[sf-lug] South African Linux sites experiencing Ransomware attacks

Rick Moen rick at linuxmafia.com
Thu Sep 12 21:48:26 PDT 2019


Quoting Bobbie Sellers (bliss-sf4ever at dslextreme.com):

>     No big thing.  After all Rick Moen says that it is a *phoney* warning.

It would be more accurate to say that it's a vague, melodramatic,
vapourous, and basically useless warning.

To put it in a metaphorical context that people might be able to deal
with more readily:  It was like this...

  Beware!  There are house-destroying Gerbilock gerbils that are believed
  to be loose and to have already destroyed thousands of homes.  These
  gerbils, if they have entered and destroyed your home, can be identified
  after the fact by the .gerbilocked handkerchiefs that they've been
  observed to leave behind in demolished master bedrooms.

  It's not known how these gerbils gain entrance to a house's door or
  windows, or how they escalate authority to enter all of the house's
  separately locked rooms.  Just, trust us, they do, and they're awful and
  terrifying.  Some have been rumoured to be carriers of the measles
  virus.  It may be that Bauhaus-design houses are particularly
  vulnerable to gerbil entry and takeover on account of a recently 
  discovered vulnerability in their skylights.  See: CVE-Skylight-2019-01.
  Also, all Gerbilock gerbils have Bic lighters built into their tails,
  and are known to set housefires.

That's not particularly useful to door/window security, skylight repair,
or even rodent control, and has about the same information value as the
several IT press articles I've seen lately about 'Lilocked Ransomware.'

That's not to say you shouldn't have decent locks on doors and windows,
and maybe get a cat to keep the rodents down.  Also, kitties purr
nicely, so you get a free bonus.  (/me has two little scamperbeasts at
his feet at the moment.)


> >The FOSSBYTES webpage [...]

I don't want to beat up on Fossbytes.com, but it's apparently just yet
another news aggregation site.  It seems that someone in Delhi back in
2014 installed Drupal on a static IP, pointed that domain to it, and
said 'I know!  We can make money as a middleman pointing to vaguely open
source stories elsewhere on the Web, paraphrasing other people's
coverage from elsewhere, and occasionally publishing a few of our own
editorials.'

If that's what you want, great.  There are lots of similar sites.  But
you consider them reliable at your peril.  And, as it turns out, there's
more utter context-challenged rubbish published about security than
about anything else in computing, partly because the
antimalware/security firms continually generate it as part of their
business model.



> >'Thousands Of Linux Servers Infected By Lilu
> >(Lilocked) Ransomware'[2] confirms the above advice when it writes
> >"You might evade this attack by keeping strong passwords and
> >updating the apps as and when security patches arrive."
> >That would likely include updating or perhaps replacing the
> >"defunct Exim software".
> >Note that Lilock ransomware does not affect system files but files
> >with extensions including HTML, SHTML, JS, CSS, PHP, INI, and
> >other image formats. Since system files are not affected, Linux
> >systems are running normally.
> >
> >The SecurityIntelligence webpage 'Lilocked Ransomware Infects
> >Thousands of Linux Servers to Encrypt Files'[3] also follows through
> >on this along the lines of what Rick M wrote much more expansively
> >at [4] from the following quote:
> >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >Security professionals can help defend their organizations against
> >Lilocked ransomware by having a data backup strategy that enables
> >backup accounts to access production systems, yet blocks
> >production accounts from writing to any type of backup. Companies
> >should link this backup strategy to a sophisticated data-centric
> >solution that blends encryption, access controls and other
> >security measures, thereby narrowing the attack surface for
> >threats like ransomware.
> >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> >-A
> >
> >
> >======================================================
> >References
> >======================================================
> >[1]http://linuxmafia.com/pipermail/sf-lug/2019q3/014360.html
> >[2]https://fossbytes.com/lilocked-ransomware-infected-linux-servers/
> >[3]https://fossbytes.com/lilocked-ransomware-infected-linux-servers/
> >[4]http://linuxmafia.com/pipermail/sf-lug/2019q3/014361.html
> >======================================================
> >
> >aaronco36 at sdf.org
> >-------
> >
> >_______________________________________________
> >sf-lug mailing list
> >sf-lug at linuxmafia.com
> >http://linuxmafia.com/mailman/listinfo/sf-lug
> >SF-LUG is at http://www.sf-lug.org/
>     Bobbie Sellers
> 
> 
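The backup rule quoted from the SecurityIntelligence article above (backup side reads production, production side never gets a writable handle on the backups) is easier to see in code. This is an added, stand-alone simulation written for this page, not code from the thread or from either article: it runs a pull-model snapshot backup into a scratch directory, then stages a constructed incident on the production side using the thread's own ".gerbilocked" marker as the stand-in for the ransomware's suffix, and shows that the earlier snapshot is untouched while a scan of the later one flags the renamed files.

```python
"""Pull-model snapshot backup plus marker-suffix scan (constructed example)."""
import os
import shutil
import tempfile
from datetime import datetime, timezone

def take_snapshot(prod_dir: str, backup_root: str) -> str:
    """Copy prod_dir into a brand-new dated directory under backup_root.

    The backup side does the copying; the production side is only ever read.
    A fresh directory per run means an encrypted tree never overwrites the
    last good snapshot. Files are made read-only once the copy is complete.
    """
    seq = len(os.listdir(backup_root))  # keeps names unique within one second
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S") + f"-{seq:04d}"
    dest = os.path.join(backup_root, stamp)
    shutil.copytree(prod_dir, dest)
    for root, _dirs, files in os.walk(dest):
        for name in files:
            os.chmod(os.path.join(root, name), 0o444)
    return dest

def find_marked(tree: str, marker: str) -> list:
    """Return sorted relative paths of files whose name ends with marker."""
    hits = []
    for root, _dirs, files in os.walk(tree):
        for name in files:
            if name.endswith(marker):
                hits.append(os.path.relpath(os.path.join(root, name), tree))
    return sorted(hits)

def demo(marker: str = ".gerbilocked") -> dict:
    """Constructed scenario: snapshot, simulated encryption, second snapshot."""
    base = tempfile.mkdtemp(prefix="pullbackup-")
    prod, backups = os.path.join(base, "prod"), os.path.join(base, "backups")
    os.makedirs(os.path.join(prod, "www"))
    os.makedirs(backups)
    web_files = ("www/index.html", "www/site.js", "www/config.php")
    for rel in web_files:  # constructed web content, the file types the article lists
        with open(os.path.join(prod, rel), "w") as fh:
            fh.write("original content of " + rel)
    snap_before = take_snapshot(prod, backups)
    for rel in web_files:  # simulated incident: production-side rename with marker
        os.rename(os.path.join(prod, rel), os.path.join(prod, rel + marker))
    snap_after = take_snapshot(prod, backups)
    return {"prod_hits": len(find_marked(prod, marker)),
            "before_hits": len(find_marked(snap_before, marker)),
            "after_hits": len(find_marked(snap_after, marker)),
            "snapshots": len(os.listdir(backups))}
```

In a real deployment the two sides are separate accounts on separate hosts (the backup host pulls, for example over a read-only rsync channel), which is the part a single-process simulation cannot enforce.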
