance of being infected.

1. Backup: Back up everything you need, from databases to important documents. If you have proper backups in more than one location, ransomware cannot hurt you much, so make regular backups a habit, whether to a USB drive, to cloud storage, or both. Two caveats: a backup that stays mounted or writable from the infected machine gets encrypted along with everything else, so keep at least one copy offline or in a versioned store that retains earlier copies, and test periodically that you can actually restore from it.

2. Use a firewall: ufw (the Uncomplicated Firewall) on Linux is a very basic front end, but configured properly it does the job. Blocking whole countries that are infamous for ransomware (the top-level domains .cn, .ru, .ro and .in are often cited) is of limited use: a packet filter matches IP addresses, not domain suffixes, and attackers route through infrastructure in any country. What does work is a default-deny inbound policy that opens only the ports you actually use. A web server needs inbound HTTP (port 80) and HTTPS (port 443), and SSH (port 22) only if you use it, ideally restricted to the source addresses you connect from; a workstation that serves nothing needs no inbound ports at all.

3. Use a vulnerability scanner so that known weaknesses in your system are found before an attacker finds them; without one there is no reliable way to know whether you are exposed. nmap is a basic tool for this and is packaged by practically every Linux distribution; its scripting engine (NSE) includes vulnerability-check scripts. There is an extensive tutorial on using nmap to find hosts exposed to the WannaCry (WannaCrypt) ransomware at https://blog.michaelfmcnamara.com/2017/05/how-to-scan-for-machines-vulnerable-to-wannacrypt-wannacry-ransomware/.

4. Filter executable files in email: it is unusual to receive a legitimate executable as an email attachment, so block at least the extensions .exe, .dll and .bat at the mail gateway; on Linux the equivalents are shell scripts (.sh), self-extracting installers (.run), packages (.deb, .rpm) and bare ELF binaries. Extension filters are easily bypassed by renaming a file or wrapping it in an archive, so scan compressed attachments, and their contents, before anyone opens them.

5. Software updates: this should go without saying, but install security updates promptly and keep doing so. On Debian-based Linux that is sudo apt-get update && sudo apt-get upgrade (the update step refreshes the package lists; without it, upgrade installs nothing new). If you run an antivirus, update its signature database as soon as new definitions are available (freshclam does this for ClamAV).

6. Disable remote access you do not use: ransomware operators regularly get in through exposed remote-desktop services. On Linux that means SSH, VNC and xrdp rather than Windows RDP. If you do not need a service, stop it; if you do, block it at the firewall for everyone except the addresses you connect from.
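The following Python script is an added example, not code from the page, that implements step 4 in a way that survives the two easy bypasses of a plain extension list: a renamed executable and an executable hidden inside an archive. It parses a message with the standard library's email package, checks every attachment's name against a block list, checks the first bytes for a Windows PE ("MZ") or Linux ELF header, and opens zip attachments to apply the same checks to each member, with a size cap so a zip bomb cannot exhaust memory. The Linux extensions (.sh, .run, .deb), the size cap, the nesting limit and the sample message are assumptions made here; the page's original list was .exe, .dll and .bat.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions the page blocks, plus Linux-side equivalents added here as an assumption.
BLOCKED_EXTENSIONS = (".exe", ".dll", ".bat", ".sh", ".run", ".deb")
# Renaming defeats an extension list, so the content is checked too:
# Windows PE files start with "MZ", Linux binaries with the ELF header.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")
MAX_MEMBER_BYTES = 10 * 1024 * 1024   # refuse to expand archive members beyond this (zip-bomb guard)
MAX_DEPTH = 2                          # how many levels of nested archives are opened


def blocked_name(name: str) -> bool:
    return name.lower().endswith(BLOCKED_EXTENSIONS)


def inspect_attachment(name: str, data: bytes, depth: int = 0) -> list:
    """Return the reasons to block this attachment; an empty list means allow."""
    reasons = []
    if blocked_name(name):
        reasons.append(f"{name}: blocked extension")
    if data[:4].startswith(EXECUTABLE_MAGIC):
        reasons.append(f"{name}: executable content despite its name")
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_DEPTH:
            reasons.append(f"{name}: archive nested too deeply to inspect")
            return reasons
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                if member.is_dir():
                    continue
                inner_name = f"{name}/{member.filename}"
                if member.file_size > MAX_MEMBER_BYTES:
                    reasons.append(f"{inner_name}: member too large to inspect")
                    continue
                # Recurse so the same name and content checks apply inside the archive.
                reasons.extend(inspect_attachment(inner_name, zf.read(member), depth + 1))
    return reasons


def scan_message(raw: bytes) -> list:
    """Parse a raw RFC 822 message and collect block reasons over all its attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        payload = part.get_payload(decode=True) or b""
        findings.extend(inspect_attachment(name, payload))
    return findings


def build_sample_message() -> bytes:
    """Constructed test message: a harmless note, a renamed PE file, and a zip
    hiding a shell script and an ELF binary. Not a real phishing sample."""
    msg = EmailMessage()
    msg["From"] = "billing@example.test"
    msg["To"] = "admin@example.test"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment("Meeting at 10.", filename="notes.txt")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                       maintype="application", subtype="pdf", filename="invoice.pdf")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "open install.sh first")
        zf.writestr("install.sh", "#!/bin/sh\necho placeholder\n")
        zf.writestr("helper", b"\x7fELF" + b"\x00" * 60)
    msg.add_attachment(buf.getvalue(),
                       maintype="application", subtype="zip", filename="docs.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for reason in scan_message(build_sample_message()):
        print("BLOCK", reason)
```

Wire scan_message into a milter or a content filter on the mail gateway and reject or quarantine any message for which it returns a non-empty list. The magic-byte check is deliberately limited to native executables; scripts and macro documents need their own rules.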

Ransomware Removal

Files encrypted by some Linux ransomware, KillDisk among them, still cannot be decrypted. Linux.Encoder.1, on the other hand, can be undone: Bitdefender found that its AES keys were derived from the system time at the moment of encryption, which made them predictable, and published a decryption tool. A decrypter script for Linux.Encoder.1 is available at https://github.com/eugenekolo/linux-ransomware-decrypter. Decrypting the files does not remove the malware or close the hole it came through, so clean or rebuild the host and patch the entry point before putting it back online.