
Research reveals how Linux is increasingly at risk of ransomware


The myth that the Linux environment is safe from cyber threats has long since died.

The tombstone on that belief comes from research by Check Point which, analyzing ransomware attacks against the open source operating system, shows a substantial increase in cases. Ransomware has historically been a Windows phenomenon, but the trend has been shifting in recent years.

The first campaigns operating on Linux were recorded only in 2015 and, in many cases, they were rudimentary ports of threats already active on Windows. The real boom on the penguin's operating system began in 2020, with several Ransomware-as-a-Service (RaaS) offerings built specifically for that platform in languages such as Golang or Rust.

Several factors drive the number of these attacks. First, Linux is the dominant platform for servers, which are coveted prey for hackers and cybercriminals. Second, overconfidence still lingers among some users of the operating system.

At present, the ransomware families active in the Linux environment are varied and include names such as:

  • Maori
  • Cl0p
  • Cylance
  • Royal
  • ViceSociety
  • IceFire
  • BlackCat
  • ESXiArgs
  • Rorschach
  • Monti
  • LockBit
  • GwisinLocker

Ransomware and Linux: an increasingly explosive mix

Check Point’s analysis revealed a notable simplification of the tooling used by cybercriminals. Simply put, the ransomware targeting Linux is stripped down, offering very few functions beyond those needed for encryption.

For anything beyond encryption, cybercriminals rely on tools that are legitimate in themselves but abused with malicious intent (the "living off the land" approach), which makes the malware used in these campaigns harder for defensive tools to detect, since much of the observed activity comes from binaries already present on the host. The researchers’ work also highlighted some distinctive strategies, such as ransomware groups’ predilection for ESXi systems, where a single host carries many virtual machines and their disk images.

Comparing the techniques adopted on Windows and Linux, it becomes clear that ransomware on the latter most often relies on OpenSSL as its main cryptographic library. On the encryption side, AES is the most frequent choice, sometimes combined with RSA: in the usual hybrid scheme, file contents are encrypted with a symmetric AES key and that key is then wrapped with the attacker’s RSA public key, so the victim cannot recover it without the corresponding private key, which never leaves the operator.

One thing is certain: whatever operating system is in use, ransomware remains one of the most concrete threats in today’s cybersecurity landscape.
