AhnLab Security Center


Time to Prepare for Linux Ransomware Impact


A web hosting provider in South Korea was attacked by ransomware in June 2017. The breach disrupted service for more than 3,400 websites and led to a ransom payment of one million US dollars, which may drive the provider into bankruptcy. The ransomware behind this incident was a variant of the Erebus ransomware, which targeted Linux servers. This incident has become one of the most representative cases of Linux ransomware attacks.


For a fairly long time, Linux was considered a relatively secure OS compared to Windows. Within the last few years, however, the amount of malware infecting Linux systems has consistently increased. Linux ransomware is also continuously on the rise and has become a new and serious threat. In this regard, this article presents the latest Linux ransomware and mandatory responses to the threats.


Latest Linux ransomware 

1. Linux.Encoder

The ransomware called Linux.Encoder, discovered in November 2015, is known to be the first ransomware targeting the Linux web server platform. It infects a system by exploiting a vulnerability in Magento, an online ecommerce solution based on a Linux web server. AES and RSA algorithms are used to first generate a local key on the victim's computer, before files are encrypted using AES-128-CBC. During encryption, the ransomware checks for web server related directories, such as www, webapp and git, and encrypts all files within them. All encrypted files have the extension .encrypted added to their file names.


2. FairWare

FairWare was discovered in August 2016, and targeted Linux web servers. Unlike Linux.Encoder, however, FairWare deletes files rather than encrypting them. After deleting files, a ransom note is embedded in the /root/ folder which informs the user of the infection and the method to restore the files. The note, in part, states: “You must send 2 BTC to:xxxxxxxxxxx within 2 weeks from now to retrieve your files and prevent them from being leaked!”.


3. KillDisk

KillDisk, discovered in January 2017, is assumed to be a variant of the previously discovered KillDisk for Windows. It works by comprehensively encrypting up to 17 subdirectories within the root folder so that the system is unbootable. The ransom note is displayed on the boot loader screen, the first program executed before the operating system runs. Unlike KillDisk for Windows, which uses AES and RSA encryption, the variant for Linux uses the triple DES encryption method. A ransom of 222 Bitcoins, which amounts to 250,000 US dollars, is demanded for the recovery of encrypted files. However, paying the ransom is a waste of time and money, as the encryption keys generated on the affected hosts are neither stored locally nor sent to the attacker, so there is no way to restore the files. It is presumed that the hacking group behind the BlackEnergy malware that attacked Ukrainian power plants in 2015 is also behind KillDisk.


4. Erebus

Erebus, discovered on June 10, became one of the most notorious Linux ransomware families. It infected a web hosting company, compromising over 150 of its Linux web servers and causing collateral damage to more than 3,400 websites that were being hosted by the company.

Erebus ransomware targets files on the Linux system with the extensions .tar and .gz, as well as documents and images with the extensions .jpg, .docx and .xlsx. Once executed, it encrypts files on the victim's system regardless of whether or not the infected system has a network connection. It also connects to the Tor network using a hidden .onion domain, which acts as its Command and Control (C&C) server.


First step to Linux ransomware protection: V3 Net for UNIX/Linux Server

As new ransomware and its variants keep increasing and extending their targets, Linux is no longer as secure as previously believed. Therefore, a countermeasure to protect against the current vulnerabilities of the Linux OS is urgently needed.


AhnLab offers an optimized anti-virus software for Linux and Unix servers, V3 Net for Unix/Linux Server. Through a manual scan, V3 Net for Unix/Linux Server detects malware contained in various files, including compressed files stored on the server. It also provides a scheduled scan for the safe operation of sensitive servers. For the IT administrator's convenience, it supports port settings and account management settings. Through interoperation with AhnLab Policy Center (APC) or AhnLab EMS, which are respectively an endpoint security management system and platform, administrators can easily monitor and control security for multiple Linux servers through a single management system.


With the increasing amount of Linux malware and the severity of its attacks, AhnLab plans to add real-time monitoring and Decoy analysis technology, which has already been adopted in V3 products for Windows, to V3 Net for Unix/Linux Server. AhnLab's Decoy analysis is an effective measure against ransomware because it uses decoy files or folders to detect and block malicious programs attempting to encrypt or modify them.
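
The decoy idea described above can be sketched as follows. This is an added example, not AhnLab's implementation or code from the article: it plants decoy files in the directory names the article lists for Linux.Encoder (www, webapp, git), using the extensions it lists for Erebus, and reports decoys that were deleted, modified or renamed with the .encrypted suffix. The decoy file names and function names are hypothetical, and the sketch only detects, it does not block.

```python
import hashlib
import os
import tempfile

# Directory names the article says Linux.Encoder looks for, and the file
# extensions it lists for Erebus; the decoy file names are hypothetical.
DECOY_DIRS = ("www", "webapp", "git")
DECOY_FILES = ("0_backup.tar", "0_backup.gz", "0_photo.jpg",
               "0_report.docx", "0_budget.xlsx")


def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def plant_decoys(root):
    """Create decoy files under root and return {path: sha256} as baseline."""
    baseline = {}
    for d in DECOY_DIRS:
        os.makedirs(os.path.join(root, d), exist_ok=True)
        for name in DECOY_FILES:
            path = os.path.join(root, d, name)
            with open(path, "wb") as fh:
                fh.write(os.urandom(64) + name.encode())  # constructed content
            baseline[path] = _sha256(path)
    return baseline


def check_decoys(baseline):
    """Return sorted (path, event) pairs for every decoy that was touched."""
    alerts = []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            # Linux.Encoder appends .encrypted; FairWare simply deletes.
            renamed = os.path.exists(path + ".encrypted")
            alerts.append((path, "renamed-encrypted" if renamed else "deleted"))
        elif _sha256(path) != digest:
            alerts.append((path, "modified"))
    return sorted(alerts)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        base = plant_decoys(root)
        victim = os.path.join(root, "www", "0_budget.xlsx")
        os.rename(victim, victim + ".encrypted")  # tampering simulated in a temp dir
        for path, event in check_decoys(base):
            print(event, path)
```

Run from a scheduler, check_decoys gives an early signal because no legitimate process has a reason to touch the decoys; the baseline should be stored where the monitored account cannot rewrite it.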