If you’ve worked in the technology industry for a while, you probably remember the days when Apple and the Linux distros marketed themselves as if they were invulnerable to malware. Before 2012, Apple stated on their website, “It doesn’t get PC viruses.” The Red Hat Linux / Fedora website also claimed that one of its features was that it was “virus and spyware free,” stating that one of its benefits was “No more antivirus and spyware hassles. Fedora is Linux based and secure.”
Unfortunately, in recent years, we’ve learned that this simply isn’t true as malware has grown in sophistication.
Malware Pre-Installed In Linux Mint
Linux Mint is one of the most popular Linux distributions. In 2016, the world’s biggest Linux distribution was infected with malware. According to Clement Lefebvre, the founder and project leader for Mint, hackers were able to modify a PHP script on the Mint website. For a limited time, anyone who visited the Mint download page was redirected by that script to a fake download site. That site served a hacked copy of the Linux Mint 17.3 Cinnamon 64-bit edition that could be downloaded and installed on a machine.
The good news is that the cyber criminals were not able to hack the actual Linux Mint repository, so the Linux Mint distributions themselves were not compromised.
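The Mint incident is the textbook case for checking a downloaded image against the project’s published checksum before installing it. The following is an added example, not code from the original post or from the Mint project: it parses a sha256sum-style manifest, hashes the image in chunks, and refuses anything not listed or not matching. The file name and contents are constructed placeholders.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a (possibly multi-gigabyte) image in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_sha256sums(text):
    """Parse sha256sum-style lines ('<hex>  <name>' or '<hex> *<name>')."""
    expected = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue  # skip comments, blanks and malformed lines
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        expected[name] = digest
    return expected

def verify_image(image_path, manifest_text):
    """True only if the image's SHA-256 matches the manifest entry for its name."""
    expected = parse_sha256sums(manifest_text)
    name = os.path.basename(image_path)
    if name not in expected:
        return False  # not listed: refuse rather than assume it is genuine
    return hmac.compare_digest(sha256_of_file(image_path), expected[name])

def demo():
    """Constructed scenario: a genuine image and a tampered copy served under the same name."""
    with tempfile.TemporaryDirectory() as d:
        name = "example-17.3-cinnamon-64bit.iso"  # placeholder, not a real file name
        good = os.path.join(d, name)
        with open(good, "wb") as f:
            f.write(b"GENUINE IMAGE CONTENT\n" * 1000)
        manifest = "%s  %s\n" % (sha256_of_file(good), name)  # what the project would publish
        os.mkdir(os.path.join(d, "fake-mirror"))
        bad = os.path.join(d, "fake-mirror", name)
        with open(bad, "wb") as f:  # same name, one byte changed
            f.write(b"GENUINE IMAGE CONTENT\n" * 999 + b"GENUINE IMAGE CONTENT.\n")
        return verify_image(good, manifest), verify_image(bad, manifest)
```

The check is only as good as the manifest: fetch it from a channel the attacker does not control (ideally one whose signature you have verified), not from the same page that handed you the download link.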
Locky Variant For Linux
The Locky ransomware has plagued Windows machines for a while. When it first appeared in early 2016, it managed to infect hospitals in Japan and the United States. A variant of the Locky ransomware has also been created for Linux and Apple. One positive development is that this ransomware appears to be dying out.
“Since late December we haven’t seen the typical volume of Locky, however, a couple of days ago we finally started seeing some spam campaigns start delivering Locky again,” say Cisco’s researchers. “The key difference here is around volume. We typically would see hundreds of thousands of Locky spam, [and now] we are currently seeing campaigns with less than a thousand messages.”
KillDisk Variant For Linux
KillDisk is data-wiping malware that randomly deletes files from computers. In 2015, KillDisk code was used in the attack on several Ukrainian power stations, leaving thousands of people without power.
KillDisk has now returned with a new variant that targets Linux machines. It encrypts files on the machine and then demands a $218,000 ransom in Bitcoin, which may be one of the highest ransoms seen so far.
In the Linux version, KillDisk encrypts files with triple-DES and then displays its ransom note through the GRUB boot loader. In the process, the Linux boot loader is overwritten, so the machine will no longer boot until the ransom is paid. Unfortunately, the Linux variant does not store the decryption keys anywhere on the machine, so there is no way to bring the files back even after paying the ransom.
Prevention is the best method to protect the Linux machines on your network.
- Educate your users not to click on links or open attachments that they are not expecting and to verify the source.
- Maintain off-site backups to ensure data can be restored if it becomes encrypted.
Even with the latest patches, Linux machines can be susceptible to attacks. This is why it’s critical that you use advanced endpoint security software like SentinelOne to ensure your Linux machines are protected. To learn more, check out our whitepaper, “Solving the AV Problem.”