[sf-lug] Ransomware threat to Linux servers

Rick Moen rick at linuxmafia.com
Mon Nov 9 16:59:22 PST 2020 

Quoting Bobbie Sellers (bliss-sf4ever at dslextreme.com):

> Hi LUGers,
> 
> Note that keeping your security up-to-date is the best defense.

Which starts with having adequate, tested, offline-stored backups and a
plan for recovery.

> Subject: Ransomware threat to Linux servers

No, 'ransomware' is not a threat.  Ransomware is a secondary aftereffect
of security compromise, which usually results from ignoring things that
_are_ threats, and the damage is made severe because of not having
adequate, tested, offline-stored backups and a plan for recovery.

> Linux version of RansomEXX ransomware discovered
> 
> This marks the first time a major Windows ransomware strain has
> been ported to Linux to aid hackers in their targeted intrusions.

Ransomware is _not_ used to intrude into systems.  It can't.  That's a
fundamental misstatement of what it _is_.

> <https://www.zdnet.com/article/linux-version-of-ransomexx-ransomware-discovered/>

Hey, it's Ziff-Davis.  That means the likelihood of the story actually
telling the answer to the only interesting questions, of how intrusion
gets accomplished and how escalation of privilege to root authority then
occurs, approaches zero.  Let's see.  (/me skim-reads article)

Subheader is indeed:

   This marks the first time a major Windows ransomware strain has been
   ported to Linux to aid hackers in their targeted intrusions

Well, leading with utter codwallop is not a good start.

   Security firm Kaspersky said [...]

OK, so standard Ziff-Davis fare.  This is basically just a
copied-and-pasted corporate press release.

   The ransomware has been used in attacks against [...]

More used cow food.

(/me skims, skims some more, skims lots...)

OK, entire article fails utterly to even address the only interesting
questions.  Well done, Ziff-Davis!   However, piece ends:

   Technical details about the RansomEXX Linux variant are available in
   the Kaspersky report.

Righty-O.  So, let's follow the link.

Article says RansomEXX is an 64-bit ELF binary that, when run, encrypts
file with 256-bit AES.

Article says absolutely nothing about how bad guys are believed to get
in and escalate to root.

Without at least a surmise about the answers to those questions, admins 
can only say 'Well, I guess we should attend to basic security, and have
adequate, tested, offline-stored backups and a plan for recovery.'
Which fortunately is already known and is basic common sense.

More information about the sf-lug mailing list