Linux ransomware
Written by: Farhan Islam-C11 Group
Ransomware in Linux
What is Ransomware?
Ransomware is a very dangerous malware. It restricts users from accessing their system by either locking the system's screen or locking the user's files till the random is paid. Modern day ransomwares are categorized as Crypto Ransomware, which works by encrypting certain files and forces the user to pay online usually using a crypto currency. After the ransom is paid, the user gets a decryption key, and is able to use that to unlock the system.
Linux.Encoder.1
The existence of linux ransomwares weren't discovered until a couple of years ago. Dr.Web Antivirus detected a certain ransomware that attacked linux based systems. This ransomware was known as Linux.Encoder.1. This ransomware didn't just target any file/folder, it targeted the files & folders associated with the web server, this is usually wherever the document root of the web server is located, but it is not limited to it.The ransomware gets root access to system, and it downloads the files with the hackers demands along with a file that has a path to a public RSA (encryption algortighm) key. After that the malicious program starts as a daemon and deletes the original files. Afterwards, the RSA key is used to store AES (Advanced Encryption Standard) keys, which is used by the malicious program to encrypt files on the infected computer.The Linux.Encoder.1 starts by encrypting all the directories in the web server root. The hackers usually specify a string name for file extensions, or a pattern. The ransomware only encrypts the files that meet that criteria. Some common file extensions that are encrypted include .tar.gz , .jpg, .apk, .pub, .mp4, .html
. The following directories are commonly encrypted /home, /root, /var/lib/mysql, /etc/nginx, /var/www
. The following are not encrypted ./, ssh, /usr/bin, /bin, /etc/ssh
Killdisk
Killdisk is another ransomware on linux, which does not decrypt. According to ESET security experts, the linux version of Killdisk does not save the encryption keys or communicate with command and control. Bottom line, even if someone pays the ransom, there is no actual chance of restoring their files. Killdisk uses a 3D AES with 64 bit crypto keys applied in 4kb blocks. The key is also unique for every file. Killdisk also makes the system unbootable, and modifies the bootloader completely. Killdisk is also known to have demanded exorbitant prices for decryption, even though it does not decrypt.
Prevention
Ransomware is usually found in emails and suspicious websites, but it definitely to limited to it. Every user should exercise caution and certain preventive steps should be taken. The following steps shall greatly reduces the chances of being infected with a ransomware.
1.Backup: Backup everything you need, from your databases to important documents. Keep in mind that you have proper backups in multiple location, a ransomware cannot harm you that much. So make a habit of backing up data regularly. This could be done on a USB drive, cloud based storage, etc.
2. Use a Firewall: The uncomplicated firewall on linux is a very basic option,but if configured properly it should do the trick. Usually it's a good idea to block the countries that are infamous for ransomware, namely the domains .cn, .ru, .ro, .in
Limiting traffic to ports that are used by you, not more than that. A regular user should allow HTTP port 80, HTTPS port 443 and maybe SSH port 22 if they need it.
3.Use a vulnerability scanner like to ensure that your system is monitored against threats. There is no surefire way to know your system is vulnerable without using a vulnerability scanner. nMap is a basic tool to do this and is available on all linux distros. There is an extensie tutorial on how to use namp to scan for vulnerability over at [1].
4. Filter executable files in emails : It is not usual to receive an email with an executable file. It would be wise to block at least the following extension types when received as an email attachment .exe, .dll, .bat
. Also it is wise to scan a compressed file type before opening it.
5. Software Update: This should go without saying. It is vital to update the system with security updates at all times. In case of linux sudo apt-get upgrade
. Also make sure to update the antivirus definition files as soon as they are available.
6. Disable Remote Desktop: Ransomwares regularly target remote desktop environment. If you do not require RDP, block it with a firewall.
Ransomware Removal & Recovery
Certain ransomwares like killdisk on linux still cannot be decrypted. Fortunately Linux.Encoder.1 can be removed. BitDefender has a script to take on the Linux.Encoder.1. This script is available at https://github.com/eugenekolo/linux-ransomware-decrypter . Although the tutorials are on github, there is one vital information that is missing there in case your bootloader was encrypted.
1.Boot into the infected server. If bootloader is locked try booting with live usb stick. Mount the infected partion using mount /dev/xxxx
2.Please follow the github tutorial
There is also project https://www.nomoreransom.org with over 40 decryption tools. This project was originally started by DNP,Intel,Kasperky and Europol. Although chances of recovering your files aren't that high, it is still a great initiative to not pay the hackers.
Safest Linux Distros
SubGraph OS: Subgraph is based Debian. It is very heavily protected and is ideal for the truly paranoid. It comes with the following features: 1.Mandatory Full Disk Encryption: Users have no choice but encrypt the entire disk. Subgraph uses shadow encryption, as a result data is protected even if you lose your hard drive or if it fall's into the wrong hands. In other words, your data will not be lost.
2.Online Anonymity: Subgraph routes all your traffic through TOR anonymity network by default, making it difficult for attackers to figure out the actual physical location of their targets. This would ensure the endpoint security.
3.Advanced Proxy Settings: Communications to outside world is carried out by Metaproxy, and it identifies legitimate connections.
4.Kernel Security: Subgraph OS is also hardened by Grsecurity – a set of patches that are designed to make Linux kernel's security vulnerabilities like memory corruption flaws far more difficult to exploit.
5.Oz: Oz is a system for isolating programs so that if an attacker exploits an application security vulnerability, the rest of your machine and your network will remain largely unaffected. Oz makes this possible by delimiting the permission applications have to other parts of the computer, so that when an attacker compromises the security hole in any application it does not allow any malicious activities to take place.