carbonite logo

Commonly searched topics:

backupcloud backupaccount sign in

Article · Aug 15, 2017

Ransomware threatens Linux servers, especially web servers

Color illustration of laptop screen showing a security warning.

Linux is an open source operating system that is very versatile due to the large group of volunteers that maintain and update the popular open source operating system. There are a broad range of Linux distributions aimed at different purposes and preferences. Some are built for specific tasks such as privacy protection or perimeter defense and a host of options are available for both desktop and server operating systems.

Linux has been around for decades, yet it only claims 2.36% of the desktop operating system market share. Linux is much more popular on the back end where it resides on approximately 11% of servers and 35% of web servers.

Linux is similar to Mac OS/X in that both operating systems claim a lower market share than Microsoft Windows and fewer ransomware attacks target the operating system. This is largely a matter of practicality. Cybercriminals want to get the best bang for their buck, so they target the platforms that are dominant. But that doesn't mean Linux is immune to the ransomware threat. Since Linux is most often used for web servers, the majority of ransomware targeting Linux users is designed specifically to exploit web servers and encrypt web server files.

Erebus is a form of ransomware that infects Linux machines through malicious advertisements, also known as malvertising, or through system vulnerabilities. Erebus is capable of encrypting over 433 file types, but it is designed to target web servers and web server data such as HTML, Java, and PHP files. Erebus encrypts the data with an AES key that is unique for each file and renames them with the .ecrypt extension. The AES keys are then encrypted with an RSA-2048 bit encryption algorithm. Erebus starts a fake Bluetooth service that will reinitialize the ransomware if the server is restarted or if the ransomware is disabled.

Erebus typically demands .085 bitcoins and threatens to delete files within 96 hours if the ransom is not paid. However, the ransom demanded during a recent attack on South Korean hosting company NAYANA was around 4 bitcoins each for the 153 servers Erebus infected. The total demand was $1.62 million, and NAYANA settled with the extortionists for around $1 million, according to reports.

Linux.Encoder is ransomware virus that targets Linux-based web hosting systems such as Magento, cPanel and Ajenti. Linux.Encoder encrypts files in the directory it is executed in and then it proceeds to encrypt web directories such as /hone, /root, /var/lib/mysql, /var/www, /etc/nginx, /etc/apache2, and /var/log. It then encrypts all remaining files that have public_html, www, webapp, backup.git or .svn in the name.

Linux.Encoder is distributed inside of a file called general.rtf, and it must be executed with administrative privileges. Once encryption completes, the ransomware displays a file called README_FOR_DECRYPT.txt, demanding a ransom of one bitcoin. Linux.Encoder is the Linux version of KeRanger, which targets Mac users.

Encryptor RaaS
Encryptor RaaS was a Ransomware as a Service (RaaS) tool that allowed extortionists to utilize a web portal over Tor to manage ransoms. It could infect a variety of operating systems including Linux. It signed its code with certificates that passed checks and used relatively advanced counter-anti-virus software. However, Encryptor RaaS abruptly became unavailable when authorities discovered some of the Encryptor RaaS software hosted on legitimate cloud services. Authorities shut down the cloud servers, and the author removed content and decryption files in an effort to cover his tracks. Unfortunately, this prevented any further Encryptor RaaS infections from being decrypted.

KillDisk masquerades as ransomware, but it is really just a form of destructive malware. KillDisk encrypts files with AES and adds DoN0t0uch7h!$CrYpteDfilE to the end of each file. The ransomware modifies the GRUB bootloader to display the ransom text demanding 222 bitcoins. However, victims who pay the ransom are not able to get their data back.

Rex ransomware is another virus that targets Linux web servers. It utilizes vulnerability scanners specific to Drupal, WordPress, Magento, Kerner, Airos, Exagrid, and Jetspeed to detect SQL injection vulnerabilities that it can exploit to gain the admin credentials. Rex then locks blog posts and modifies the victim website to state that the site is locked until 1.4 bitcoins is paid. Rex increases the ransom amount as time passes and threatens to make the server vulnerable to other attacks until the ransom is paid.

FairWare is a ransomware that targets Linux web servers and demands a ransom of  two bitcoins. FairWare deletes the contents of the www folder to take the website offline. The ransomware informs victims that they will lose their data entirely if they do not pay within two weeks and that sensitive data may be released to the public.

KimcilWare is another Linux ransomware that targets the Magento platform. It encrypts files using the Rijndael block cipher and changes extensions to .kimcilware. KimcilWare ransoms range from 1-5 bitcoins depending on which version of KimcilWare infects the machine.

Protecting yourself
Linux users must be prepared to deal with ransomware, especially if they are using a Linux based web server. Ensure that the web server patches are kept up to date, and that vendor recommended security configuration changes are made promptly. Next, ensure that all critical data is backed up to with reliable backup and disaster recovery solutions provider.


Eric Vanderburg

Eric Vanderburg is an information security executive and author known for his insight on cybersecurity, privacy, data protection and storage. Some have called him the “Sheriff of the Internet” because his cybersecurity team at JurInnov protects companies from cyberthreats, investigates data breaches, and provides guidance on safe computing. Eric is passionate about sharing cybersecurity and technology news, insights and best practices. He regularly presents on security topics and maintains a security blog. You can find him throughout the day posting valuable and informative content on his social media channels.

Related content