Ransomware image

Linux Ransomware – Notorious Cases and Ways to Protect

The ransomware plague has been the talk of the cybersecurity town since the emergence of CryptoLocker back in 2013. A combination of military-grade encryption and effective extortion mechanisms makes every such attack potentially disastrous as the victim runs the risk of losing essential data down the line.

Whereas the vast majority of ransom Trojans zero in on Windows PCs, some strains focus on devices running other operating systems instead. The Linux ecosystem is a steadily expanding battlefield in this regard. This might seem like a marginal tactic at first sight, but once you explore the wiki facet of the matter, the attackers’ logic starts making a whole lot of sense.

Linux is widely deployed on servers that administer enterprise networks, massive databases, and web services. In plain words, these devices are juicy targets to take hostage. Their owners are mostly businesses or governmental institutions with sizeable budgets that can afford to pay for reverting to regular operation.

Linux ransomware runs the gamut of different distribution techniques and extortion methods. The following infamous outbreaks of these infections will shed light on the heterogeneous essence of this cyber threat landscape while highlighting effective defenses organizations should implement to stay on the safe side.

Tycoon ransomware

Having splashed onto the scene in early December 2019, Tycoon is the latest example of Linux ransomware. For the record, it is a two-pronged strain that can infect Windows machines as well. The intended set of victims ranges from software publishers to educational institutions, with the raids being highly targeted.

The Tycoon payload arrives with a booby-trapped ZIP archive that contains a malicious Java Runtime Environment (JRE) component. Its operators tend to piggyback on unsecured remote desktop protocol (RDP) ports as the original entry point. Once the surreptitious infiltration into an enterprise network has been completed, the predatory code is compiled into a Java image (JIMAGE) entity that allows the attackers to create a custom JRE build exhibiting malicious characteristics.

The final-stage harmful Java object is executed by a peculiar shell script behind the scenes. It supports Linux and Windows frameworks alike, so the subsequent attack chain depends on the OS used in the victim network. The infection comes with a configuration file storing the text of the ransom note, the RSA public key, the malefactor’s email address, and the list of network components to skip during the dodgy encryption.

Tycoon scrambles each file on a server using a different AES key, which is further encoded with the RSA-1024 key owned by the perpetrators. The ransom note instructs the victim to contact the attackers and pay for data recovery in Bitcoin within 60 hours. Otherwise, the amount will be increasing by 10% daily.

Lilocked ransomware

Also known as Lilu, this strain of Linux ransomware debuted in mid-July 2019. Two months later, its architects gave their campaign a boost by hitting roughly 6,700 thousand Linux web servers over the course of about a week. Although the exact attack vector was unknown, some researchers’ theory was that the criminals exploited out-of-date versions of the Exim message transfer agent to gain a foothold in a target environment.

After encrypting data stored on a server, the ransomware appends the .lilocked extension to each file. It additionally drops a ransom note named “#README.lilocked” into all parent directories containing encoded data. This document specifies the size of the ransom (0.03 BTC, worth about $300 at the time) and sets a seven-day deadline for payment. To make sure that the server can continue running throughout the incursion, the pest skips critical files while focusing on a limited set of items stored in HTML, SHTML, CSS, JS, INI, PHP, and popular image formats.


This ransomware wave took root in July 2019. It focuses on infecting network-attached storage (NAS) Linux devices, which are generally known to hold an organization’s most valuable data assets. At the peak of its operation, QNAPCrypt was doing the rounds via more than a dozen concurrent sub-campaigns.

The attack relies on crude authentication practices used by some companies to establish connections through a SOCKS5 proxy. As soon as the payload is executed, the ransom Trojan reaches out to its Command and Control (C2) server to receive an RSA public key and a Bitcoin wallet address for the payment, the latter being unique for every victim.


The destructive program called Erebus gained notoriety for entailing the biggest ransom payout to date. In June 2017, it raided more than 150 Linux servers of Nayana, a major South Korean web hosting provider. The affected company chose to pay a jaw-dropping $1 million in Bitcoin to the crooks in order to restore its digital infrastructure.

Erebus was originally discovered in September 2016. At its dawn, it was homing in on Windows systems by exploiting a flaw in the User Account Control feature. Later on, the authors of this ransomware repurposed it to target Linux servers. Having crept inside, it scans the compromised network for more than 400 file types, including databases, archives, documents, and multimedia items.

To prevent the victim from accessing their data, the Trojan employs an uncrackable fusion of RSA-2048, AES, and RC4 cryptosystems. Interestingly, it uses a multilingual ransom note to cover a vast range of potential targets and take the extortion to the next level.

KillDisk ransomware

Similarly to Erebus, KillDisk started out as a Windows-only threat and subsequently extended its reach to Linux environments. This shift took place in January 2017. The original infection stood out from the rest by being associated with state-funded sabotage operations. It was reportedly used as a data wiping instrument in the December 2015 cyber-attacks against the Ukrainian energy sector and media organizations.

The Linux variant of KillDisk works by overwriting the GRUB bootloader. This way, it prevents the host system from booting and shows a full-screen ransom note demanding 222 Bitcoin (worth about $200,000 at the time of the first outbreak). The caveat is that according to security analysts, the disruptive program doesn’t save the cryptographic keys locally, nor does it submit them to a C2 server. In other words, paying the ransom could be futile because the recovery is most likely impossible. This is one more quirk suggesting that KillDisk might have been primarily designed as cyber warfare rather than an extortion tool.

How to fend off Linux ransomware?

Contrary to a common misconception, the most devastating virus attacks aren’t isolated to the Windows world. Mac malware is gearing up for a rise these days, and Linux servers aren’t safe either. The following techniques will help strengthen an organization’s security posture in terms of combatting the increasingly unnerving scourge of Linux ransomware onslaughts.

  • Back up your critical files and diversify the storage media to avoid a single point of failure (SPOF).
  • Implement the principle of least privilege for user accounts.
  • Keep the servers and endpoints up to date to make sure they use the latest security patches.
  • Follow effective network monitoring practices.
  • Keep tabs on event logs to identify anomalous behavior before it causes harm.
  • Leverage a combo of IP filtering, an intrusion detection system (IDS), and an intrusion prevention system (IPS).
  • Use Linux security extensions that control and restrict access to data or network resources.
  • Apply robust network segmentation and data compartmentalization to minimize the impact of a potential ransomware attack.

It’s also crucial for businesses to safeguard their networks proactively. Investing in reliable defenses to avoid a ransomware calamity is so much more cost-efficient than handling its after-effects. Also, it’s a good idea to have an incident response plan that will take effect if things get out of hand.

Featured image by rawf8 from Shutterstock.com