No one is immune from cyber-attacks anymore, and that includes Apple and Linux systems. Lately there has been a lot of activity around crypto-ransomware attacks against Linux servers. Given that a very large share of the servers on the Internet run Linux under the hood, this is a critical issue.
February 2019 brought us the ransomware variant B0r0nt0k, which encrypted server contents and then demanded as much as 20 Bitcoins (roughly $75,000 at the time). That was followed by HiddenWasp, a Linux backdoor that gave attackers remote control of the compromised server. In July 2019, QNAPCrypt was found encrypting Linux-based network attached storage systems manufactured by QNAP.
In mid-July and August 2019, Linux servers were found encrypted by yet another ransomware variant, called Lilu or Lilocked. It mainly targeted a small set of file extensions hosted on Linux web servers, including HTML, SHTML, JS, CSS, PHP and INI, renaming each encrypted file with a .lilocked suffix and dropping a #README.lilocked ransom note. How the attackers gained access to these servers and encrypted their files remained unknown, but it may be connected to a TLS flaw in the Exim mail server software.
Defense depends on a backup strategy in which the backup systems are permitted to read from the production systems, but the production systems are never able to write to the backup systems: the backup host pulls, production never pushes. In this way an infected production system cannot reach out and encrypt or delete the backup data. Two further checks belong with this: keep several versioned snapshots rather than a single mirror, so a pull that copies already-encrypted files does not overwrite the last clean copy, and exercise a restore regularly so you know the copies are usable.
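To make the pull model concrete, here is an added example (not code from the article or from any of the reports it cites) of a backup job as it would be scheduled on the backup host, simulated entirely in temporary directories so it runs offline. Both the "production" web root and the snapshot store are local directories created for the demo, the sample files are constructed, and the ransomware indicators it checks for are assumed to be the .lilocked suffix and the #README.lilocked note reported for this family. The job refuses to pull when those indicators are present, so an encrypted tree never displaces the last clean snapshot, and it makes each finished snapshot read-only.

```shell
#!/bin/sh
# Added example, not code from the article: a pull-style backup job as it would
# run on the BACKUP host, simulated in temporary directories so it runs offline.
# Trust direction: the backup host reads production; production holds nothing
# that can write to the snapshot store. In real use the copy step is rsync over
# SSH with a read-only key (see the note below); here both sides are local dirs.
set -eu

PROD=$(mktemp -d)      # stands in for the web root on the production server
BACKUPS=$(mktemp -d)   # stands in for the snapshot store on the backup host

# Constructed sample data: a tiny web root of the file types Lilocked targets.
seed_production() {
    mkdir -p "$PROD/site/css"
    printf '<html>index</html>\n' > "$PROD/site/index.html"
    printf 'body{margin:0}\n'      > "$PROD/site/css/main.css"
    printf '<?php echo 1; ?>\n'    > "$PROD/site/app.php"
}

# Indicator check run BEFORE every pull. Assumed indicators: the .lilocked
# suffix and the #README.lilocked note reported for this family. Prints the
# number of matching paths under the given directory.
count_ransom_indicators() {
    find "$1" \( -name '*.lilocked' -o -name '#README.lilocked' \) | wc -l | tr -d ' '
}

# Pull one snapshot into $BACKUPS/<label>. Refuses with exit status 2 when
# production shows indicators, so an encrypted tree never displaces the last
# clean snapshot. The snapshot is then made read-only on the backup host
# (as root, chattr +i would be the stronger choice).
pull_snapshot() {
    label=$1
    if [ "$(count_ransom_indicators "$PROD")" -ne 0 ]; then
        echo "refusing to pull: ransomware indicators present in $PROD" >&2
        return 2
    fi
    snap="$BACKUPS/$label"
    mkdir "$snap"
    cp -Rp "$PROD/." "$snap/"
    chmod -R a-w "$snap"
    echo "$snap"
}

# Stand-in for the malware: scrambles (base64, not real encryption) each
# targeted file, renames it with the .lilocked suffix and drops the note.
simulate_lilocked() {
    find "$PROD" -type f \( -name '*.html' -o -name '*.css' -o -name '*.php' \) |
    while read -r f; do
        base64 "$f" > "$f.lilocked" && rm "$f"
    done
    printf 'your files are encrypted\n' > "$PROD/site/#README.lilocked"
}

# Restore check: does a snapshot still hold the original index page?
snapshot_intact() {
    [ "$(cat "$1/site/index.html")" = '<html>index</html>' ]
}

# Scenario: clean pull, infection, refused pull, clean snapshot survives.
demo() {
    seed_production
    clean=$(pull_snapshot 2019-08-01)
    simulate_lilocked
    if pull_snapshot 2019-08-02 >/dev/null 2>&1; then
        echo "BUG: pulled an encrypted tree" >&2
        return 1
    fi
    if ! snapshot_intact "$clean"; then
        echo "BUG: clean snapshot damaged" >&2
        return 1
    fi
    echo "clean snapshot $clean intact"
    # An infected production host that somehow reached the store still cannot
    # write into a read-only snapshot (root bypasses mode bits, so skip as root).
    if [ "$(id -u)" -ne 0 ] && cp "$PROD/site/#README.lilocked" "$clean/site/" 2>/dev/null; then
        echo "BUG: snapshot is writable" >&2
        return 1
    fi
    echo "indicator files now on production: $(count_ransom_indicators "$PROD")"
}

demo
```

On a real backup host the `cp` line becomes something like `rsync -a prod:/srv/www/ "$snap/"` (hypothetical host and path), run with an SSH key that production lists in its `authorized_keys` as `restrict,command="rrsync -ro /srv/www" ...`, so even that key can only read one directory tree; the `rrsync` helper ships with rsync. Production is given no key to the backup host at all, which is the whole point of the pull direction. The indicator check is deliberately cheap and specific; a more general version would also alarm on a sudden jump in the fraction of files whose contents no longer match their extension.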
More information about this threat and the Exim vulnerability is available in the articles below.
- ZDNet – Thousands of servers infected with new Lilocked (Lilu) ransomware
- KnowBe4 – Thousands Of Servers Infected With New Lilocked (Lilu) Ransomware
- Security Intelligence – Lilocked Ransomware Infects Thousands of Linux Servers to Encrypt Files
- Sophos Naked Security – Critical TLS flaw opens Exim servers to remote compromise