Cyberattackers Now Also Make Linux Versions of Their Ransomware (zdnet.com) 77
"Security firm Kaspersky said Friday that it discovered a Linux version of the RansomEXX ransomware," reports ZDNet, "marking the first time a major Windows ransomware strain has been ported to Linux to aid in targeted intrusions."
RansomEXX is a relatively new ransomware strain that was first spotted earlier this year in June. The ransomware has been used in attacks against the Texas Department of Transportation, Konica Minolta, U.S. government contractor Tyler Technologies, Montreal's public transportation system, and, most recently, against Brazil's court system (STJ)...
The RansomEXX gang creating a Linux version of their Windows ransomware is in tune with how many companies operate today, with many firms running internal systems on Linux, and not always on Windows Server. A Linux version makes perfect sense from an attacker's perspective; always looking to expand and touch as much core infrastructure as possible in their quest to cripple companies and demand higher ransoms. What we see from RansomEXX may soon turn out to be an industry-defining trend, with other big ransomware groups rolling out their Linux versions in the future as well.
And, this trend appears to have already begun. According to cyber-security firm Emsisoft, besides RansomEXX, the Mespinoza (Pysa) ransomware gang has also recently developed a Linux variant from their initial Windows version.
Freedom! (Score:5, Funny)
Isn't it wonderful how even hackers are embracing OSS?
Re:Freedom! (Score:5, Funny)
I'm excited about this news! I've been trying to get them to run under WINE with limited success. Good to know that I'll be able to run them natively.
Re: (Score:2)
LOL look at this person, everyone. He couldn't even get this stupidly-simple Windows Malware working on his Linux box, when it's as simple as setting LD_PRELOAD_C $%^&*(#(*#$*$8
NO CARRIER
Easy solution (Score:1)
Re: (Score:2)
how is this credible threat? (Score:4, Interesting)
The executable to install this malware has to be run by the user. If a person runs an attachment to an email (like an idiot) or makes an "update" to their OS or program with an infected file (like an idiot) then yes they'll get this thing.
Seems easily avoidable to me, except by goddamn idiots.
Re: how is this credible threat? (Score:3)
Re: (Score:2)
Intelligence has to be applied to be useful. Many people do not have the skill or the will for that, even if intelligence is available to them. This is not the only situation where that becomes very clear.
This is a payload, not a vulnerability or exploit (Score:5, Interesting)
Like all payloads, this one requires that *someone* or *something* execute it.
It might be executed directly by attackers after they have established access to the network, as this particular one often is.
More typically a payload is executed by a "dropper", a small piece of attacker-controlled code that doesn't do anything harmful itself, so it's harder to detect. All the dropper does is download and run whichever payload(s) the attacker chose.
The dropper is executed by an "exploit". An exploit might be an Excel exploit triggered when a user opens an infected file, it might be a Remote Desktop exploit that doesn't involve any interaction with the user.
In order for the attacker to do an exploit, the targeted system must have a "vulnerability", something that lets attackers run code or get code run, such as by a user or by a web site script.
Re:how is this credible threat? (Score:5, Funny)
These days all the cool kids are doing
curl *awesome software* | sudo bash
Re:how is this credible threat? (Score:4, Insightful)
Re: (Score:2)
I would conjecture that the supply of idiots in the Linux community is not only vast, but growing. There are some indicators that Linux is losing its edge because too many people think moving to Linux is a valid substitute for actual insight. This does affect the development side as well, unfortunately.
Re: (Score:2)
Re: (Score:2)
Seems easily avoidable to me, except by goddamn idiots.
Yes. But the prevalence of "goddamn idiots" in the human race is high. Hence better technical protections are urgently needed, as are real penalties for organizations and their leadership that do not fix their IT security.
Re: (Score:2)
Re: (Score:2)
So, if it's run by the user, it can only garbage up files owned by the user, right?
I guess there are a few idiots out there who would run it via sudo, but probably not many, and they will certainly get what they deserve.
If I were to somehow get screwed over by this, I'd just log in as root, delete /home/$USER, and reload from my daily backup. This really isn't rocket science folks.
What a joke (Score:5, Informative)
It is ridiculous that the *first* thing out of the gate isn't instructions on how to detect the trojan.
This is literally all you get
https://opentip.kaspersky.com/... [kaspersky.com]
Fuck these guys; they're as bad as ransomware assholes. They just want your money.
Re: What a joke (Score:2)
Re: What a joke (Score:4, Insightful)
It can't do anything unless it is actually run.
Re: What a joke (Score:5, Informative)
It can't do anything unless it is actually run.
Not a problem under Linux:
1) Click on the email file. Oops, Linux doesn't have stupid email programs that allow you to run a program attached to an email. No problem! Click on the attachment, then Save As to the hard drive.
2) Open up a file manager, navigate to where the file is saved, then click on it. Oops, one of two things just happened:
2a) It's a shell script, so it won't run with a mouse click. No problem! Just drop to a shell, then type, "bash [malware file]" to run it. Done. Easy peasy. Any idiot would know what to do!
2b) It's an executable, and won't run since Linux doesn't have brain dead email programs that allow email attachments to run. No Problem! Click on Properties, Permissions, Executable. Then click on the file to run it.
3) Let the infection begin. Of course, at this point, it's really hard to call it an "infection". Given all the manual steps involved, it's really more along the lines of a user determined to run the program. It's no more an "infection" than starting up any other program. The term, "infection" really implies some form of automation (see below).
Contrast this to Windows: download the email and let the infection begin.
Re: (Score:1)
don't forget to chmod +x it too.
Re: (Score:2)
No need, if all you do is "bash [script file]" or ". [script file]" or "exec [script file]".
Re: (Score:2)
Windows is the same, most popular email clients, especially Outlook and web browsers, make it
Re: (Score:2)
Most email apps and servers don't even let you receive executables. Outlook doesn't let you open them by default.
The infection vector is the office applications that open attached documents. There is no reason they can't target LibreOffice or even popular text editors (Unicode did a terrible job), image viewers, PDF viewers etc.
Re: (Score:2)
I didn't know Unicode was Turing complete and had access to OS APIs...
What will they do? Display emojis with äccents in non-closed RTL-layout?
Re: (Score:3)
Nah, just cause a stack overflow and execute native code. One of the many benefits of variable length characters.
Re: (Score:2)
If you offer someone a reasonable reward, they would do it.
But it's not hard in reality. SHAR is a common format (shell archive, basically a self-extracting tarball), and all you have to do is type "sh virus.shar" at a command line.
All you have to do is offer free pr0n or other thing and everyone becomes obedient little puppets.
Proof? I remember when jailbreaking iOS required using ssh and other tools. Far too many instructions had people using PuTTY and such and not changing the default password. It en
Re: (Score:2)
It can't do anything unless it is actually run.
Not a problem under Linux:
Yup. One that comes to mind:
Target attack on a user that runs a repository for a program that they create. Insert an infected version of a commonly used app.
Some users will catch it (as they'll have a guard in software source location), but many will not pay attention to the location that their Firefox is being installed from.
Re: (Score:2)
I tried to look at the link but it wants me to solve a captcha just to read it. Fuck off.
Re: (Score:2)
Yep. Massive problem filling out a captcha, slows you down when posting your racist content.
Finally you admit it.
Re: (Score:2)
That's it, I'm going back to OS/2 (Score:3)
Re: (Score:2)
Re: (Score:2)
Sure it can. In Germany, we had BTX [wikipedia.org] before the Internet. Think BBS with teletext looks.
We did online banking over it, and all you needed was a modem.
But I'm sure a simple FinTS client for the C64 would be possible too.
Re: (Score:2)
Sure, cause everyone who isn't black-eyed enough to install kernel patches written literally by the NSA, must be a conspiracy theorist --.--
We're not all Americans, mate.
And no, nobody you know well enough to trust, has read all that code and verified it for underhanded backdoors. See: OpenSSL.
I think you mean a RBAC system. Which is the generic term.
Ignore the above. Replied to the wrong comment. (Score:2)
Whoops
Re: (Score:3)
Re: (Score:2)
The Amiga was downright plagued with viruses.
I would think there would be viruses for OS/2 as well, because it's still used on many ATMs.
Re: (Score:2)
Surprised it took this long (Score:2)
Re: (Score:2)
The year of the Linux desktop (Score:3)
It's finally upon us!
SELinux (Score:2, Funny)
If you aren't using SELinux for a server and disabling the root account then you just aren't doing your job of securing the server. These two simple things would make ransomware exceptionally difficult to implement.
Re: (Score:2)
Sure, cause everyone who isn't black-eyed enough to install kernel patches written literally by the NSA, must be a conspiracy theorist --.--
We're not all Americans, mate.
And no, nobody you know well enough to trust, has read all that code and verified it for underhanded backdoors. See: OpenSSL.
I think you mean a RBAC system. Which is the generic term.
- - - -
"This exact comment has already been posted." Yeah, because Slashdot focused the wrong textarea field when I typed it before, leading me to reply no my
Re: (Score:2)
That is BS. SELinux is an access control layer. It is easy to find back-doors in there and countless people will have tried by now.
Re: (Score:2)
Both things are not always possible and sometimes exceptionally difficult.
I hope they use Agile (Score:3)
And scrums. And stand-ups: "Today I implemented feature x to royally screw Linux distribution abc. Tomorrow I will port it to Linux distribution xyz. No blockers". Otherwise, they are going to run into trouble maintaining such codebases.
Yes, as the Brits say, I am taking the mickey out of Agile.
Re: (Score:2)
Can you translate that cockney rhyming slang for us, ol' chap?
Sincerely,
Mr. Mouse [youtube.com]
OK I scanned the article (Score:3)
Re: (Score:1)
Re: (Score:2)
Probably firing employees who then go on to write that ransomware. :)
Or attacking people who then retaliate with trojans.
Or leaking trojans that then become modified as ransomware.
Sincerely,
somebody with friends who know friends who work at the Mossad
Re: (Score:3)
Those hardened Linux servers are typically used for important assets within a corporation... However, most of these corporations also have a standard desktop which everyone is forced to use. This standard desktop will usually be windows, and usually joined to a centralised domain.
The people who are responsible for managing the important linux systems will also be forced to use these windows desktops to manage them, so while the linux servers on their own may be hardened in reality they are only as strong as
Re: (Score:1)
This.
You don't need an exploit to get into the server, you just need to grab the credentials of the server on the less secure machine from which it is managed.
Re: (Score:2)
you just need to grab the credentials of the server on the less secure machine
What sys admin in their right mind uses a Windows domain controller to handle access to their Linux servers? One might use a Linux system as a domain controller for desktops. But not to control access back to that server itself.
And if you do run a part of the Windows ecosystem on a Linux box, don't run it as root.
Re: (Score:2)
you just need to grab the credentials of the server on the less secure machine
What sys admin in their right mind uses a Windows domain controller to handle access to their Linux servers? One might use a Linux system as a domain controller for desktops. But not to control access back to that server itself.
And if you do run a part of the Windows ecosystem on a Linux box, don't run it as root.
Ones hired by CTOs that know Windows. Or that have a standard desktop policy. Chances are that the ssh credentials are cached in PuTTY anyway...
Re: (Score:2)
Regarding centralized password management:
Not in any sane implementation. Such systems only store the hashes. Never the passwords or even pure hashes.
Re: (Score:2)
I'm guessing via the non-standard software installed on that server. I don't mean stuff like file servers or what have you, but 3rd party software. You can harden that server however you want, if you run Magento, Oracle, Jira et cetera, then that's your entry point. And if I read the article correctly, it's not that the hackers run the malware on the hardened server, it's just that they use the malware as a stepping stone on workstations, and then don't run the encryption bit so they can keep using it as a
no need (Score:1)
Ransomware on Linux? Let me laugh... (Score:1)
Oh, you were serious? Let me laugh even harder!
--Bender Rodriguez
Oh no, a luser got their files encrypted. Is that similar to lusers deleting their important work files with rm -f ? I might have to recover from backups.
--non-BOFH
Yay more linux ports! (Score:1)
um, hate to ask the obvious question, but... (Score:3)
what libraries were used to build this ransomware, and did the authors obey the licenses?
Is this ransomware under GPL2 or GPL3? (or do we need a new opensource license?)
Is the source on GitHub?
Is it implemented in my preferred Unix-ey way as a set of small programs that each do one thing VERY WELL, or is it a bit more like systemd?
[smile][ducks and runs for cover]
Finally (Score:2)
I had been stuck having to run windows just so I can get victimized by ransomware, with this and the porting of Calc.exe last month I can finally switch entirely to Linux.
This was bound to happen. (Score:2)
With Linux getting critical mass, this was bound to happen. The more prevalent an ecosystem becomes, the more are going to be part of it and try to benefit from that. That goes for parasites as well. The upside with Linux is that I have my safety under my own control and not some bizarre decisions made by someone in some software megacorp.
Which "Linux"? (Score:3)
There is *quite* the difference between my custom ricer Gentoo server built from stage 1 (!) in the 2000s that has a ton of unusual modifications, and the Mint/Ubuntu/Debian/Snap/Flatpak/systemd Lovecraftian abomination on my laptop. And that's not even factoring in things like RBAC systems.
Less experienced people call it "fragmentation". I call it "healthy avoidance of monoculture".
Re: (Score:2)
There is *quite* the difference between my custom ricer Gentoo server built from stage 1 (!) in the 2000s that has a ton of unusual modifications, and the Mint/Ubuntu/Debian/Snap/Flatpak/systemd Lovecraftian abomination on my laptop. And that's not even factoring in things like RBAC systems.
Less experienced people call it "fragmentation". I call it "healthy avoidance of monoculture".
Likewise. My main box is Gentoo and I trust it; the laptops are Ubuntu and I just assume they'll be fucked by some sort of systemd bug when things get critical.
Windows ransomware ported to Linux? (Score:2)
Information Security (Score:1)
Linux is easier today (Score:1)
Time for non-x86/x64 hardware (Score:2)
Or is it interpreted?
If it is a binary then it has to target the most common arch. of x86/x64, and probably does not even consider ARM. So my Pinebook Pro, (an ARM64 laptop), is good to go as mitigation for that problem. (Of course, there more than likely are Linux on ARM/ARM64 attacks, but they are probably through Android or Apple iOS.)
Of course, assuming I do get hit, can they privilege escalate to "root"?
If not, then I am covered by a combination of:
- Home f
Backups (Score:1)
All of you have backups of your stuff, right? If not, take a few hundred bucks and get some external USB spindles. I've been rotating mine for over a decade. Backup stuff, move one to a safe or offsite and get the other one. Backup every week minimum, rotate every month.
It's great insurance even for bad disks. I blew a 4 TB disk recently. Didn't lose much of anything. I had just done a backup. Ordered a new one, put it in, back in action!