Can you keep Linux-based ransomware from attacking your servers?

David Geer

According to SophosLabs, Linux/Ransm-C ransomware is one example of the new Linux-based ransomware attacks, which in this case is built into a small command line program and designed to help crooks extort money through Linux servers.

“These Linux ransomware attacks are moving away from targeting end users and gravitating toward targeting Linux servers, web servers specifically, with a piece of software that encrypts data and is similar to what we’ve seen in previous years such as CryptoWall, CryptoLocker, and their variants,” explains Bill Swearingen, director of Cyber Defense, CenturyLink.

As long as attackers can leverage the ease of coding strong encryption and the high availability of anonymous currencies and anonymous hosting, ransomware is here to stay, says Swearingen. With security organizations like SophosLabs seeing and tracking new variants of Linux ransomware, enterprises should make themselves aware of its risks and cures, since as server owners, users, or operators they are prime targets.

Typical target trip-ups

With the amount of open-source software in use on Linux web servers, it is very easy for attackers to exploit the many unpatched vulnerabilities in CMS products such as WordPress, Drupal, and Joomla, plant these Linux encoders (ransomware), and hold enterprise web servers and their data hostage in exchange for some form of booty, says Swearingen.

Though the first rounds of Linux ransomware have been poorly coded, according to Swearingen, coming rounds will be increasingly effective. As attackers write the next wave of Linux encoders, enterprises need to prepare to withstand them.

One obvious answer to Linux malware is to keep those CMS products and the web servers continually patched and updated. But patching produces its own challenges. Even Linux web servers have many layers that the enterprise needs to patch, says Swearingen, including the OS layer, the application layer, and the database layer. “Traditionally companies focus on the operating system layer, running vulnerability scanners. But it’s the applications that the attackers are targeting,” says Swearingen. The enterprise needs to expend effort to uncover and patch holes at all levels, which comes with additional investments in time and money.

Immediate patching is often impractical, since patches may themselves be flawed and create new issues. Enterprises should thoroughly test new patches before installing them in production environments. Proper testing also costs time, effort, and money. Enterprises have a size threshold above which they can afford testing; below it, many cannot justify the expense.

Even patches that generally function properly may negatively affect adjacent applications and software dependencies through conflicts and lack of interoperability, so that these CMS and other Linux web server products develop faults or stop working altogether. Ultimately, the enterprise will have to weigh the risks and costs of patching as it chooses a patching approach.
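Swearingen's point that scanners usually stop at the operating-system layer while attackers go after the application layer is easy to make concrete. The script below is an added example, not code from the article or from any vendor quoted in it: it inventories the application layer of a Linux web server by reading the installed WordPress core version and comparing it against a minimum version the operator sets as policy, and it lists pending OS package updates where apt is available. The WordPress layout (wp-includes/version.php containing a line of the form `$wp_version = '...';`), the minimum version passed on the command line, the use of `sort -V` for version ordering, and the fixture directory it builds for a self-contained run are all assumptions of this example rather than anything the article states.

```shell
#!/bin/sh
# Added example (not from the article): check the application layer of a
# Linux web server for patch status, not just the OS package list.
# Assumptions: the web root is a WordPress install whose core version is
# declared in wp-includes/version.php as  $wp_version = 'X.Y.Z';
# and the minimum acceptable version is an operator-supplied policy value.
set -eu

# Print the WordPress core version found under install directory $1,
# or print nothing and fail if the version file is missing.
wp_version() {
    f="$1/wp-includes/version.php"
    [ -f "$f" ] || return 1
    # [$] matches a literal dollar sign inside the sed regex.
    sed -n "s/^[\$]wp_version *= *'\([^']*\)';.*/\1/p" "$f" | head -n 1
}

# Succeed (exit 0) when dotted version $1 is strictly older than $2.
# sort -V (GNU coreutils / BusyBox) orders "4.10.0" after "4.9.9".
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$first" = "$1" ]
}

# Report whether install $1 meets minimum version $2.
# Prints "OK <ver>", "OUTDATED <ver> < <min>" or "UNKNOWN";
# exit status is 0 only for OK, so it can drive a cron alert.
check_install() {
    dir="$1"
    minimum="$2"
    v=$(wp_version "$dir" 2>/dev/null || true)
    if [ -z "$v" ]; then
        echo "UNKNOWN"
        return 2
    fi
    if version_lt "$v" "$minimum"; then
        echo "OUTDATED $v < $minimum"
        return 1
    fi
    echo "OK $v"
}

# OS layer: list upgradable packages on apt-based systems; otherwise say so.
# (Output is informational only; nothing here installs anything.)
report_os_layer() {
    if command -v apt >/dev/null 2>&1; then
        apt list --upgradable 2>/dev/null
    else
        echo "OS layer: no apt found; use the local package manager's pending-update list"
    fi
}

# Build a constructed fixture: a fake WordPress tree with an old core version.
# Used so the example runs offline; a real run would point at the web root.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes"
    printf "<?php\n\$wp_version = '4.7.2';\n" > "$d/wp-includes/version.php"
    echo "$d"
}

# Demo entry point: usage  ./layer_inventory.sh [install_dir] [minimum_version]
main() {
    dir="${1:-$(make_fixture)}"      # constructed fixture when no dir is given
    minimum="${2:-4.7.3}"            # hypothetical policy minimum
    echo "== OS layer =="
    report_os_layer
    echo "== Application layer ($dir) =="
    check_install "$dir" "$minimum" || echo "application layer needs attention"
}

case "$0" in
    *layer_inventory.sh) main "$@" ;;
esac
```

Run as `./layer_inventory.sh /var/www/html 6.4.2` (path and version are placeholders) to check a real install; with no arguments it builds the fixture and reports the constructed 4.7.2 install as outdated. The database layer is deliberately left to the operator, since the query that reports a server version differs between MySQL, MariaDB and PostgreSQL.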
