by Joachim Suico (Threat Research Engineer)
2016 was the year when ransomware reigned. Bad guys further weaponized extortion into malware, turning enterprises and end users into their cash cows by taking their crown jewels hostage. With 146 families discovered last year compared to 29 in 2015, the rapid expansion and development of ransomware is projected to spur cybercriminals into diversifying and expanding their platforms, capabilities, and techniques in order to accrue more targets.
Indeed, we’ve already seen them testing new waters by tapping the mobile user base. We’ve also seen ransomware being developed for other operating systems, which are then peddled underground to affiliates and budding cybercriminals. Linux.Encoder (detected by Trend Micro as ELF_CRYPTOR family) was reportedly the first ransomware created for Linux systems; it targeted Linux web hosting systems through vulnerabilities in web-based plug-ins or software such as Magento’s. In Mac OS X systems, it was KeRanger (OSX_KERANGER)—found in tampered file-sharing applications and malicious Mach-O files disguised as Rich Text Format (RTF) documents.
Their common denominator? Unix: a multiuser, command-line OS that employs a unified filesystem and simple but robust tools, like shell and command language, to perform intricate tasks. Its flexibility and popularity among programmers enabled it to have different flavors, including Linux and Mac OS X.
Laying the Groundwork?
While both infect systems via methods typical in Windows ransomware, their arrival vectors are mostly non-user-centric due to the nature of Unix. While Linux.Encoder exploits security flaws, KeRanger was notable in its theft of legitimate Apple certificates to bypass Gatekeeper, a security feature that enforces code signing and verification of downloaded software. But based on their similarities in packer, structure, encryption library, function names, and ransom notes, KeRanger can be surmised as a recompiled version of Linux.Encoder.
Our analysis of these ransomware also revealed how they are just precursors, and ultimately, an indication of what’s to come for Unix ransomware. KeRanger, for instance, has an unused function that’s supposed to encrypt/delete OS X’s Time Machine, a feature designed as a backup utility in Mac computers. Linux.Encoder, spawned by an open-source ransomware project, underwent several updates in an effort by its developer to fix flaws in the malware’s encryption routine. It left a slew of infected Linux servers in its wake, with its third version infecting over 600 servers worldwide.
While Unix ransomware may still be experimental, we’re starting to see where they’re branching out and what capabilities they use to hit more targets and maximize profit. This is reflected by the emergence of other families that target Unix-like OSes such as Linux and Android. These include KillDisk (RANSOM_KILLDISK.A), Rex (RANSOM_ELFREXDDOS.A), Encryptor RaaS (RANSOM_CRYPRAAS.B), KimcilWare (RANSOM_KIMCIL), Svpeng (ANDROIDOS_SVPENG), and Koler (ANDROIDOS_KOLER). In fact, Linux ransomware already saw development as early as 2014 with the appearance of Synolocker (RANSOM_SYNOLOCK). CryptoTrooper (RANSOM_CRYPTOTROOPER) and PHP Ransomware (PHP_CRYPWEB)—like Linux.Encoder—demonstrated how open-source projects purportedly designed for educational purposes can be weaponized.
Is Unix a Lucrative Market for Ransomware?
So why Unix? Is it a viable target for smash-and-grab, off-the-shelf threats like ransomware? While market share and user count can be a factor, the difference also lies in architecture. Software in Unix-like systems like Linux, for instance, are either compiled from source or vetted repositories. Their permissions model also makes it difficult for executables to run with privileges required to access and encrypt files. While Windows’ User Account Control (UAC) can limit software to standard user privileges—unless an administrator authorizes it—many users readily allow programs to make changes in the system. Additionally, many organizations are inclined to grant its end users administrative access to their workstations. Nevertheless, Unix is not foolproof. It only takes one remote code execution or procedure call vulnerability—or a socially engineered email—for ransomware to slither its way into the system.
Unix ransomware may still be exploratory, but it is a credible threat that raises significant security challenges, given Unix’s ubiquity—from servers, workstations, web development frameworks, and databases to mobile devices. Enterprises across various industries, including IT services, education, healthcare, finance, retail, media, and manufacturing, are powered by Unix-based machines. Linux systems, for instance, are a mainstay for many hosting and storage service providers, and are often used to manage various websites simultaneously from multiple clients. Organizations like data centers also rely on Unix-based systems as platforms that run applications handling mission-critical operations—including their upkeep.
Mitigation and Best Practices
With ransomware, system management for IT administrators and information security professionals is always in a race against time—their organization’s business contuinuity, reputation, and bottom line are at stake.
Linux system administrators must avoid or beware of adding unverified, third-party repositories; as users with appropriate privileges can still install them even if Linux keeps a central repository for package downloads. To mitigate threats that don’t use privilege escalation exploits, permissions should be restricted to users. Though root login is disabled by default, users may perform actions if granted admin privileges, so system/IT administrators should also limit adding users to the sudoers (administrators) group.
Privilege separation in Linux greatly enhances security by limiting the modifications a program can make to the system. Regular audits and hardening can also help reduce the system’s attack surface, such as minimizing running services or disabling unwanted services. Usage of Linux security extensions is also recommended for misconfigured programs. These extensions enforce mandatory access control policies that manage the extent of access of programs to files and network resources, which help confine damage triggered by malicious or misconfigured programs. Installing intrusion detection systems, performing continuous monitoring, and inspecting suspicious entries in logs also help in early detection of attempts and actual attacks against the system.
Apart from keeping systems up-to-date with the latest patches, and regularly backing up important corporate assets, enterprises must ensure their perimeter is secured. System administators should also be on the lookout for suspicious files, applications, processes, and network activity usually leveraged by ransomware. Users and businesses can also benefit from a multilayered approach to security that covers the gateway, endpoints, networks, and servers.
Trend Micro Ransomware Solutions
Trend Micro Deep Discovery Inspector detects malicious traffic, communications, and other activities associated with attempts to inject ransomware into the network.Network Traffic ScanningMalware SandboxLateral Movement Prevention
Trend Micro Deep SecurityTM detects and stops suspicious network activity and shields servers and applications from exploits.Webserver ProtectionVulnerability ShieldingLateral Movement Prevention
PROTECTION FOR SMALL-MEDIUM BUSINESSES AND HOME USERS
Protection for Small-Medium Businesses
Trend Micro Worry-FreeTM Business Security Advanced offers cloud-based email gateway security through Hosted Email Security that can detect and block ransomware.Ransomware behavior monitoringIP/Web Reputation
Protection for Home Users
Trend Micro Security 10 provides robust protection against ransomware by blocking malicious websites, emails, and files associated with this threat.IP/Web ReputationRansomware Protection