Slashdot Mirror


Ransomware Found Targeting Linux Servers, MySQL, Git, Other Development Files (drweb.com)

An anonymous reader writes: A new piece of ransomware has been discovered that targets Linux servers, looking to encrypt only files that are related to Web hosting, Web servers, MySQL, Subversion, Git, and other technologies used in Web development and HTTP servers. Weirdly, despite targeting business environments, the ransomware only asks for 1 Bitcoin, a fairly low amount compared to other ransomware.

93 comments

  1. Shit. by Anonymous Coward · · Score: 0

    We're fucked.

    1. Re:Shit. by greenfruitsalad · · Score: 2

      until we type "snapper rollback ..." or "zfs rollback ...". then we can continue eating donuts and browsing slashdot.

  2. Root by Anonymous Coward · · Score: 5, Informative

    "Once launched with administrator privileges..."

    Well, there's your problem.

    1. Re:Root by BostjanSkufca · · Score: 1

      "Once launched with administrator privileges..."

      Well, there's your problem.

      This rarely happens, as it seems. I hope, at least.

However, once someone figures out that common PHP applications, which are currently mostly exploited for sending spam and distributing malware, can be abused in this crypto-ransom fashion, some "interesting" times will follow. Especially vulnerable deployments are those where the very same user that owns executable files is used for running that application too (I am looking at your defaults, cPanel), or, to a lesser extent, applications that permit executable code in some writeable directories.

      I guess encrypting application code will not be THAT problematic, but encrypting database content is another matter altogether.

      Hosting companies raising backup restore prices in 3, 2, 1...

    2. Re:Root by Anonymous Coward · · Score: 0

Are administrator privileges *really* needed if the ransomware limits itself to encrypting files in the user's home directory? Or does it require root access because it targets the databases?

    3. Re:Root by Anonymous Coward · · Score: 0

Application files should not be writable by the httpd user. Only developer/admin needs write access there, and if you're running a public httpd as the developer/admin user, you're an idiot. Either keep incremental database backups, or have the database send all INSERT / UPDATE queries to syslog. Now even if they hijack PHP or Ruby or Python or whatever interpreter your site uses, and then manage to overwrite your database with "encrypted" data, you have the original data to immediately restore (or, if the database and filesystem have CoW snapshots, just revert to immediately before the exploit). TL;DR: It would take a real moron of a sysadmin for this to cause problems. In such a case, that moron deserves every problem he gets. Hopefully he'll get fired afterwards and those of us with actual skill will have a more open job market that isn't full of lying incompetents.
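The "application files should not be writable by the httpd user" rule above is easy to state and easy to drift away from after a few deploys. The following is an added example (not code from the thread or from any project it mentions) that audits a web root for anything the server's account could overwrite, applying the same owner-then-group-then-other order the kernel uses. The default path `/var/www/html` and the account name `www-data` are assumptions; pass your own on the command line.

```python
"""Audit a web root for files the web server's own account could overwrite.

Added example. Assumes a Linux host where the web server runs as an
unprivileged account (called 'www-data' here, an assumption) and where
application code is owned by a separate deploy user.
"""
import grp
import os
import pwd
import stat
import sys
from typing import FrozenSet, Iterator, NamedTuple, Optional


class Finding(NamedTuple):
    path: str
    mode: int
    uid: int
    gid: int
    reason: str


def writable_by(mode: int, uid: int, gid: int,
                target_uid: int, target_gids: FrozenSet[int]) -> Optional[str]:
    """Return 'owner', 'group' or 'other' if the target account may write a file
    with these stat fields, else None.

    Follows the classic Unix check order: when the uid matches, only the owner
    bits count (even if 'other' would grant more); otherwise the group bits
    count if any of the account's groups match; otherwise the 'other' bits apply.
    """
    if uid == target_uid:
        return "owner" if mode & stat.S_IWUSR else None
    if gid in target_gids:
        return "group" if mode & stat.S_IWGRP else None
    return "other" if mode & stat.S_IWOTH else None


def audit_tree(root: str, target_uid: int,
               target_gids: FrozenSet[int]) -> Iterator[Finding]:
    """Yield every file or directory under root that the account may write.

    Directories matter too: a writable directory lets the account replace or
    delete the entries inside it even when those entries are read-only.
    """
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not what the kernel checks
            mode = stat.S_IMODE(st.st_mode)
            reason = writable_by(mode, st.st_uid, st.st_gid, target_uid, target_gids)
            if reason:
                yield Finding(path, mode, st.st_uid, st.st_gid, reason)


def account_ids(username: str):
    """Resolve a username to (uid, frozenset of every gid it belongs to)."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if username in g.gr_mem)
    return pw.pw_uid, frozenset(gids)


if __name__ == "__main__":
    # Usage: python audit_webroot.py /var/www/html www-data  (both values are assumptions)
    webroot = sys.argv[1] if len(sys.argv) > 1 else "/var/www/html"
    account = sys.argv[2] if len(sys.argv) > 2 else "www-data"
    uid, gids = account_ids(account)
    for f in audit_tree(webroot, uid, gids):
        print(f"{f.reason:5} {oct(f.mode):>6} uid={f.uid} gid={f.gid} {f.path}")
```

Run it as any user that can read the tree; an empty report means the server account cannot modify code in place, so a compromised interpreter is limited to what the application itself writes (uploads, caches, the database), which is where the backup and snapshot advice in the rest of the thread takes over.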

  3. Tape backups by Billly+Gates · · Score: 1, Interesting

    Unlike desktops big iron use tape and raid backups

    1. Re:Tape backups by Anonymous Coward · · Score: 4, Informative

      Unlike desktops big iron use tape and raid backups

      Raid is not a backup.

    2. Re:Tape backups by Anonymous Coward · · Score: 1

      RAID would simply increase the speed of encryption.

    3. Re:Tape backups by Anonymous Coward · · Score: 1

      Oh shut the fuck up. RAID is not a backup. Tape is. A second drive stored offsite is. Guess what happens if ransomware encrypts your data on the RAID? It gets written, encrypted, to both of your goddamned RAID disks. Then you restore off of an actual backup and move on. But RAID sure as shit isn't.

    4. Re:Tape backups by Anonymous Coward · · Score: 0

      Maybe you should read up RAID and how it works....

    5. Re:Tape backups by Anonymous Coward · · Score: 0

      Are you saying RAID10, RAID0 doesn't increase write speed? Are you sure you should be lecturing other people?

    6. Re: Tape backups by Striikerr · · Score: 1

      I would imagine that he meant that larger companies use virtual tape libraries (comprised of hard drives) or use backup systems which write to an array of hard drives instead of tape. These are great for fast backups and restoration of data. Pushing offsite via replication provides the offsite backups.

    7. Re: Tape backups by Anonymous Coward · · Score: 1

      They are not a "backup" unless there is something stopping them being overwritten when the main system gets fucked up. It is difficult to fuck up a tape that has been removed from a system when the shit hits. As a hosting provider near me found out in their last day of operation, an offsite mirror doesn't help when the shit hits if it just mirrors the shit and there is no offline copy of the data to restore from.
      Snapshots help but there are situations where they won't be available.
      Also tape is still cheap at scale. Once you have the drive the media is less than $100 for 3TB (real size not compressed) so after a point it becomes cheaper to have a real backup on tape than buying drives that are likely to be online 100% of the time and fall victim to whatever they are supposed to be saving you from.

    8. Re: Tape backups by Anonymous Coward · · Score: 0

      And Big Iron faithfully copies the encrypted files out to tape quite efficiently. These things are usually "timed" so you've already put several days of infected files to backup before they spring the trap

    9. Re:Tape backups by aXi · · Score: 0

      While my tape is somewhere out of reach of a tapedrive, the last five years of your RAID backups are being encrypted free of charge by some ransomware.

    10. Re:Tape backups by Anonymous Coward · · Score: 0

      Similar to what others have mentioned, RAID and backups are separate things.

      RAID is a must for handling drive errors, and with larger capacities, having RAID 6 or RAID-Z2 to handle bit rot. It isn't really a backup mechanism, because the same "dd if=/dev/zero of=/dev/sda" will zero out data as effectively on a RAID-based LUN as it does with a single drive.

As time has progressed, backups have gotten shittier. A lot of companies think a deduplicating disk array is the solution for backups. It is -part- of a solution (mainly a landing zone for data so that backup windows are made smaller, especially if the drives the data hits are SSDs). However, the data is still online and can be purged by a malicious party, should they find a way to the management network.

Tape is still a useful mechanism. It may not be as trendy as the cloud, but a pile of offline tapes takes 0 watts of energy to store (barring what is needed for HVAC needs), and no remote hacker is going to be able to get data on offline tape volumes without someone on site helping. After the drives are purchased, tapes are relatively cheap, so storing a quarterly archive for 7 years (50 years if doing aircraft work) isn't going to break the bank. To boot, tape drive encryption is brain-dead easy, so if a box of tapes falls off the Iron Mountain truck, it is "just" a hardware loss, not a data breach.

The problem with desktops is the paucity of backup solutions that are more than just "let's throw files to an external HDD". If ransomware nails the backup drive, the whole solution is for naught.

      Windows Server editions have a usable wbadmin utility, but client editions require a third party program (and virtually all of them have the same basic functionality.) Want better features like deduplication, ability to copy backups from one set to another? You will have to go for Backup Exec or even NetBackup for that.

      Macs are a little bit easier with Time Machine, but that also is pretty much basic functionality, dumping data round robin to a list of specified drives.

      Linux really doesn't have any image based backup functionality. With Windows and OS X, (even AIX), I can restore the entire machine from bare metal. Linux, it requires offline imaging to do that. However, for vital data files, Linux does have some very workable solutions that provide security (encryption), deduplication, and ability for multiple hosts to deduplicate. obnam, duplicity, attic, and bup come to mind. So, one can reinstall/rebuild a Linux machine, reload packages, toss on the configs, and restore data as an alternative to a bare metal restore.

      Of course, ransomware tosses a wrench into this. If the software can corrupt backups, the simple "just consider the ransomware attack just a data loss, restore and go on" may not be doable, especially if it is smart enough to silently erase tapes, zero out backup repositories on disks, or encrypt data going on the backups without notice.

      The best defenses against ransomware and its ability to corrupt backups over time is a "pull" based backup system, checking backups with test restores, and having varying retention periods. Software-wise, Backup exec, Microsoft DPM, Retrospect, BRU, and on a smaller scale, Windows Server Fundamentals come to mind. Malware might be able to keep the client from doing backups, but data already stored on the server can't be altered, and if a test verify/restore shows gibberish where a critical Excel file should be, that will be a telltale sign that something is up.

      For home users, a dedicated tape silo or an Avamar appliance may be out of the question. However, there are NAS offerings which are starting to do more than just serve CIFS. Synology's offerings appear to have pull based backup software. Apple's Time Capsule has archive functionality, allowing one to attach an external HDD, have the TC dump the contents of the internal drive to it, then unplug the external drive and toss it offsite.

      Cloud storage is also an alternative, and it should be classified as a storage medium, like CDs, hard disks, SSDs, etc. Encryption goes without saying.

    11. Re:Tape backups by greenfruitsalad · · Score: 1

      let us not forget big iron also uses snapshots. thus making this encrypting thingy almost a non-problem.

    12. Re:Tape backups by mlwmohawk · · Score: 1

Backups suck! Tape sucks, RAID has "backed up data" but is not, in itself, a backup.

      The ONLY real and reliable backup is deduplicated off-site replication, ala something like "Actifio."

    13. Re: Tape backups by hawguy · · Score: 1

      They are not a "backup" unless there is something stopping them being overwritten when the main system gets fucked up. It is difficult to fuck up a tape that has been removed from a system when the shit hits. As a hosting provider near me found out in their last day of operation, an offsite mirror doesn't help when the shit hits if it just mirrors the shit and there is no offline copy of the data to restore from.
      Snapshots help but there are situations where they won't be available.
      Also tape is still cheap at scale. Once you have the drive the media is less than $100 for 3TB (real size not compressed) so after a point it becomes cheaper to have a real backup on tape than buying drives that are likely to be online 100% of the time and fall victim to whatever they are supposed to be saving you from.

      Under what circumstances will snapshots not be available? We make snapshots every 4 hours and keep them for 3 days. Daily snaps are kept for 10 days, weekly snaps are kept for 6 weeks, and monthly snapshots are kept for 6 months. This is all done at the NAS level, application servers don't have access to the snapshots so can't modify or delete them. The primary NAS is replicated (including snapshots) to a secondary NAS (in a different building nearby), and that NAS makes weekly tape dumps that are shipped off to Iron Mountain. We've never had to recall tapes to do a restore, everything we've needed to restore was in snapshots. (we do perform quarterly test restores to make sure we can access the data if we need to). It takes several days to do a full tape backup or restore, so on-disk snapshots are much better than tape, even if tapes are relatively cheap.

      It would take a pretty serious disaster or compromise to make our snapshots unavailable.
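The retention ladder hawguy describes (4-hourly for 3 days, daily for 10 days, weekly for 6 weeks, monthly for 6 months) is what keeps a ransomware run from silently aging the clean copies out of existence. The block below is an added example, not hawguy's code or any NAS vendor's: it implements that ladder as a generic tiered policy and decides, for a set of snapshot timestamps, which to keep and which to expire. The sample schedule (200 days of 4-hourly snapshots ending at a fixed date in November 2015) is constructed for the demonstration, and the 6-month tier is approximated as 183 days.

```python
"""Tiered snapshot retention: keep the newest snapshot per bucket for each tier
whose window still reaches it. Added example; the schedule and the 183-day
approximation of "6 months" are assumptions of this example."""
from datetime import datetime, timedelta
from typing import Callable, Iterable, List, Sequence, Tuple

Bucket = Callable[[datetime], tuple]


def bucket_4h(t: datetime) -> tuple:
    return (t.date(), t.hour // 4)


def bucket_day(t: datetime) -> tuple:
    return (t.date(),)


def bucket_week(t: datetime) -> tuple:
    year, week, _ = t.isocalendar()
    return (year, week)


def bucket_month(t: datetime) -> tuple:
    return (t.year, t.month)


# Each tier: how snapshots are grouped, and how far back the tier reaches.
POLICY: Sequence[Tuple[Bucket, timedelta]] = (
    (bucket_4h, timedelta(days=3)),
    (bucket_day, timedelta(days=10)),
    (bucket_week, timedelta(weeks=6)),
    (bucket_month, timedelta(days=183)),  # ~6 months (assumption)
)


def select_snapshots(snapshots: Iterable[datetime], now: datetime,
                     policy: Sequence[Tuple[Bucket, timedelta]] = POLICY) -> List[datetime]:
    """Return the sorted list of snapshots to keep.

    A snapshot survives if, for at least one tier, it is the newest snapshot in
    its bucket and the tier's window still reaches it. Future timestamps are
    ignored rather than kept, so a skewed clock cannot pin bogus snapshots."""
    snapshots = list(snapshots)
    keep = set()
    for bucket, window in policy:
        newest = {}
        for t in snapshots:
            if t > now or now - t > window:
                continue
            key = bucket(t)
            if key not in newest or t > newest[key]:
                newest[key] = t
        keep.update(newest.values())
    return sorted(keep)


def expire(snapshots: Iterable[datetime], now: datetime,
           policy: Sequence[Tuple[Bucket, timedelta]] = POLICY) -> List[datetime]:
    """The complement of select_snapshots: what the NAS may now delete."""
    snapshots = list(snapshots)
    keep = set(select_snapshots(snapshots, now, policy))
    return sorted(t for t in snapshots if t not in keep)


# Constructed sample: 200 days of 4-hourly snapshots ending at a fixed 'now'.
NOW = datetime(2015, 11, 10, 12, 0)
SAMPLE = [NOW - timedelta(hours=4 * k) for k in range(1200)]


def demo() -> List[datetime]:
    return select_snapshots(SAMPLE, NOW)


def expire_demo() -> List[datetime]:
    return expire(SAMPLE, NOW)


if __name__ == "__main__":
    kept = demo()
    print(f"{len(SAMPLE)} snapshots, keeping {len(kept)}, expiring {len(SAMPLE) - len(kept)}")
    for t in kept:
        print(t.isoformat())
```

The design point that matters against ransomware is the one hawguy makes: this selection runs on the NAS, not on the application servers, so a compromised server can neither shorten the windows nor delete what the policy keeps. Test restores from the oldest tier are the only way to know the kept copies are actually clean.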

  4. soon to be one per day by turkeydance · · Score: 1

    whatever the market will bear

  5. Gathering data by Anonymous Coward · · Score: 1

    Sounds like they're trying to figure out how far their ransomware can get into various networks and environments. See who they hit and do a more invasive hack/extortion later for big money.

  6. A low price is not a bad thing. by sims+2 · · Score: 4, Interesting

However 1 bitcoin is roughly $400. While still less than 10 bitcoins, it's not nothing either.

    --
    Minimum threshold fixed. Thanks!
    1. Re:A low price is not a bad thing. by sound+vision · · Score: 2

      They could be betting that, at a lower price, more people will be willing to cough it up for the data. The first thing to consider is that real professionals won't be affected by this type of thing - they store separate backups on another server (or offline entirely) and so would just restore the data from the backup.

      Having worked for a web hosting company for a couple of years, I envision this being the scenario the ransomware makes the most money from:
      (1). Ransomware encrypts (say) the web site of a small business owner or independent realtor.
      (2). Realtor doesn't notice the site is down for a week or two, by which time the free backup from their cheapo hosting plan has been overwritten with an infected copy.
      (3). Having no backup, realtor is faced with a decision to either pay $800 to have the site recreated by a web dev, or $300 in BTC to pay the ransom.
      If they wanted 10 BTC, it would be more cost-effective to just build the site again, netting the ransomers nothing.

    2. Re:A low price is not a bad thing. by olsmeister · · Score: 1

      If they don't notice for two weeks that their site is down, I'm not sure they should be wasting their money on either option.

    3. Re:A low price is not a bad thing. by Anonymous Coward · · Score: 0

      If you pay once, they will certainly try to re-infect your system, or simply keep the ransomware in place, or not do anything at all except ask for the next payment.

    4. Re:A low price is not a bad thing. by KGIII · · Score: 1

      Rudyard Kipling has something to say on the subject of paying Dane-geld. Basically, if you pay the Dane-geld, you'll never be rid of the Dane.

      --
      "So long and thanks for all the fish."
    5. Re:A low price is not a bad thing. by f3rret · · Score: 1

      Rudyard Kipling has something to say on the subject of paying Dane-geld. Basically, if you pay the Dane-geld, you'll never be rid of the Dane.

      As a Dane, I find this incredibly racist.
      We're a very polite people who would never outstay their welcome.

      --
      Admit nothing. Deny Everything. Make Counter-accusations.
    6. Re:A low price is not a bad thing. by KGIII · · Score: 1

      Well, your signature is appropriate.

      --
      "So long and thanks for all the fish."
    7. Re:A low price is not a bad thing. by sound+vision · · Score: 1

      These people waste money on stuff all the time. What they should be doing isn't relevant.

    8. Re:A low price is not a bad thing. by Anonymous Coward · · Score: 0

      the colonisation of England would seem to disagree with you.

    9. Re:A low price is not a bad thing. by dl_sledding · · Score: 1

      ... The first thing to consider is that real professionals won't be affected by this type of thing - they ensure their filesystem is properly permissioned (as per reams of security best practices) to prevent this attack.

      FTFY

The rest of your post is irrelevant given this, because the site would not go down due to incompetence of the SA.

    10. Re:A low price is not a bad thing. by Anonymous Coward · · Score: 0

      Why? A realtor or small company is likely to have a website with static content, explaining what they do, where to find them, how to get ahold of them, and what their hours are. Sometimes, they'll even explain the products in detail.

      If you aren't changing your products, hours, location, or phone number every couple of days, you aren't visiting your own site.

      A site like that is still plenty useful and rather common. I would likely not bother patronizing someone who didn't bother with this small effort.

  7. The attackers are hoping for volume by CajunArson · · Score: 5, Insightful

    The relatively low price is designed to make it too much of a hassle for the victims to contact the police, lawyers, etc. etc. in an effort to track down and stop the perpetrators.

    They are probably hoping for higher volumes of payment from a lot of people instead of trying to go all Hollywood and ask for some insane amount of money that would make bringing in the cops worthwhile.

    --
    AntiFA: An abbreviation for Anti First Amendment.
  8. A nice low number by mhkohne · · Score: 4, Interesting

    That low ransom makes it REALLY easy for the business to justify just paying them off, instead of spending the time to deal with the problem in a different way. It's even small enough that a lower level manager who doesn't want to get fired for having screwed up and let this happen might pay it himself to keep from looking bad, which means that no one else in the organization might be informed.

    If the malware can get enough traction, it could still bring in the big bucks over time.

    --
    A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.
    1. Re:A nice low number by Anonymous Coward · · Score: 0

      I'm pretty sure ransomware is only going to gain ground over time. There are just so many places to inject malware, and so many places to deny access to needed resources. Couple this with the disinterest that a lot of businesses have with security, and this only will become more common:

      1: A lot of Windows admins run with their daily user with full Domain or Enterprise Admin rights (as opposed to having one user for daily items, and an admin user for admin tasks). If some software gets the ability to run in their user context, the software now owns the forest/domain/tree, and can easily push itself to other hosts, change passwords, destroy/encrypt backups and many other things. With Windows Server 2016, there is a concept of shielded VMs that, if one wants to access them, requires access to an AD domain. If malware can lock that out, it can grind an entire VM farm or private cloud to a halt until the ransom is paid.

2: Malware that sticks around is going to become more lucrative over time. Stuff that sits on a Linux machine and logs keystrokes, then is able to use that info to bounce into other machines (especially if they were logged in as root.) Once with root, it isn't hard to toss in a kernel module that makes itself invisible.

      3: Malware that flashes code into the BIOS of various components. Similar to how LoJack for Laptops has hooks in BIOS to automatically install itself on Windows, even though the HDD was replaced. It wouldn't be hard to demand ransom, or else all devices will just stop working at a certain time. Annoying if it was a cheap USB keyboard, potentially business-killing if it is the BIOS for a very expensive vertical market appliance cluster.

      How can this be prevented?

What malware relies on is island-hopping. A web browser or add-on gives the malware a limited context. It finds another hole to establish unfettered access as that user. Since the user has admin rights, the malware now locates the DCs and injects code there. To fight against this, separation is needed.

      If the Web browser that was compromised was in a VM or sandbox, the malware would be contained to that and not be able to go anywhere. Similar if the user was an unprivileged user, some nefarious task likely would get caught by an audit log.

      Virtualization comes to mind. At the minimum, it isolates the physical hardware. Rogue attempts at flashing drive firmware are mitigated when there is none of that available via the virtual disk. Accessing the USB controller on a keyboard is negated when the VM hands over PS/2 functionality. It also isolates what the bad stuff is able to do. Plus, it also provides snapshot functionality, which is useful for forensics, as well as allowing for a quick revert to a pre-infected state [1].

[1]: For example, if one has VMs that are static (web servers serving data from a lsynced directory or varnish cache), it might be wise to revert them to where they were right after they were previously patched, then apply the next round of patches. That way, anything that might be on there that shouldn't, would be removed.

  9. We're at war... and we're losing by ka9dgx · · Score: 1

    Consider yourself in a cyber-war... any line of program you run on your computer can be turned against you... why do you trust any of it with your full authority?

    Because you don't have a choice, your OS doesn't give you one. Read up on the principle of least privilege, and the ambient authority model we currently use.

    1. Re:We're at war... and we're losing by Khashishi · · Score: 1

      You do have a choice though. You can use BSD.

    2. Re:We're at war... and we're losing by iggymanz · · Score: 1

      This particular malware is a C program that must be run as root to do its damage. I'm sure porting it to BSD and running it as root would be just as bad there as on Linux

  10. Git's not backup. by phantomfive · · Score: 1

    Not long ago someone was trying to convince me that git is an acceptable backup for your code, because it's distributed, so you don't need any other backups.

    This story is another reminder that Git is not a backup. (As the older saying went, "RAID is not backup"). Mirroring is not a backup either, for similar reasons.

    --
    "First they came for the slanderers and i said nothing."
    1. Re:Git's not backup. by Anonymous Coward · · Score: 5, Interesting

      Given git's model, every developer has a full copy of the entire history. Sounds like a great backup to me.

    2. Re:Git's not backup. by Anonymous Coward · · Score: 0

      git push --force

    3. Re:Git's not backup. by Anonymous Coward · · Score: 0

      As a backup system, git works better than dropbox. I was surprised the first time I saw people working on the same code by using the same dropbox folder and despite claims otherwise, I still don't trust such an approach. Unsurprisingly the code had a bunch of "this used to work, but it doesn't anymore and nobody knows why", yet they still failed to see the benefit of revisions. Sadly I have since seen other people use the same approach, though none of them did professional work.

I would argue that git is a backup system if (and only if) you pull the source to a drive, which is backed up by a regular backup system, though then it arguably isn't git itself which is the backup system. Git itself does backup in case of sudden disk failure, but ransomware and other nasty issues... not really, or at least not reliably enough to trust it.

    4. Re:Git's not backup. by phantomfive · · Score: 1

      As a backup system, git works better than dropbox.

      yes lol, absolutely

      --
      "First they came for the slanderers and i said nothing."
    5. Re:Git's not backup. by Anonymous Coward · · Score: 0

      git config --system receive.denyNonFastForwards true

    6. Re:Git's not backup. by stridebird · · Score: 1

So what? So I then pull [*] your rewritten history, and what do I get? A merge. I look at this merge, decide it is a load of bollocks, and blow it away.
      Git is a very fine backup.

      [*] except of course I don't pull. I fetch, every time.

    7. Re:Git's not backup. by Anonymous Coward · · Score: 0

      [*] except of course I don't pull. I fetch, every time.

      You misspelled "git pull --ff-only"

  11. Why a single bitcoin? To hide among the flock. by Cruciform · · Score: 1

    A single bitcoin is likely to be a very common kind of transaction.
Remember the Ashley Madison blackmailers who were asking for very specific amounts, which allowed multiple transactions to multiple bitcoin addresses to be grouped together by those investigating?
    It would be much harder to associate all those wallets if they were for an amount that's commonly used.

    1. Re:Why a single bitcoin? To hide among the flock. by ttucker · · Score: 1

      Business environment is also kind of why the price is so low. Most of the time they are ransoming a little downtime while restoring a backup, not priceless data.

  12. What's The Vector, Victor? by Anonymous Coward · · Score: 3, Interesting

    How does this malware spread? How does it get on the servers? How does it get executed?

If it relies on some idiot to run it as root, I just can't see it as a real threat. If it's coming in via a distro's updates, well that would be... exciting.

    1. Re:What's The Vector, Victor? by See+Attached · · Score: 3, Insightful

      Is this a sales play from DrWeb? I can make a KSH called /tmp/ls that does the same thing....

      --
Time for a new Political party in the US (or two!) One is off the rails, the other can't pony up a leader.
    2. Re:What's The Vector, Victor? by DigiShaman · · Score: 1

      As of a few days ago, Cryptowall 4.0 has been released. Version 3.0 caused over 320 million in damages so far. This thing infects via spammed e-mail attachments, Flash, JS exploits, and MS Word / Excel documents containing instructions on allowing an untrusted macro (virus). Aside from proper lock-down of a Windows network and blocking file attachments, I'm real curious as to how all these ad servers are getting infected? These drive-by-downloads are nasty. AKA "malvertisements".

Cryptowall is perhaps the most professionally engineered, crafted, and run operation of malware in the history of computing, in that if anything is going to crash the web and fold companies, this fucker will do it!!!

      --
      Life is not for the lazy.
    3. Re:What's The Vector, Victor? by See+Attached · · Score: 1

That is the exposure to be concerned with.. how does it get a foothold on a server? What it does is after the FAIL.

      --
Time for a new Political party in the US (or two!) One is off the rails, the other can't pony up a leader.
    4. Re:What's The Vector, Victor? by Anonymous Coward · · Score: 0

      If it requires someone to run it with admin privileges, the server already has a bigger threat than the ransomware!

    5. Re: What's The Vector, Victor? by Redmancometh · · Score: 1

None of these are things you can even do on a nix server. Also...JS? You mean Java?
Cache poisoning itself doesn't infect you.

    6. Re:What's The Vector, Victor? by Barsteward · · Score: 1

Possibly, there is nothing on their site to say how it's "delivered", sounds like another proof of concept

      --
      "The hands that help are better far than lips that pray." - Robert Ingersoll (1833-1899)
    7. Re: What's The Vector, Victor? by DigiShaman · · Score: 1

      JS, as in JavaScript. Though I suppose technically this would be a browser vulnerability for allowing it to happen?

      --
      Life is not for the lazy.
    8. Re: What's The Vector, Victor? by Redmancometh · · Score: 1

      Javascript doesn't attack a browser in the classical sense. The way you cause damage with JS is poisoning the browser's cache. So you add something sketchy to the cached version of a given webpage.

      The classical route of this attack is a proxy that injects code to cache sketchy objects on top of the cache of any page visited. The cache expiration is set to something ridiculously high, so it's not removed without clearing the cache.

      So for example injecting an ad that wasn't there before into youtube, slashdot, etc. Every time the user loads the page they load your ad, and get you an impression.

      So yes this is strictly limited to browsers, and even within the browser is quite limited.

      I asked if you meant Java, because there have been attacks in Java that can escape the browser sandbox and modify system files. Potentially java could be used to infect a server via a means besides a browser.

      Flash is not on servers, no one checks email on servers, and no one views word/excel documents on a server. Word/excel files may be "viewed" on a server, but that would be for processing. In which case they would be accessed using something like the mono interop API (C#) or Apache tika/POI. So embedded bytecode wouldn't be executed.

I suppose these things could happen on a Windows server, but if your admin is browsing and checking his email on a server...ffs

  13. Inflation by Tablizer · · Score: 1

    a fairly low amount compared to other ransomware.

    It's Dr. Evil, from the 1960's.

  14. Never negotiate with terrorists by Anonymous Coward · · Score: 0

    Anyone that pays should be charged with aiding terrorists.

  15. Insert free advert for Dr.Web Anti-virus .. by nickweller · · Score: 1

    "Once launched with administrator privileges, the Trojan loads into the memory of its process files containing cybercriminals' demands"

  16. backup by fluffernutter · · Score: 3, Insightful

    1. There is no reason to have anything rinning as root
    2. There is no reason to run any non-os command as root
    3. it takes 45 mins at most to reimage a server and redeploy from backup

The people who get this are asking for it. It's like the internet startup darwin awards.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    1. Re:backup by TeknoHog · · Score: 4, Funny

      1. There is no reason to have anything rinning as root

      I'm afraid you just misspelled "rimming".

      --
      Escher was the first MC and Giger invented the HR department.
    2. Re:backup by Anonymous Coward · · Score: 0

      > 1. There is no reason to have anything rinning as root

      sshd pretty much always *has* to be able to switch to any user on the system. You can't do this on a Linux box unless you're either root, or have sudo configured to let you switch to any user in the system.

      *getty, cron, samba (most of the time) all need to run as root because they either need to do root-like things (*getty), or act as most any other user in the system (all the others).

      > 2. There is no reason to run any non-os command as root

Ping -on most (all?) Linux systems- *has* to run as root. That's why it's suid root. There are other examples where you need to run one thing or another with root or root-alike privs. Most (all?) daemons that bind to a low port start as root, bind the port and grab whatever else they need, then switch to another user.

      If you think that you're designing something that *has* to run as root, check your assumptions again to see if there's a way around this requirement. Then re-check. Then re-check them a third, fourth, and fifth time. Running as root is something that should be avoided whenever possible, but sometimes running as root is *unavoidable*.
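The "start as root, bind the port, then switch to another user" pattern in the comment above has a specific order that is easy to get wrong: supplementary groups and the gid can only be changed while still root, so `setuid` has to come last, and a careful daemon then checks that root cannot be regained. The block below is an added example, not the commenter's code or any daemon's: `FakeProcess` is a constructed, simplified stand-in for the kernel's credential rules (it ignores capabilities and saved set-user-IDs) so the sequence can be exercised offline, while `RealProcess` applies the same calls on a live Unix host when run as root. The uid/gid 33 and port 80 are sample values.

```python
"""Bind while root, then permanently drop privileges, with the order of the
credential calls made explicit and verified. Added example; FakeProcess is a
constructed simulation, not real kernel behaviour in every detail."""
import os
import socket


class FakeProcess:
    """Simplified model of Unix credential rules: only uid 0 may change groups,
    gid or uid; a port below 1024 needs uid 0. Records every call in .log."""

    def __init__(self):
        self.uid, self.gid, self.groups, self.log = 0, 0, [0], []

    def bind(self, port):
        self.log.append(("bind", port))
        if port < 1024 and self.uid != 0:
            raise PermissionError("binding a port below 1024 needs root")

    def setgroups(self, groups):
        self.log.append(("setgroups", tuple(groups)))
        if self.uid != 0:
            raise PermissionError("setgroups needs root")
        self.groups = list(groups)

    def setgid(self, gid):
        self.log.append(("setgid", gid))
        if self.uid != 0 and gid != self.gid:
            raise PermissionError("unprivileged process cannot change gid")
        self.gid = gid

    def setuid(self, uid):
        self.log.append(("setuid", uid))
        if self.uid != 0 and uid != self.uid:
            raise PermissionError("unprivileged process cannot change uid")
        self.uid = uid


class RealProcess:
    """The same interface backed by the real system calls (run as root)."""

    def bind(self, port):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(("0.0.0.0", port))
        self.sock.listen(16)

    setgroups = staticmethod(os.setgroups)
    setgid = staticmethod(os.setgid)
    setuid = staticmethod(os.setuid)


def drop_privileges(proc, uid, gid, groups=()):
    """Permanently give up root. Groups and gid first (they need root), uid last."""
    if uid == 0 or gid == 0:
        raise ValueError("refusing to 'drop' to uid/gid 0")
    proc.setgroups(list(groups))
    proc.setgid(gid)
    proc.setuid(uid)
    # Verify the drop stuck: regaining root must now fail. Refuse to run a
    # supposedly unprivileged service that still has a way back.
    try:
        proc.setuid(0)
    except PermissionError:
        return
    raise RuntimeError("privilege drop did not stick")


def start_daemon(proc, port, uid, gid, groups=()):
    """The low-port daemon sequence: bind while still root, then drop."""
    proc.bind(port)
    drop_privileges(proc, uid, gid, groups)
    return getattr(proc, "log", None)


def wrong_order_fails(uid=33, gid=33):
    """Why setuid-first is a bug: the later setgid is refused, leaving gid 0."""
    proc = FakeProcess()
    try:
        proc.setuid(uid)
        proc.setgid(gid)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    proc = FakeProcess()
    for call in start_daemon(proc, 80, 33, 33, [33]):
        print(call)
    print("wrong order refused:", wrong_order_fails())
```

With the real adapter, `os.setuid` called by root sets the real, effective and saved uid together, which is why the follow-up `setuid(0)` check fails as intended; a daemon that used `seteuid` instead would pass the bind step but keep a saved root uid to return to.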

    3. Re:backup by Anonymous Coward · · Score: 0

      Why is root even an account then? Obviously UNIX was designed poorly.

    4. Re: backup by Redmancometh · · Score: 1

All of those services you configure, run as root, then they are running as services. It's not like you start sshd or cron up every day. Hell, starting things up often is cron's purpose.

Also ping can be replaced with a script...TCP doesn't need root.

    5. Re:backup by jddj · · Score: 1

      "1. There is no reason to have anything r[u]nning as root"

      Is that supposed to include the OS processes and services? 'cuz there's a ton of them on a server I work with.

      I can see how I'd (begin to) secure anything I'd installed from running on root - and probably differently for each app/service. But what am I to do about the OS itself?

      Or perhaps point 1 was stated with less precision than I'd imagine. (not being sarcastic - really wanna know).

  17. Ho-Bloody-Hum by Anonymous Coward · · Score: 0

    Gee - a Linux virus that requires "administrator" (I guess they mean "root", but they're most likely Windoze people, so don't have much idea) privileges to run. I can't imagine this being some kind of marketing exercise. Not on an anti-virus vendor's web site. Oh no.

    I've done a quick Google, but can't find any mention anywhere of how the user is actually tricked into running this program/script as root. And that's the point - nearly everyone administering a reasonable size web-server or servers is going to be savvy enough to check before running something as root (and it *did* say Trojan in TFA, so it's not some other kind of exploit). And for the idiots who *do* run this as root - it's a good learning exercise !

    1. Re:Ho-Bloody-Hum by LVSlushdat · · Score: 1

      Not to mention any SERIOUS webhost is NOT going to be running Gnome/KDE/whatever, so the usual "infection vector", namely the browser (FF/Chrome) is not present and therefore is not going to be able to do its dirty work.. Frankly, I can't really imagine *how* this malware would get onto a properly set up Linux-based webhost.. Perhaps I'm missing something, after all I've only been using Linux professionally since 1994 or so...

      --
      THANK YOU, Edward Snowden!! Americans owe you a debt of gratitude (whether they know it or not..)
    2. Re:Ho-Bloody-Hum by tlhIngan · · Score: 1

      Not to mention any SERIOUS webhost is NOT going to be running Gnome/KDE/whatever, so the usual "infection vector", namely the browser (FF/Chrome) is not present and therefore is not going to be able to do its dirty work.. Frankly, I can't really imagine *how* this malware would get onto a properly set up Linux-based webhost.. Perhaps I'm missing something, after all I've only been using Linux professionally since 1994 or so...

      Easy - piracy.

      You have to remember a properly secured webhost would mean the instances are separated from each other, but an infected instance can wreak damage on the instance it's on. (And more malware these days is user-space based - sure it's harder to hide, but sometimes... why bother?).

      And what are people pirating? Well, think of things like "premium" themes for stuff like WordPress and other things people buy crap for.

      And this doesn't exclude the piracy of stuff like monitoring tools and other such things because the company refuses to pay for it.

  18. Dummies. by Anonymous Coward · · Score: 3, Interesting

    eg. from this article...
    http://www.securityweek.com/file-encrypting-ransomware-targets-linux-users

    It’s unclear at this point how the malware is distributed and installed on victims’ computers

    eg. from this article...
    http://securityaffairs.co/wordpress/41787/cyber-crime/linux-ransomware.html

    Linux ransomware already infected at least tens of users

    So nobody knows how this mysterious trojan gets run as root on web servers. No mention of what distro is affected, if this story is legit. Realize there are actual proprietary OS companies who pay to shill. The fact that Linux is better and open source and free makes Windows and Apple look stupid. So does it make sense they want to discredit Linux? FUD about web servers?

    Wait for an actual legit demonstration of how this "ransomware trojan" infects a web server. I mean other than some tweak got paid a few bucks to write a script and give it to his gamer buddies in Russia to run as root @ localhost.

    Read even this.
    https://en.wikipedia.org/wiki/Linux_malware

    Worms and targeted attacks

    The classical threat to Unix-like systems is vulnerabilities in network daemons, such as SSH and web servers. These can be used by worms or for attacks against specific targets. As servers are patched quite quickly when a vulnerability is found, there have been only a few widespread worms of this kind. As specific targets can be attacked through a vulnerability that is not publicly known there is no guarantee that a certain installation is secure. Also servers without such vulnerabilities can be successfully attacked through weak passwords.

    Threats

    The following is a partial list of known Linux malware. However, few if any are in the wild, and most have been rendered obsolete by Linux updates or were never a threat. Known malware is not the only or even the most important threat: new malware or attacks directed to specific sites can use vulnerabilities previously unknown to the community or unused by malware.

    So don't believe the hype. If this story is legit at all, it will be scrutinized 100% and all possible methods of injection will be considered by one hell of a lot of smart people. The code is open source.

    1. Re:Dummies. by Anonymous Coward · · Score: 0

      The code is open source.

      So is OpenSSL and look what was going on FOR YEARS, on helluva huge number of machines, before it being noticed.

      So is bash and look what was going on FOR YEARS, on helluva huge number of machines, before it being noticed.

    2. Re: Dummies. by Anonymous Coward · · Score: 0

      I agree, this is probably FUD being spread related to the M$ Azure/Red Hat Apache notice from a few days ago.

    3. Re:Dummies. by Anonymous Coward · · Score: 0

      Shut up dummy.

      http://tech.slashdot.org/story/15/11/08/2334257/wordpress-now-powers-25-of-the-web

      http://toolbar.netcraft.com/site_report?url=wordpress.com
      http://toolbar.netcraft.com/site_report?url=wordpress.org
      http://toolbar.netcraft.com/site_report?url=www.akamai.com
      http://toolbar.netcraft.com/site_report?url=www.microsoft.com
      http://toolbar.netcraft.com/site_report?url=www.apple.com

      All on Linux, and that's just a fraction. Amazon... etc... 97% of supercomputers... the International Space Station... NASA... etc etc. Cyberspace is vastly open source. Androids. SteamOS really soon (like 24 hours or so from now). Routers. PS4 uses a customized BSD kernel. Netflix runs on BSD. etc etc. Smart TVs? Linux. Much open source around.

      and look what was going on FOR YEARS

      Closed source has been hacked cracked and bot-netted so many ways for so long already by people ages 10+. Probably younger.

      ALL CAPS for years, helluva ALL CAPS for years.

  19. Re:You have to catch it 1st: I don't let you by Anonymous Coward · · Score: 0

    Dude! People will take you more seriously if you don't act retarded. Seriously, post once then end it.

  20. Re:You have to catch it 1st: I don't let you by Anonymous Coward · · Score: 0

    Douche! Nobody takes you seriously as you are retarded. Downmod once then end it.

  21. This may be a good thing by Anonymous Coward · · Score: 0

    It may get people to write a script that will:
    1. Snapshot their server and application configuration
    2. Backup database and server data
    3. Be able to backup/restore in the case of full data loss
    4. Apply security properly

    For $400 you could buy an external hdd and mirror a small server.
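
The backup-and-restore script the comment above wishes people would write, as an added example (not code from the thread or from any project it mentions). It assumes nothing beyond the Python standard library: the source tree is a constructed web-host layout (config, code and a file standing in for `mysqldump` output), the archive goes into a directory of your choosing, and a `.sha256` manifest is written beside it. The point the comment makes implicitly is the restore check: an archive counts as a backup only after it has been checksummed and actually extracted again, and `demo()` also shows that a corrupted archive is rejected rather than silently restored.

```python
# Added example (not code from the thread or from any project it mentions):
# snapshot a tree, checksum the archive, then prove it restores.
# All paths and file contents below are constructed for the demo.
import hashlib
import os
import tarfile
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_sample_tree(root: str) -> int:
    """Write a small constructed web-host tree (config, code, a DB dump)
    and return the number of files written."""
    files = {
        "site.conf": "server_name example.test;\n",
        "htdocs/index.php": "<?php echo 'hello'; ?>\n",
        "db/dump.sql": "CREATE TABLE t (id INT);\n",   # stands in for mysqldump output
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(body)
    return len(files)


def make_backup(src_dir: str, dest_dir: str) -> str:
    """Archive src_dir into dest_dir/backup-<utc stamp>.tar.gz and write a
    sha256sum-style manifest beside it. Returns the archive path."""
    os.makedirs(dest_dir, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = os.path.join(dest_dir, f"backup-{stamp}.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src_dir, arcname=".")
    with open(archive + ".sha256", "w") as f:
        f.write(f"{sha256_file(archive)}  {os.path.basename(archive)}\n")
    return archive


def verify_restore(archive: str) -> int:
    """Check the manifest, then really extract into a scratch directory.
    Returns the number of files restored, or 0 if the checksum does not
    match, the manifest is missing, or extraction fails."""
    try:
        with open(archive + ".sha256") as f:
            expected = f.read().split()[0]
    except (OSError, IndexError):
        return 0
    if expected != sha256_file(archive):
        return 0
    # Use the hardened extraction filter where this Python version has it,
    # so a crafted archive cannot write outside the scratch directory.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch, **kwargs)
        except (tarfile.TarError, OSError, ValueError):
            return 0
        return sum(len(names) for _, _, names in os.walk(scratch))


def demo() -> tuple:
    """Full cycle on a constructed tree: backup, verify, then corrupt the
    archive and verify again. Returns (files_written, files_restored,
    files_restored_after_corruption)."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "site")
        dest = os.path.join(work, "backups")
        written = build_sample_tree(src)
        archive = make_backup(src, dest)
        restored = verify_restore(archive)
        with open(archive, "ab") as f:
            f.write(b"\x00")          # simulate bit rot or tampering
        after_corruption = verify_restore(archive)
        return written, restored, after_corruption


if __name__ == "__main__":
    print("written, restored, restored after corruption:", demo())
```

In production the `build_sample_tree` step is replaced by whatever writes the real config snapshot and database dump into the source tree before `make_backup` runs; the verify step is the part that usually gets skipped and the part that matters when the ransom note arrives.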

    1. Re:This may be a good thing by Anonymous Coward · · Score: 0

      What people? Sadly, the increasing number of "admins" are people who get a five buck droplet and one-click an application, completely oblivious to proper security practices. I know a few who never update their systems, not even knowing how to do that.

      And then you have idiots who by some weird chance became the authors of a leading open source project accepted by almost all Linux distros, idiots who are then convincing the general public, with a straight face, that log corruption is normal and there's nothing to do about it, just rotate it out.

      Such interesting times ahead of us... I'll be sitting at my ancient, luddite FreeBSD console, eating popcorn and laughing as you noobs pay me for the proper backup service and cleanup after you get pwned.

  22. encrypt files that are related to Web hosting? by Anonymous Coward · · Score: 0

    I do that all the time and incidentally back it up.
    I use Linux.
    Why do I need ransomware to do it for me?

  23. Improper system conf by noobs by Anonymous Coward · · Score: 0

    Root should be used as a service account, not for interactive logins. Sadly, systemd will probably be the most common fix for Linux.

    The design of Unix is 40+ yrs old now. It was designed for a different time and that design has held up fairly well, unlike any other OS made. Even MVS has a system account. There is always a trade-off between security and convenience.

    Tools like apparmor and SELinux, when actually used, make issues like this impossible. However, most noobs simply disable these tools.

    Most security issues on Unix are caused by noobs not managing their configurations correctly.

    Most security issues on Windows are caused by Microsoft, Oracle and Adobe.

  24. Looks like an advertisement by ebvwfbw · · Score: 1

    For Dr. Web anti virus crap.

    Once again, if you bypass all the security as only a complete idiot would do, Unix is vulnerable.

  25. What will happen if.... by Anonymous Coward · · Score: 0

    you download Dr. Web's anti-virus and execute it as 'root'??

  26. You have to catch it 1st: I don't let you by Anonymous Coward · · Score: 0

    See subject - what can't touch you can't hurt you via APK Hosts File Engine 9.0++ SR-2 32/64-bit http://start64.com/index.php?o...

    ---

    FREE & not 'souled-out' to advertisers + adds speed, security & reliability & does FAR more w/ FAR less more efficiently vs. redundant browser addons & locally installed DNS servers @ home + fixes DNS' many security issues & it stops a LOT of tracking @ webpage + DNS levels combined too from 1 file you already NATIVELY have - firewalls do the rest (on lesser used IP address based tracking vs. host-domain name type).

    ---

    It obtains data vs. online threats & for adbanner blocking from 10 reputable sites in the security community!

    ---

    It SPEEDS YOU UP 2 ways (adblocking + locally cached in RAM favorites placed @ the TOP of hosts for fastest resolution speed vs. remote DNS also aiding reliability) vs. other "so-called security 'solutions'" SLOWING YOU!

    ---

    It does all that via something you natively have vs. "bolting on browser addons 'MOAR'" that's usermode slower & increases messagepassing, cpu + ram overheads!

    ---

    MalwareBytes' hpHosts Admin (MalwareBytes employee) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus per this VERY recent testing of them all http://www.av-test.org/en/news...

    &

    It's safe proven by 57 antivirus programs recently in BOTH its 64-bit model https://www.virustotal.com/en/...

    +

    In its 32-bit model too https://www.virustotal.com/en/...

    ---

    * "The premise is quite simple: Take something designed by nature & reprogram it to make it work for the body rather than against it..." - Dr. Alice Krippen: "I am legend".

    APK

    P.S.=> By "yours truly" - "The Lord of Hosts" so-to-speak:

    "The image this title brings to mind is of a mighty military commander, one who can at a mere word summon rank upon rank of protective power" from https://answers.yahoo.com/ques... & THAT WORD = hosts!

    (Accept NO substitutes!)

    ...apk

  27. Some good news! by Anonymous Coward · · Score: 0

    The guys at BitDefender have managed to find a weakness in the encryption process implemented by this ransomware.

    http://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/

    They provide a python script to decrypt previously encrypted files. Hopefully this can help someone, assuming they aren't infected by the next version without this bug.

  28. Linux has problems and low comments in /. by Anonymous Coward · · Score: 0

    When Linux seems to be vulnerable, look at the comment numbers. A low number. Time for BSDs to punch in.