Try For Free


Rising Ransomware Trend: Why Is Linux Suddenly a Target?

Patch Management

For many years, organizations running Linux felt relatively secure. Linux created a universe of open-source aficionados working together to make computing a friendlier place. For a while, not many people were using Linux, making it obscure and expensive to attack.

But all that has now changed.

According to a 2022 report from VMware’s Threat Analysis Unit, “Linux-based systems are fast becoming an attacker’s way into high-value, multi-cloud environments.” Common attack vectors such as Cobalt Strike and XMRig are now readily available for Linux—with 89% of cryptojacking attacks making use of XMRig-related libraries.

While Linux still takes a backseat to Windows and OSX when it comes to professional and home desktop use, today Linux drives 90% of the cloud infrastructure we all know and use.

Linux has been embraced by all the big cloud players—AWS, Google Cloud, and Microsoft Azure all support either common variants or their own version of Linux. Indeed, in line with industry-wide trends, Microsoft proudly claims, “Did you know? Linux on Azure is the fastest growing platform on Azure.”

Therefore, it is fast becoming the most attractive OS for attackers to target, with ransomware and cryptojacking being the two leading types of attack today. Cryptojacking is particularly worrisome, with its long dwell times, but with ransomware’s risk of data exfiltration, it can also make you very vulnerable.

From an attacker’s perspective, Linux delivers great “bang for the buck”—little effort, big payoff. Let’s explore three trends that are currently driving the growth in Linux ransomware, as well as what you can do about it to keep your organization safe.

Trend #1: The Rise of RaaS

You’ve already seen the way every business software product is transforming into “on-demand,” cloud-based “aaS” apps. Unfortunately, this is also true in the ransomware realm. The DarkSide group made headlines even in mainstream media in 2021 with its REvil ransomware, targeting, among others, Colonial Pipeline.

Just like a legitimate software vendor, DarkSide offered feature-rich Linux variants, written largely in C++ using open-source libraries. And just like a legitimate business, their model meant actively seeking franchise affiliates willing to contribute 20 BTC (about $300,000 at the time).

DarkSide encrypts folder contents using ChaCha20 with the RSA 4096 key taken from the configuration. When users attempt to view files, the ransom note appears instead.

DarkSide was taken down by the Russian government at the urging of the U.S., and court proceedings have now begun in Russia. But just during its short career, the group brought in at least $200M; Russian police have confiscated 20 luxury cars, 426 million rubles, $600,000, and Є500,000. 

While DarkSide is out of business, there’s nothing stopping other groups from organizing similar malware-as-a-service attacks and profiting from widespread vulnerability—for instance, the ransomware group AvosLocker now offers its own Linux version.

Trend #2: The Ease of Porting Ransomware to Linux

New tools like Go (Golang), designed for cross-platform portability, are making it easier and faster to develop ransomware across a range of platforms. With Go, developers only have to develop their malware once and then compile it easily across windows, OSX, and Linux.

As mentioned above, Cobalt Strike’s Beacon is widely available for Linux (known as Vermilion Strike). While Cobalt Strike can be used for legitimate pen testing purposes, its powerful abilities mean the tool is increasingly being deployed as the second stage in two-stage malware attacks (at the same time, two-stage malware is on the rise).

Beyond Vermilion Strike, a Golang-based port of Cobalt Strike, called Geacon, is also widely available. These tools can be used for lateral movement as well to gain a backdoor into servers, including Linux systems. 

Trend #3: New Attack Methods

Other types of attacks are rising to prominence alongside ransomware:

  • Software supply-chain attacks. The SolarWinds and Kaseya attacks have driven home the fact that you can’t always count on vendors to keep you safe.
  • Coin miners. These cryptojacking-type attacks harness the elasticity and compute power of cloud to operate illicitly.
  • Web shell attacks. Placing web shells allows hackers to continue exploitation over an extended period, compromising admin credentials, moving laterally, and exfiltrating valuable data, as seen in the recent international Red Cross committee attacks.

Today’s threats are often persistent, sometimes brokered by an initial access broker (i.e., auctioned off to the highest bidder), a process known as RansomOPS.

And what is clear is that Linux is going to be increasingly targeted, as demonstrated by the Linux Foundation and Red Hat playing a key consulting role in a recent White House summit on supply chain security.

So you need to stay safe against new types of threats and, in particular, ensure that you are secure against vulnerabilities that could allow these types of attacks into your network.

Staying Safe and Ahead of the Trends

We know that attackers today are increasingly going after tech-savvy orgs, and running Linux is no longer a guarantee that you’ll be able to keep your organization safe. 

Linux may give you an advantage over other OSes when it comes to patch availability. A recent Google study shows that over the last two years, open-source Linux has beaten out Windows for average time to fix security vulnerabilities: 25 days for open-source Linux compared to an average of 83 days for Microsoft.

However, the availability of a patch doesn’t mean you’re automatically safe. You still need good ways to implement patches as quickly as they’re released.

That’s because attackers are taking advantage of known vulnerabilities. That’s what happened with the International Red Cross Committee attack: The ICRC simply failed to apply a patch for a known vulnerability months after the patch had already been released, leading to a private data leak that affected half a million people.

Here are a few ways you can work to secure your organization, according to Linux security experts:

  • Put strong backup and security systems in place to avoid a single point of failure.
  • Implement automated discovery and monitoring of your entire environment.
  • Block or control data and network resource access via Linux security extensions.
  • Consider network segmentation, zero trust, MFA, and other next-level access control.
  • Automate patching wherever possible to keep ALL servers and endpoints—including Linux on-premises and in the cloud—up to date with the latest OS and vendor patches.

Whatever the next trends in security might be, vulnerability remediation is certain to be a big part of it. 

A next-generation patching platform such as JetPatch makes dealing with vulnerabilities simple and ensures you’re covered across your entire environment: on-premises, in the cloud, and all current and legacy OSes.

To get started with JetPatch…try our FREE LINUX TRIAL.

Todd Kirkland
schedule demoORlearn more
Start Patching the Right Way
Free Trial