How to deal with ransomware on Linux (and MacOS)
For years Linux, and its close relative MacOS, were lauded for the high degree of security they offered compared to Windows. This may still be true to some extent, but if it is, the gap is closing. To be fair, part of the reason is that Microsoft has put serious effort into improving the security of Windows. The other part, however, is that the nature of malware is changing, making Linux and MacOS more tempting targets. With that in mind, here is what you need to know about ransomware on Linux.
At present, the main threat to Linux comes from Lilu/Lilocked
Lilu, also known as Lilocked, is believed to have emerged sometime around mid-July 2019. It follows the standard template of encryption ransomware. At present, however, it only seems to be capable of encrypting web and media files, e.g. CSS, HTML, JS, PHP and image files. Unlike its counterparts for Windows, it does not currently appear to be able to encrypt system files.
There is also a variant of KillDisk which contains a pseudo-ransomware function
KillDisk has long been known as disk-wiping malware; however, there is a newer variant of it which encrypts data and sends a ransom message. At present, it is believed that the Linux variant of KillDisk creates an encryption key that is neither stored nor transmitted to the cybercriminals behind it. If this is true, then paying the ransom would be a very expensive waste of time, because nobody holds a key that could decrypt the data.
MacOS has been attacked by Patcher and KeRanger
Both of these are known threats and Apple has taken action against them as have the cybersecurity companies. That said, when a threat is successful, more threats tend to follow. The simple fact of the matter is that Macs are premium devices and therefore tend to be bought by people who are likely to have the money to pay off extortionists.
Malware threats on Linux and MacOS have been on the increase
In IT circles, 2019 may go down as the year malware finally came for Linux. It saw attacks from EvilGnome (spyware), GoLang (a cryptojacker), Hiddenwasp (a trojan), Silex (a bricking worm), and Zombieload (spyware). Malware attacks on MacOS have been around for decades, but have seen a noticeable increase in recent years.
Protecting against ransomware attacks on Linux and MacOS
The good news for Linux and MacOS users is that the same precautions which protect Windows users can also protect users of Linux and MacOS. These start with proper security software including an anti-malware tool (with an email scanner if relevant) and a firewall. Additionally, you need to make sure that your operating system and applications are promptly updated.
It’s impossible to overstate the importance of this in the Windows environment and it’s at least as important in the Linux and MacOS environments. To be blunt, updates can be one area where Linux users are at a significant disadvantage compared to users of MacOS and Windows.
If you use open-source software, you either need to wait for someone else to develop an update to fix an issue or do it yourself. For this reason, it can be safer to use a Linux distro where there is some form of commercial support, but the onus is still on you to apply the updates no matter how busy you are. If you can’t manage this, then you need to find a managed IT services vendor who can deal with it for you.
Additionally, you need solid usage protocols, and a process for ensuring that these are reviewed and, if necessary, updated regularly. The fact that Linux is mainly used for servers means there is less risk of users innocently blundering onto compromised websites or opening a malicious email attachment. There is, however, much more scope for admin users to make mistakes, or, bluntly, to infect a server on purpose, hence access controls are essential.
Data backups are your last line of defense against ransomware
You never want to go through the hassle of dealing with a ransomware attack, but it can be a whole lot less frustrating if you know that you can safely ignore the ransom demand because you have a data backup from which you can restore. Remember, however, that any storage which is internal to, or attached to, the server can also be compromised by the ransomware, especially if you run an automated backup to it. This means that you absolutely must have a second backup copy which is kept disconnected from your server.
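The point above, that a backup the server can reach is only trustworthy if you can tell whether it was touched, as an added example that is not from the original article: a POSIX shell script that snapshots a directory, records a SHA-256 manifest of every file, and later checks the snapshot against a manifest stored in a separate "ledger" directory. The ledger directory stands in for the disconnected copy the text calls for; all paths and sample files are constructed for the demonstration, `sha256sum` is assumed to be the GNU coreutils one, and the function names (`make_backup`, `verify_backup`, `list_tampered`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article). Snapshot a directory into a
# timestamped backup, record a SHA-256 manifest of every file, and later check
# the snapshot against a manifest kept elsewhere. A backup that ransomware has
# rewritten or renamed on a reachable volume then fails verification instead
# of being trusted blindly. All paths are constructed for the demonstration.
# Assumes GNU coreutils sha256sum (on macOS substitute "shasum -a 256").
set -eu

# abspath PATH: print PATH as an absolute path (needed because we cd below).
abspath() {
    case "$1" in /*) printf '%s\n' "$1" ;; *) printf '%s\n' "$PWD/$1" ;; esac
}

# make_backup SRC DEST_ROOT LEDGER
#   Copies SRC into a fresh snapshot directory under DEST_ROOT and writes the
#   manifest both inside the snapshot and into LEDGER. LEDGER stands in for
#   storage the server cannot overwrite (the detached copy the text calls for);
#   the copy inside the snapshot is only a convenience and is itself at risk.
#   Prints the snapshot path.
make_backup() {
    src=$1; dest_root=$2; ledger=$3
    mkdir -p "$dest_root" "$ledger"
    snap=$(mktemp -d "$dest_root/snapshot-$(date +%Y%m%d-%H%M%S)-XXXXXX")
    cp -R -p "$src/." "$snap/"
    name=$(basename "$snap")
    # One "hash  ./relative/path" line per regular file, sorted by path.
    (cd "$snap" && find . -type f ! -name MANIFEST.sha256 -exec sha256sum {} + | sort -k 2) \
        > "$ledger/$name.sha256"
    cp "$ledger/$name.sha256" "$snap/MANIFEST.sha256"
    printf '%s\n' "$snap"
}

# verify_backup SNAP MANIFEST
#   Returns 0 only if every file listed in MANIFEST exists in SNAP with an
#   unchanged hash; any rewritten, truncated or renamed file makes it return 1.
verify_backup() {
    manifest=$(abspath "$2")
    (cd "$1" && sha256sum -c "$manifest" >/dev/null 2>&1)
}

# list_tampered SNAP MANIFEST
#   Prints the manifest paths whose check did not pass (changed or missing).
list_tampered() {
    manifest=$(abspath "$2")
    (cd "$1" && sha256sum -c "$manifest" 2>/dev/null | grep -v ': OK$' | sed 's/: .*$//') || true
}

# Demonstration on constructed data: a fresh snapshot verifies cleanly; after a
# simulated in-place encryption and a rename it does not, and the affected
# files are listed.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src/site"
    printf 'body { color: red; }\n' > "$work/src/site/style.css"
    printf '<p>hello</p>\n' > "$work/src/site/index.html"
    snap=$(make_backup "$work/src" "$work/backups" "$work/ledger")
    manifest="$work/ledger/$(basename "$snap").sha256"
    if verify_backup "$snap" "$manifest"; then
        echo "fresh snapshot: intact"
    fi
    # What ransomware does to a backup it can reach: rewrite and rename files.
    printf 'ciphertext placeholder\n' > "$snap/site/style.css"
    mv "$snap/site/index.html" "$snap/site/index.html.locked"
    if ! verify_backup "$snap" "$manifest"; then
        echo "after tampering: verification failed for:"
        list_tampered "$snap" "$manifest"
    fi
    rm -rf "$work"
}
demo
```

Run `verify_backup` against the ledger copy of the manifest before every restore, not against the `MANIFEST.sha256` inside the snapshot, since anything on the attached volume can be rewritten along with the data. The script cannot make storage disconnected: the ledger directory, and the second backup copy itself, still have to live on media that is physically unplugged between runs or on a host the server has no write access to.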
Please click here now to start your free 30-day trial of Comodo AEP.