Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Linux

Cyberattackers Now Also Make Linux Versions of Their Ransomware (zdnet.com) 77

"Security firm Kaspersky said Friday that it discovered a Linux version of the RansomEXX ransomware," reports ZDNet, "marking the first time a major Windows ransomware strain has been ported to Linux to aid in targeted intrusions." RansomEXX is a relatively new ransomware strain that was first spotted earlier this year in June. The ransomware has been used in attacks against the Texas Department of Transportation, Konica Minolta, U.S. government contractor Tyler Technologies, Montreal's public transportation system, and, most recently, against Brazil's court system (STJ)...

The RansomEXX gang creating a Linux version of their Windows ransomware is in tune with how many companies operate today, with many firms running internal systems on Linux, and not always on Windows Server. A Linux version makes perfect sense from an attacker's perspective; always looking to expand and touch as much core infrastructure as possible in their quest to cripple companies and demand higher ransoms. What we see from RansomEXX may soon turn out to be an industry-defining trend, with other big ransomware groups rolling out their Linux versions in the future as well.

And, this trend appears to have already begun. According to cyber-security firm Emsisoft, besides RansomEXX, the Mespinoza (Pysa) ransomware gang has also recently developed a Linux variant from their initial Windows version.

This discussion has been archived. No new comments can be posted.

Cyberattackers Now Also Make Linux Versions of Their Ransomware

Comments Filter:
  • Freedom! (Score:5, Funny)

    by Tablizer ( 95088 ) on Saturday November 07, 2020 @07:36PM (#60697674) Journal

    Isn't it wonderful how even hackers are embracing OSS?

  • by Anonymous Coward
    Just don't install WINE on your servers.
  • by iggymanz ( 596061 ) on Saturday November 07, 2020 @07:45PM (#60697704)

    The executable to install this malware has to be run by user. If a person runs attachmen to email (like an idiot) or makes "update" to their OS or program with infected file (like an idiot) then yes they'll get this thing.

    Seems easily avoidable to me, except by goddamn idiots.

    • Never bet against stupid. Surprisingly, intelligence does not correlate with stupid.
      • by gweihir ( 88907 )

        Intelligence has to be applied to be useful. Many people do not have the skill or the will for that, even if intelligence is available to them. This is not the only situation where that becomes very clear.

    • by raymorris ( 2726007 ) on Saturday November 07, 2020 @08:30PM (#60697820) Journal

      Like all payloads, this one requires that *someone* or *something* execute it.

      It might be executed directly by attackers after they have established access to the network, as this particular one often is.

      More typically a payload a payload is executed by a "dropper", a small piece of attacker-controlled code that doesn't do anything harmful itself, so it's harder to detect. All the dropper does is download and run whichever payload(s) the attacker chose.

      The dropper is executed by an "exploit". An exploit might be an Excel exploit triggered when a user opens an infected file, it might be a Remote Desktop exploit that doesn't involve any interaction with the user.

      In order for the attacker to do an exploit, the targeted system must have a "vulnerability", something that lets attackers run code or get it code run, such as by a user or by a web site script.

    • by twistedcubic ( 577194 ) on Saturday November 07, 2020 @08:36PM (#60697830)

      These days all the cool kids are doing

      curl *aweomse software* | sudo bash

    • by bloodhawk ( 813939 ) on Saturday November 07, 2020 @09:04PM (#60697896)
      that is the attack vector for the vast majority of successful malware so the reality is people WILL run it. The supply of idiots is vast and plentiful even in the linux community.
      • by gweihir ( 88907 )

        I would conjecture that the supply of idiots in the Linux community is not only vast, but growing. There are some indicators that Linux is losing its edge because too many people think moving to Linux is a valid substitute for actual insight. This does affect the development side as well, unfortunately.

        • yep it is an unfortunate side effect of trying to bring more people in. The same idiots that can't safely run a Microsoft environment will fail just as badly in a Linux environment. There is no immunization against stupidity and the OS can only do so much to protect.
    • by gweihir ( 88907 )

      Seems easily avoidable to me, except by goddamn idiots.

      Yes. But the prevalence of "goddamn idiots" in the human race is high. Hence better technical protections are urgently needed, as are real penalties for organizations and their leadership that do not fix their IT security.

    • When you have a large company, it is likely that you have at least one idiot who will run it. Then the attacker has a foothold to attack with that users privileges, and can usually find a system to elevate those privileges. And now they can also use Linux as a platform. So, FreeBSD file servers for the win!
    • So, if it's run by the user, it can only garbage up files owned by the user, right?

      I guess there are a few idiots out there who would run it via sudo, but probably not many, and they will certainly get what they deserve.

      If I were to somehow get screwed over by this, I'd just login as root, delete /home/$USER, and reload from my daily backup. This really isn't rocket science folks.

  • What a joke (Score:5, Informative)

    by nyet ( 19118 ) on Saturday November 07, 2020 @07:45PM (#60697708) Homepage

    It is ridiculous that the *first* thing out of the gate isn't instructions on how to detect the trojan.

    This is literally all you get
    https://opentip.kaspersky.com/... [kaspersky.com]

    Fuck these guys; they're as bad as ransomware assholes. They just want your money.

    • Why would you need instructions on how to detect it when it encrypts your files and makes them unreadable? Is that not enough of a clue for you?
      • Re: What a joke (Score:4, Insightful)

        by nyet ( 19118 ) on Saturday November 07, 2020 @08:23PM (#60697808) Homepage

        It can't do anything unless it is actually run.

        • Re: What a joke (Score:5, Informative)

          by StormReaver ( 59959 ) on Saturday November 07, 2020 @10:04PM (#60698026)

          It can't do anything unless it is actually run.

          Not a problem under Linux:

          1) Click on the email file. Oops, Linux doesn't have stupid email programs that allow you to run a program attached to an email. No problem! Click on the attachment, then Save As to the hard drive.

          2) Open up a file manager, navigate to where the file is saved, then click on it. Oops, one of two things just happened:
          2a) It's a shell script, so it won't run with a mouse click. No problem! Just drop to a shell, then type, "bash [malware file]" to run it. Done. Easy peasy. Any idiot would know what to do!
          2b) It's an executable, and won't run since Linux doesn't have brain dead email programs that allow email attachments to run. No Problem! Click on Properties, Permissions, Executable. Then click on the file to run it.
          3) Let the infection begin. Of course, at this point, it's really hard to call it an "infection". Given all the manual steps involved, it's really more along the lines of a user determined to run the program. It's no more an "infection" than starting up any other program. The term, "infection" really implies some form of automation (see below).

          Contrast this to Windows: download the email and let the infection begin.

          • by nyet ( 19118 )

            don't forget to chmod +x it too.

          • by AmiMoJo ( 196126 )

            Windows is the same, most popular email clients, especially Outlook and web browsers, make it

          • by AmiMoJo ( 196126 )

            Most email apps and servers don't even let you receive executables. Outlook doesn't let you open them by default.

            The infection vector is the office applications that open attached documents. There is no reason they can't target LibreOffice or even popular text editors (Unicode did a terrible job), image viewers, PDF viewers etc.

            • I didn't know Unicode was Turing complete and had access to OS APIs...

              What will they do? Display emojis with äccents in non-closed RTL-layout?

              • by AmiMoJo ( 196126 )

                Nah, just cause a stack overflow and execute native code. One of the many benefits of variable length characters.

          • by tlhIngan ( 30335 )

            If you offer someone a reasonable reward, they would do it.

            But it's not hard in reality. SHAR is a common format (shell archive, basically a self-extracting tarball), and all you have to do it is type "sh virus.shar". at a command line.

            All you have to do is offer free pr0n or other thing and everyone becomes obedient little puppets.

            Proof? I remember when jailbreaking iOS required using ssh and other tools. Far too many instructions had people using PuTTY and such and not changing the default password. It en

          • It can't do anything unless it is actually run.

            Not a problem under Linux:

            Yup. One that comes to mind:

            Target attack on a user that runs a repository for a program that they create. Insert an infected version of a commonly used app.

            Some users will catch it (as they'll have a guard in software source location), but many will not pay attention to the location that their Firefox is being installed from.

    • by AmiMoJo ( 196126 )

      I tried to look at the link but it wants me to solve a captcha just to read it. Fuck off.

    • Since all of the ones found so far are custom compiled for a specific target, it is had to find a signature...
  • by jfdavis668 ( 1414919 ) on Saturday November 07, 2020 @07:49PM (#60697724)
    Or maybe Amiga OS. Something that died before these hackers were born.
  • Oh well, Time to cut the smug act and roll up my sleeves. Offline backups first, then disk activity monitors. I'm not much of a target, but they shoot anybody..
    • Backups need to be out of band, on a different systems with isolated credentials. Like a small Linux appliance that copy's all of the data on a file share to Backblaze. And not on the domain... :)
  • by dysmal ( 3361085 ) on Saturday November 07, 2020 @08:17PM (#60697804)

    It's finally upon us!

  • SELinux (Score:2, Funny)

    by Gravis Zero ( 934156 )

    If you aren't using SELinux for a server and disabling the root account then you just aren't doing your job of securing the server. These two simple things would make ransomware exceptionally difficult to implement.

    • Sure, cause everyone who isn't black-eyed enough to install kernel patches written literally by the NSA, must be a conspiracy theorist --.--
      We're not all Americans, mate.

      And no, nobody you know well enough to trust, has read all that code and verified it for underhanded backdoors. See: OpenSSL.

      I think you mean a RBAC system. Which is the generic term.

      - - - -
      "This exact comment has already been posted." Yeah, because Slashdot focused the wrong textarea field when I typed it before, leading me to reply no my

      • by gweihir ( 88907 )

        That is BS. SELinux is an access control layer. It is easy to find back-doors in there and countless people will have tried by now.

    • by gweihir ( 88907 )

      Both things are not always possible and sometimes exceptionally difficult.

  • by OneHundredAndTen ( 1523865 ) on Saturday November 07, 2020 @08:43PM (#60697846)

    And scrums. And stand-ups: "Today I implemented feature x to royally screw Linux distribution abc. Tomorrow I will port it to Linux distribution xyz. No blockers". Otherwise, they are going to run into trouble maintaining such codebases.

    Yes, as the Brits say, I am taking the mickey out Agile.

  • by oldgraybeard ( 2939809 ) on Saturday November 07, 2020 @09:37PM (#60697964)
    this gets on a hardened server? How?
    • Comment removed based on user account deletion
      • Probably firing employees who then go on to write that ransomware.
        Or attacking people who then retaliate with trojans.
        Or leaking trojans that then become modified as ransomware.
        Sincerely,
        somebody with friends who know friends who work at the Mossad :)

    • by Bert64 ( 520050 )

      Those hardened Linux servers are typically used for important assets within a corporation... However, most of these corporations also have a standard desktop which everyone is forced to use. This standard desktop will usually be windows, and usually joined to a centralised domain.

      The people who are responsible for managing the important linux systems will also be forced to use these windows desktops to manage them, so while the linux servers on their own may be hardened in reality they are only as strong as

      • This.

        You don't need an exploit to get into the server, you just need to grab the credentials of the server on the less secure machine from which it is managed.

        • by PPH ( 736903 )

          you just need to grab the credentials of the server on the less secure machine

          What sys admin in their right mind uses a Windows domain controller to handle access to their Linux servers? One might use a Linux system as a domain controller for desktops. But not to control access back to that server itself.

          And if you do run a part of the Windows ecosystem on a Linux box, don't run it as root.

          • you just need to grab the credentials of the server on the less secure machine

            What sys admin in their right mind uses a Windows domain controller to handle access to their Linux servers? One might use a Linux system as a domain controller for desktops. But not to control access back to that server itself.

            And if you do run a part of the Windows ecosystem on a Linux box, don't run it as root.

            Ones hired by CTOs that know Windows. Or that have a standard desktop policy. Chances are that the ssh credentials are cached in putty anyway...

      • Regarding centralized password management:
        Not in any sane implementation. Such systems only store the hashes. Never the passwords or even pure hashes.

    • I'm guessing via the non-standard software installed on that server. I don't mean stuff like file servers or what have you, but 3rd party software. You can harden that server however you want, if you run Magento, Oracle, Jira et cetera, then that's your entry point. And if I read the article correctly, it's not that the hackers run the malware on the hardened server, it's just that they use the malware as a stepping stone on workstations, and then don't run the encryption bit so they can keep using it as a

    • Doesn't need to get to server, just encrypt the files in your mount points.
  • by Anonymous Coward

    Oh, you were serious? Let me laugh even harder!
    --Bender Rodriguez

    Oh no, a luser got their files encrypted. Is that similar to lusers deleting their important work files with rm -f ? I might have to recover from backups.
    --non-BOFH

  • by tiqui ( 1024021 ) on Sunday November 08, 2020 @03:15AM (#60698520)

    what libraries were used to build this ransomware, and did the authors obey the licenses?

    Is this ransomware under GPL2 or GPL3? (or do we need a new opensource license?)

    Is the source on GitHub?

    Is it implemented in my preferred Unix-ey way as a set of small programs that each do one thing VERY WELL, or is it a bit more like systemd?

    [smile][ducks and runs for cover]

  • I had been stuck having to run windows just so I can get victimized by ransomware, with this and the porting of Calc.exe last month I can finally switch entirely to Linux.

  • With Linux getting critical mass, this was bound to happen. The more prevalent a eco-system becomes, the more are going to be part of it and try to benefit from that. That goes for parasites aswell. The upside with Linux is, that I have my safety under my own control and not some bizarre decisions made by someone in some software megacorp.

  • by BAReFO0t ( 6240524 ) on Sunday November 08, 2020 @07:09AM (#60698868)

    There is *quite* the difference between my custom ricer Gentoo server built from stage 1 (!) in the 2000s that has a ton of unusual modifications, and the Mint/Ubuntu/Debian/Snap/Flatpack/systemd Lovecraftian abomination on my laptop. And that's not even factoring in things like RBAC systems.

    Less experienced people call it "fragmentation". I call it "healthy avoidance of monoculture".

    • by nagora ( 177841 )

      There is *quite* the difference between my custom ricer Gentoo server built from stage 1 (!) in the 2000s that has a ton of unusual modifications, and the Mint/Ubuntu/Debian/Snap/Flatpack/systemd Lovecraftian abomination on my laptop. And that's not even factoring in things like RBAC systems.

      Less experienced people call it "fragmentation". I call it "healthy avoidance of monoculture".

      Likewise. My main box is Gentoo and I trust it; the laptops are Ubuntu and I just assume they'll be fucked by some sort of systemd bug when things get critical.

  • How does this ransomware load and run on Linux, without opening a malicous email attachment or clicking on a malicous weblink. Besides which, I thought virtually nobody was using Linux on the desktop.
  • Ransomware is pretty tough to deal with. I utilize computers for my job, and other things. I remember having to walk somebody through on the phone to get to use Kaspersky TDSSkiller to resolve the issue outside of the operating system. I just hope that it does not become more complicated resolve in the future. https://pamsbizstartuppixie.wo... [wordpress.com]
  • I've been commenting about this for years, but the only thing that differentiates Windows from Linux is that Linux had (keyword) been so obtuse an OS to use as a daily driver that the average person wouldnt use it. Modern Linux distros have changed that and so now there is a greater reason for hackers, crackers and script kiddies to pay attention to Linux. Anybody remember the SSH vulnerability from a few years ago or the glibc vulnerability? These had been present for over a decade. I don't think Linux is
  • Does this ransomware run as a binary?
    Or is it interpreted?

    If it is a binary then it has to target the most common arch. of x86/x64, and probably does not even consider ARM. So my Pinebook Pro, (an ARM64 laptop), is good to go as mitigation for that problem. (Of course, their more than likely are Linux on ARM/ARM64 attacks, but they are probably through Android or Apple iOS.)

    Of course, assuming I do get hit, can they privilege escalate to "root"?

    If not, then I am covered by a combination of;
    - Home f
  • All of you have backups of your stuff, right? If not, take a few hundred bucks and get some external USB spindles. I've been rotating mine for over a decade. Backup stuff, move one to a safe or offsite and get the other one. Backup every week minimum, rotate every month.

    It's great insurance even for bad disks. I've blew a 4 TB disk recently. Didn't lose much of anything. I had just done a backup. Ordered a new one, put it in, back in action!

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...