Ransom Variants Target Linux Servers

No one is immune from cyber-attacks anymore, and that includes Apple and Linux systems.  Lately there has been a lot of activity around crypto-ransomware attacks against Linux servers.  When you consider that a very large percentage of servers working on the Internet are running Linux under the hood, this is a critical issue.

February 2019 brought us the ransomware variant B0r0nt0k, which encrypted server contents and then demanded as much as 20 Bitcoins ($75 K). That was followed by HiddenWasp, which attacked Linux servers to achieve remote control of the affected server. In July 2019, QNAPCrypt was found encrypting Linux-based network attached file storage systems manufactured by QNAP.

In mid-July and August 2019, Linux server systems were found to be encrypted with yet another ransomware variant called Lilu or Lilocked. This ransomware mainly targeted a small subset of file extensions, including HTML, SHTML, JS, CSS, PHP and INI, hosted on Linux web servers. The means by which attackers gained access to these servers and encrypted their files remained unknown, but may be connected to TLS flaws in Exim email software.

Defense depends on having a data backup strategy that allows backup systems permission to access production systems, but prevents these production systems from writing to the backup systems. In this way, infected production systems are prevented from encrypting the backup data.
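The pull model described above, as an added Python sketch that is not part of the original post, meant to run on the backup host. It goes one step beyond the text by keeping each pull as a separate snapshot, since a pull will faithfully copy files that are already encrypted. Assumptions: production is visible to the backup host only as a read-only mount, and the paths, snapshot names, sample files and the changed-file check are constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def pull_snapshot(source: Path, backup_root: Path, stamp: str) -> Path:
    """Run on the backup host: copy `source` into a new, dated snapshot."""
    dest = backup_root / stamp
    if dest.exists():
        # Never overwrite: a later pull cannot replace an earlier clean copy.
        raise FileExistsError(f"snapshot {stamp} already exists")
    # symlinks=True stores links as links instead of following them.
    shutil.copytree(source, dest, symlinks=True)
    for path in dest.rglob("*"):
        if path.is_file() and not path.is_symlink():
            path.chmod(0o400)  # read-only for the backup account
    return dest


def _digests(root: Path) -> dict:
    return {p.relative_to(root): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file() and not p.is_symlink()}


def changed_ratio(previous: Path, current: Path) -> float:
    """Fraction of files in `previous` that are missing or altered in `current`."""
    old, new = _digests(previous), _digests(current)
    changed = sum(1 for rel, digest in old.items() if new.get(rel) != digest)
    return changed / len(old) if old else 0.0


def demo(workdir: Path) -> tuple:
    prod = workdir / "prod_ro_mount"  # constructed stand-in for production
    prod.mkdir()
    (prod / "index.html").write_text("<h1>hello</h1>")
    (prod / "app.php").write_text("<?php echo 1; ?>")
    backups = workdir / "backups"
    first = pull_snapshot(prod, backups, "snap-0001")
    for f in prod.iterdir():  # constructed: production files become unreadable
        f.write_bytes(os.urandom(32))
    second = pull_snapshot(prod, backups, "snap-0002")
    return first, second, changed_ratio(first, second)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print("changed ratio:", demo(Path(tmp))[2])
```

A ratio close to 1.0 between consecutive snapshots is a cue to stop pruning older snapshots until production has been checked.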

There is more information about this threat and vulnerability available below.

More Information:


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
