Slashdot Mirror


Ransomware Found Targeting Linux Servers, MySQL, Git, Other Development Files (drweb.com)

An anonymous reader writes: A new piece of ransomware has been discovered that targets Linux servers, looking to encrypt only files that are related to Web hosting, Web servers, MySQL, Subversion, Git, and other technologies used in Web development and HTTP servers. Weirdly, despite targeting business environments, the ransomware only asks for 1 Bitcoin, a fairly low amount compared to other ransomware.

51 of 93 comments

  1. Root by Anonymous Coward · · Score: 5, Informative

    "Once launched with administrator privileges..."

    Well, there's your problem.

    1. Re:Root by BostjanSkufca · · Score: 1

      "Once launched with administrator privileges..."

      Well, there's your problem.

      This rarely happens, as it seems. I hope, at least.

      However, once someone figures out that common PHP applications, which are currently mostly exploited for sending spam and distributing malware, can be abused in this crypto-ransom fashion, some "interesting" times will follow. Especially vulnerable deployments are those where the very same user that owns executable files is used for running that application too (I am looking at your defaults, cPanel), or, to a lesser extent, applications that permit executable code in some writable directories.

      I guess encrypting application code will not be THAT problematic, but encrypting database content is another matter altogether.

      Hosting companies raising backup restore prices in 3, 2, 1...
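      The deployment pattern called out above (the application executing as the same account that owns its code, or having writable directories under the web root) can be audited mechanically. The following is an added example, not part of the original comment and not cPanel's or Dr.Web's code: it walks a web root and reports every file or directory that the configured application account could modify, either because it owns the entry, because the entry is group-writable by the application's group, or because it is world-writable. The function names, the sample tree built by `demo()`, and the `/var/www/example.com` path in the usage comment are this example's own.

```python
import os
import stat
import tempfile
from typing import List, Optional, Tuple

# Reasons an entry is reported. An application account that can rewrite its own
# code, or drop files into a writable directory under the web root, is what lets
# a compromised PHP application encrypt or replace the site it runs.
OWNED = "owned by application user"
GROUP_WRITABLE = "group-writable by application group"
WORLD_WRITABLE = "world-writable"


def classify(uid: int, gid: int, mode: int, app_uid: int, app_gid: int) -> Optional[str]:
    """Return why the application account could modify an entry, or None.

    Ownership is reported even when no write bit is set, because the owner
    can chmod the entry back to writable at any time.
    """
    if uid == app_uid:
        return OWNED
    if mode & stat.S_IWOTH:
        return WORLD_WRITABLE
    if gid == app_gid and mode & stat.S_IWGRP:
        return GROUP_WRITABLE
    return None


def audit_tree(root: str, app_uid: int, app_gid: int) -> List[Tuple[str, str]]:
    """Walk `root` and return (path, reason) for every entry the app account could modify.

    Entries are inspected with lstat, so symlinks are judged on their own bits
    and never followed outside the web root.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        # The empty name inspects the directory itself, then each file in it.
        for name in [""] + filenames:
            path = os.path.join(dirpath, name) if name else dirpath
            try:
                st = os.lstat(path)
            except OSError:
                continue
            reason = classify(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode), app_uid, app_gid)
            if reason:
                findings.append((path, reason))
    return sorted(findings)


def demo() -> Tuple[List[str], List[str]]:
    """Constructed sample: a web root with index.php (0644) and a world-writable
    uploads/ directory (0777). Audited twice: as if the application ran as the
    current account, which owns everything, and as a foreign account."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.chmod(root, 0o755)
    index = os.path.join(root, "index.php")
    with open(index, "w") as f:
        f.write("<?php echo 'hello'; ?>\n")
    os.chmod(index, 0o644)
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    os.chmod(uploads, 0o777)
    uid, gid = os.getuid(), os.getgid()
    as_owner = [reason for _, reason in audit_tree(root, uid, gid)]
    as_other = [reason for _, reason in audit_tree(root, uid + 1, gid + 1)]
    return as_owner, as_other


if __name__ == "__main__":
    import pwd
    import sys
    # Usage: python audit_webroot.py /var/www/example.com www-data
    # (hypothetical path and account; substitute the real docroot and the
    # account the application actually runs as)
    pw = pwd.getpwnam(sys.argv[2])
    for path, reason in audit_tree(sys.argv[1], pw.pw_uid, pw.pw_gid):
        print(f"{reason}: {path}")
```

      Run against a real docroot, an empty report is the goal: code owned by a deploy account the application cannot write as, and only the directories that genuinely need uploads writable, ideally with execution disabled there by the web server configuration.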

  2. Tape backups by Billly+Gates · · Score: 1, Interesting

    Unlike desktops, big iron uses tape and RAID backups.

    1. Re:Tape backups by Anonymous Coward · · Score: 4, Informative

      Unlike desktops, big iron uses tape and RAID backups.

      Raid is not a backup.

    2. Re:Tape backups by Anonymous Coward · · Score: 1

      RAID would simply increase the speed of encryption.

    3. Re:Tape backups by Anonymous Coward · · Score: 1

      Oh shut the fuck up. RAID is not a backup. Tape is. A second drive stored offsite is. Guess what happens if ransomware encrypts your data on the RAID? It gets written, encrypted, to both of your goddamned RAID disks. Then you restore off of an actual backup and move on. But RAID sure as shit isn't.

    4. Re: Tape backups by Striikerr · · Score: 1

      I would imagine that he meant that larger companies use virtual tape libraries (comprised of hard drives) or use backup systems which write to an array of hard drives instead of tape. These are great for fast backups and restoration of data. Pushing offsite via replication provides the offsite backups.

    5. Re: Tape backups by Anonymous Coward · · Score: 1

      They are not a "backup" unless there is something stopping them being overwritten when the main system gets fucked up. It is difficult to fuck up a tape that has been removed from a system when the shit hits. As a hosting provider near me found out in their last day of operation, an offsite mirror doesn't help when the shit hits if it just mirrors the shit and there is no offline copy of the data to restore from.
      Snapshots help but there are situations where they won't be available.
      Also tape is still cheap at scale. Once you have the drive, the media is less than $100 for 3TB (real size, not compressed), so after a point it becomes cheaper to have a real backup on tape than buying drives that are likely to be online 100% of the time and fall victim to whatever they are supposed to be saving you from.

    6. Re:Tape backups by greenfruitsalad · · Score: 1

      let us not forget big iron also uses snapshots, thus making this encrypting thingy almost a non-problem.

    7. Re:Tape backups by mlwmohawk · · Score: 1

      Backups suck! Tape sucks; RAID has "backed up data" but is not, in itself, a backup.

      The ONLY real and reliable backup is deduplicated off-site replication, à la something like "Actifio."

    8. Re: Tape backups by hawguy · · Score: 1

      They are not a "backup" unless there is something stopping them being overwritten when the main system gets fucked up. It is difficult to fuck up a tape that has been removed from a system when the shit hits. As a hosting provider near me found out in their last day of operation, an offsite mirror doesn't help when the shit hits if it just mirrors the shit and there is no offline copy of the data to restore from.
      Snapshots help but there are situations where they won't be available.
      Also tape is still cheap at scale. Once you have the drive, the media is less than $100 for 3TB (real size, not compressed), so after a point it becomes cheaper to have a real backup on tape than buying drives that are likely to be online 100% of the time and fall victim to whatever they are supposed to be saving you from.

      Under what circumstances will snapshots not be available? We make snapshots every 4 hours and keep them for 3 days. Daily snaps are kept for 10 days, weekly snaps are kept for 6 weeks, and monthly snapshots are kept for 6 months. This is all done at the NAS level, application servers don't have access to the snapshots so can't modify or delete them. The primary NAS is replicated (including snapshots) to a secondary NAS (in a different building nearby), and that NAS makes weekly tape dumps that are shipped off to Iron Mountain. We've never had to recall tapes to do a restore, everything we've needed to restore was in snapshots. (we do perform quarterly test restores to make sure we can access the data if we need to). It takes several days to do a full tape backup or restore, so on-disk snapshots are much better than tape, even if tapes are relatively cheap.

      It would take a pretty serious disaster or compromise to make our snapshots unavailable.
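      hawguy's retention schedule (every snapshot for 3 days, one per day for 10 days, one per week for 6 weeks, one per month for 6 months) is the kind of policy a pruning job on the NAS has to implement. The following is an added example, not the poster's or any storage vendor's code: it decides which snapshot timestamps to keep under that schedule and which to expire, applying each tier independently and keeping the newest snapshot in each bucket. It assumes "6 months" means 183 days and "weekly" means ISO calendar week, and it runs over a constructed 4-hourly history; the function names are its own. The other half of the design in the post, keeping the snapshots out of reach of the application servers, is a storage-side access control and is not something a retention rule expresses.

```python
from datetime import datetime, timedelta
from typing import Callable, Iterable, List, Tuple

# One rule per line of hawguy's schedule: (window, bucket function). Within a
# rule's window the newest snapshot in each bucket is kept. "6 months" as 183
# days and "weekly" as ISO calendar week are this example's assumptions.
Rule = Tuple[timedelta, Callable[[datetime], object]]

POLICY: List[Rule] = [
    (timedelta(days=3),   lambda ts: ts),                    # every snapshot for 3 days
    (timedelta(days=10),  lambda ts: ts.date()),             # one per day for 10 days
    (timedelta(weeks=6),  lambda ts: ts.isocalendar()[:2]),  # one per ISO week for 6 weeks
    (timedelta(days=183), lambda ts: (ts.year, ts.month)),   # one per month for 6 months
]


def select_keep(snapshots: Iterable[datetime], now: datetime,
                policy: List[Rule] = POLICY) -> List[datetime]:
    """Return the snapshots the policy retains, oldest first.

    A snapshot survives if any rule keeps it; rules are applied independently,
    so a snapshot that is the newest of its day is kept even when it is not
    the newest of its week.
    """
    snapshots = list(snapshots)
    keep = set()
    for window, bucket in policy:
        newest = {}
        for ts in snapshots:
            if now - ts > window:
                continue  # older than this rule cares about
            key = bucket(ts)
            if key not in newest or ts > newest[key]:
                newest[key] = ts
        keep.update(newest.values())
    return sorted(keep)


def select_expire(snapshots: Iterable[datetime], now: datetime,
                  policy: List[Rule] = POLICY) -> List[datetime]:
    """The complement of select_keep: what a pruning job would destroy."""
    snapshots = list(snapshots)
    keep = set(select_keep(snapshots, now, policy))
    return sorted(ts for ts in snapshots if ts not in keep)


def sample_history(now: datetime, days: int = 200) -> List[datetime]:
    """Constructed 4-hourly snapshot timestamps reaching `days` back from `now`."""
    return [now - timedelta(hours=4 * i) for i in range(days * 6)]


EXAMPLE_NOW = datetime(2015, 11, 10, 12)   # constructed "current time"


def demo(now: datetime = EXAMPLE_NOW) -> Tuple[List[datetime], List[datetime]]:
    """Apply the policy to the constructed history and return (kept, expired)."""
    history = sample_history(now)
    return select_keep(history, now), select_expire(history, now)


if __name__ == "__main__":
    kept, expired = demo()
    print(f"{len(kept)} kept, {len(expired)} expired out of {len(kept) + len(expired)}")
    for ts in kept:
        print("keep", ts.isoformat())
```

      On the constructed 200-day history the policy keeps 35 snapshots and expires 1165. The point worth noticing is that a snapshot is only ever deleted by this job, never by the hosts whose data it protects; the schedule above is only useful if the pruning job is the sole writer to the snapshot store.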

  3. soon to be one per day by turkeydance · · Score: 1

    whatever the market will bear

  4. Gathering data by Anonymous Coward · · Score: 1

    Sounds like they're trying to figure out how far their ransomware can get into various networks and environments. See who they hit and do a more invasive hack/extortion later for big money.

  5. A low price is not a bad thing. by sims+2 · · Score: 4, Interesting

    However 1 bitcoin is roughly $400. While still less than 10 bitcoins, it's not nothing either.

    --
    Minimum threshold fixed. Thanks!
    1. Re:A low price is not a bad thing. by sound+vision · · Score: 2

      They could be betting that, at a lower price, more people will be willing to cough it up for the data. The first thing to consider is that real professionals won't be affected by this type of thing - they store separate backups on another server (or offline entirely) and so would just restore the data from the backup.

      Having worked for a web hosting company for a couple of years, I envision this being the scenario the ransomware makes the most money from:
      (1). Ransomware encrypts (say) the web site of a small business owner or independent realtor.
      (2). Realtor doesn't notice the site is down for a week or two, by which time the free backup from their cheapo hosting plan has been overwritten with an infected copy.
      (3). Having no backup, realtor is faced with a decision to either pay $800 to have the site recreated by a web dev, or $300 in BTC to pay the ransom.
      If they wanted 10 BTC, it would be more cost-effective to just build the site again, netting the ransomers nothing.

    2. Re:A low price is not a bad thing. by olsmeister · · Score: 1

      If they don't notice for two weeks that their site is down, I'm not sure they should be wasting their money on either option.

    3. Re:A low price is not a bad thing. by KGIII · · Score: 1

      Rudyard Kipling has something to say on the subject of paying Dane-geld. Basically, if you pay the Dane-geld, you'll never be rid of the Dane.

      --
      "So long and thanks for all the fish."
    4. Re:A low price is not a bad thing. by f3rret · · Score: 1

      Rudyard Kipling has something to say on the subject of paying Dane-geld. Basically, if you pay the Dane-geld, you'll never be rid of the Dane.

      As a Dane, I find this incredibly racist.
      We're a very polite people who would never outstay their welcome.

      --
      Admit nothing. Deny Everything. Make Counter-accusations.
    5. Re:A low price is not a bad thing. by KGIII · · Score: 1

      Well, your signature is appropriate.

      --
      "So long and thanks for all the fish."
    6. Re:A low price is not a bad thing. by sound+vision · · Score: 1

      These people waste money on stuff all the time. What they should be doing isn't relevant.

    7. Re:A low price is not a bad thing. by dl_sledding · · Score: 1

      ... The first thing to consider is that real professionals won't be affected by this type of thing - they ensure their filesystem is properly permissioned (as per reams of security best practices) to prevent this attack.

      FTFY

      The rest of your post is irrelevant given this, because the site would not go down due to incompetence of the SA.

  6. The attackers are hoping for volume by CajunArson · · Score: 5, Insightful

    The relatively low price is designed to make it too much of a hassle for the victims to contact the police, lawyers, etc. etc. in an effort to track down and stop the perpetrators.

    They are probably hoping for higher volumes of payment from a lot of people instead of trying to go all Hollywood and ask for some insane amount of money that would make bringing in the cops worthwhile.

    --
    AntiFA: An abbreviation for Anti First Amendment.
  7. A nice low number by mhkohne · · Score: 4, Interesting

    That low ransom makes it REALLY easy for the business to justify just paying them off, instead of spending the time to deal with the problem in a different way. It's even small enough that a lower level manager who doesn't want to get fired for having screwed up and let this happen might pay it himself to keep from looking bad, which means that no one else in the organization might be informed.

    If the malware can get enough traction, it could still bring in the big bucks over time.

    --
    A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.
  8. We're at war... and we're losing by ka9dgx · · Score: 1

    Consider yourself in a cyber-war... any line of program you run on your computer can be turned against you... why do you trust any of it with your full authority?

    Because you don't have a choice, your OS doesn't give you one. Read up on the principle of least privilege, and the ambient authority model we currently use.

    1. Re:We're at war... and we're losing by Khashishi · · Score: 1

      You do have a choice though. You can use BSD.

    2. Re:We're at war... and we're losing by iggymanz · · Score: 1

      This particular malware is a C program that must be run as root to do its damage. I'm sure porting it to BSD and running it as root would be just as bad there as on Linux.

  9. Git's not backup. by phantomfive · · Score: 1

    Not long ago someone was trying to convince me that git is an acceptable backup for your code, because it's distributed, so you don't need any other backups.

    This story is another reminder that Git is not a backup. (As the older saying went, "RAID is not backup"). Mirroring is not a backup either, for similar reasons.

    --
    "First they came for the slanderers and i said nothing."
    1. Re:Git's not backup. by Anonymous Coward · · Score: 5, Interesting

      Given git's model, every developer has a full copy of the entire history. Sounds like a great backup to me.

    2. Re:Git's not backup. by phantomfive · · Score: 1

      As a backup system, git works better than dropbox.

      yes lol, absolutely

      --
      "First they came for the slanderers and i said nothing."
    3. Re:Git's not backup. by stridebird · · Score: 1

      So what? So I then pull [*] your rewritten history, and what do I get? A merge. I look at this merge, decide it is a load of bollocks, and blow it away.
      Git is a very fine backup.

      [*] except of course I don't pull. I fetch, every time.

  10. Why a single bitcoin? To hide among the flock. by Cruciform · · Score: 1

    A single bitcoin is likely to be a very common kind of transaction.
    Remember the Ashley Madison blackmailers who were asking for very specific amounts, which allowed multiple transactions to multiple bitcoin addresses to be grouped together by those investigating?
    It would be much harder to associate all those wallets if they were for an amount that's commonly used.

    1. Re:Why a single bitcoin? To hide among the flock. by ttucker · · Score: 1

      Business environment is also kind of why the price is so low. Most of the time they are ransoming a little downtime while restoring a backup, not priceless data.

  11. What's The Vector, Victor? by Anonymous Coward · · Score: 3, Interesting

    How does this malware spread? How does it get on the servers? How does it get executed?

    If it relies on some idiot to run it as root, I just can't see it as a real threat. If it's coming in via a distro's updates, well that would be... exciting.

    1. Re:What's The Vector, Victor? by See+Attached · · Score: 3, Insightful

      Is this a sales play from DrWeb? I can make a KSH called /tmp/ls that does the same thing....

      --
      Time for a new Political party in the US (or two!) One is off the rails Other cant pony up a leader.
    2. Re:What's The Vector, Victor? by DigiShaman · · Score: 1

      As of a few days ago, Cryptowall 4.0 has been released. Version 3.0 caused over 320 million in damages so far. This thing infects via spammed e-mail attachments, Flash, JS exploits, and MS Word / Excel documents containing instructions on allowing an untrusted macro (virus). Aside from proper lock-down of a Windows network and blocking file attachments, I'm real curious as to how all these ad servers are getting infected? These drive-by-downloads are nasty. AKA "malvertisements".

      Cryptowall is perhaps the most professionally engineered, crafted, and run operation of malware in the history of computing in that if anything is going to crash the web and fold companies, this fucker will do it!!!

      --
      Life is not for the lazy.
    3. Re:What's The Vector, Victor? by See+Attached · · Score: 1

      That is the exposure to be concerned with.. how does it get a foothold on a server? What it does, is after the FAIL.

      --
      Time for a new Political party in the US (or two!) One is off the rails Other cant pony up a leader.
    4. Re: What's The Vector, Victor? by Redmancometh · · Score: 1

      None of these are things you can even do on a *nix server. Also... JS? You mean Java?
      Cache poisoning itself doesn't infect you.

    5. Re:What's The Vector, Victor? by Barsteward · · Score: 1

      Possibly, there is nothing on their site to say how it's "delivered", sounds like another proof of concept

      --
      "The hands that help are better far than lips that pray." - Robert Ingersoll (1833-1899)
    6. Re: What's The Vector, Victor? by DigiShaman · · Score: 1

      JS, as in JavaScript. Though I suppose technically this would be a browser vulnerability for allowing it to happen?

      --
      Life is not for the lazy.
    7. Re: What's The Vector, Victor? by Redmancometh · · Score: 1

      Javascript doesn't attack a browser in the classical sense. The way you cause damage with JS is poisoning the browser's cache. So you add something sketchy to the cached version of a given webpage.

      The classical route of this attack is a proxy that injects code to cache sketchy objects on top of the cache of any page visited. The cache expiration is set to something ridiculously high, so it's not removed without clearing the cache.

      So for example injecting an ad that wasn't there before into youtube, slashdot, etc. Every time the user loads the page they load your ad, and get you an impression.

      So yes this is strictly limited to browsers, and even within the browser is quite limited.

      I asked if you meant Java, because there have been attacks in Java that can escape the browser sandbox and modify system files. Potentially java could be used to infect a server via a means besides a browser.

      Flash is not on servers, no one checks email on servers, and no one views word/excel documents on a server. Word/excel files may be "viewed" on a server, but that would be for processing. In which case they would be accessed using something like the mono interop API (C#) or Apache tika/POI. So embedded bytecode wouldn't be executed.

      I suppose these things could happen on a Windows server, but if your admin is browsing and checking his email on a server... ffs

  12. Inflation by Tablizer · · Score: 1

    a fairly low amount compared to other ransomware.

    It's Dr. Evil, from the 1960's.

  13. Insert free advert for Dr.Web Anti-virus .. by nickweller · · Score: 1

    "Once launched with administrator privileges, the Trojan loads into the memory of its process files containing cybercriminals' demands"

  14. backup by fluffernutter · · Score: 3, Insightful

    1. There is no reason to have anything rinning as root
    2. There is no reason to run any non-os command as root
    3. it takes 45 mins at most to reimage a server and redeploy from backup

    The people who get this are asking for it. It's like the internet startup Darwin awards.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    1. Re:backup by TeknoHog · · Score: 4, Funny

      1. There is no reason to have anything rinning as root

      I'm afraid you just misspelled "rimming".

      --
      Escher was the first MC and Giger invented the HR department.
    2. Re: backup by Redmancometh · · Score: 1

      All of those services you configure, run as root, then they are running as services. It's not like you start sshd or cron up every day. Hell, starting things up often is cron's purpose.

      Also ping can be replaced with a script... TCP doesn't need root.

    3. Re:backup by jddj · · Score: 1

      "1. There is no reason to have anything r[u]nning as root"

      Is that supposed to include the OS processes and services? 'cuz there's a ton of them on a server I work with.

      I can see how I'd (begin to) secure anything I'd installed from running on root - and probably differently for each app/service. But what am I to do about the OS itself?

      Or perhaps point 1 was stated with less precision than I'd imagine. (not being sarcastic - really wanna know).
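      fluffernutter's first two points and jddj's follow-up question (which OS services really need to run as root?) can be answered per host by looking at what is listening on the network and under which UID. The following is an added example, not any poster's code and not Dr.Web's: it parses the kernel's /proc/net/tcp and /proc/net/tcp6 tables, which record the owning UID and socket inode of every TCP socket, and reports listening ports whose socket belongs to UID 0. Where permissions allow, it resolves the socket inode to a process by scanning /proc/<pid>/fd, which is best-effort. The sample table is constructed to match the kernel's column layout; the function names are this example's own.

```python
import os
from typing import List, NamedTuple, Optional

LISTEN = 0x0A   # TCP state value for LISTEN in the /proc/net/tcp "st" column


class Listener(NamedTuple):
    port: int
    uid: int
    inode: int


def parse_listeners(table: str) -> List[Listener]:
    """Parse the text of /proc/net/tcp or /proc/net/tcp6 and return LISTEN sockets.

    Data columns (0-based): 1 local_address "hexaddr:hexport", 3 st (hex state),
    7 uid (decimal), 9 inode (decimal). The first line is the header.
    """
    found = []
    for line in table.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 10 or int(cols[3], 16) != LISTEN:
            continue
        port = int(cols[1].rsplit(":", 1)[1], 16)
        found.append(Listener(port=port, uid=int(cols[7]), inode=int(cols[9])))
    return found


def root_listeners(table: str) -> List[Listener]:
    """Listening sockets owned by UID 0: each is a root process exposed to the network."""
    return [lis for lis in parse_listeners(table) if lis.uid == 0]


def inode_to_process(inode: int) -> Optional[str]:
    """Best-effort: find the process holding socket `inode` by scanning /proc/<pid>/fd.

    Returns "pid/comm" or None. Reading other users' fd tables needs root (or
    CAP_SYS_PTRACE), so an unprivileged run may return None for some sockets.
    """
    target = f"socket:[{inode}]"
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        fd_dir = f"/proc/{pid}/fd"
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    with open(f"/proc/{pid}/comm") as f:
                        return f"{pid}/{f.read().strip()}"
        except OSError:
            continue   # process exited or fd table not readable
    return None


# Constructed sample shaped like a real /proc/net/tcp: a root-owned listener on
# port 22 (0x0016), a uid-105 listener on 3306 (0x0CEA), and an established
# connection (st 01) on port 80 owned by uid 33, which is not a listener.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   105        0 23456 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0050 0100007F:C3A2 01 00000000:00000000 00:00000000 00000000    33        0 34567 1 0000000000000000 20 4 30 10 -1
"""


def audit_host() -> List[str]:
    """Read the live tables and format one line per root-owned listener."""
    lines = []
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as f:
                table = f.read()
        except OSError:
            continue   # not Linux, or /proc not mounted
        for lis in root_listeners(table):
            proc = inode_to_process(lis.inode) or "unknown process"
            lines.append(f"port {lis.port} listening as uid 0 ({proc})")
    return lines


if __name__ == "__main__":
    print("\n".join(audit_host()) or "no root-owned listeners")
```

      On the constructed sample only port 22 is reported; the MySQL-style listener on 3306 runs as an unprivileged UID and the established port-80 connection is not a listener at all. On a real host the remaining root-owned listeners are the list to justify one by one: sshd needs root to start but drops privileges per session, while an application or database listening as UID 0 is exactly the situation the thread is arguing against.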

  15. Dummies. by Anonymous Coward · · Score: 3, Interesting

    e.g. from this article...
    http://www.securityweek.com/file-encrypting-ransomware-targets-linux-users

    It’s unclear at this point how the malware is distributed and installed on victims’ computers

    e.g. from this article...
    http://securityaffairs.co/wordpress/41787/cyber-crime/linux-ransomware.html

    Linux ransomware already infected at least tens of users

    So nobody knows how this mysterious trojan gets run as root on web servers. No mention of what distro is affected, if this story is legit. Realize there are actual proprietary OS companies who pay to shill. The fact that Linux is better and open source and free makes Windows and Apple look stupid. So does it make sense they want to discredit Linux? FUD about web servers?

    Wait for an actual legit demonstration of how this "ransomware trojan" infects a web server. I mean other than some tweak got paid a few bucks to write a script and give it to his gamer buddies in Russia to run as root @ localhost.

    Read even this.
    https://en.wikipedia.org/wiki/Linux_malware

    Worms and targeted attacks

    The classical threat to Unix-like systems is vulnerabilities in network daemons, such as SSH and web servers. These can be used by worms or for attacks against specific targets. As servers are patched quite quickly when a vulnerability is found, there have been only a few widespread worms of this kind. As specific targets can be attacked through a vulnerability that is not publicly known there is no guarantee that a certain installation is secure. Also servers without such vulnerabilities can be successfully attacked through weak passwords.

    Threats

    The following is a partial list of known Linux malware. However, few if any are in the wild, and most have been rendered obsolete by Linux updates or were never a threat. Known malware is not the only or even the most important threat: new malware or attacks directed to specific sites can use vulnerabilities previously unknown to the community or unused by malware.

    So don't believe the hype. If this story is legit at all, it will be scrutinized 100% and all possible methods of injection will be considered by one hell of a lot of smart people. The code is open source.

  16. Re:Ho-Bloody-Hum by LVSlushdat · · Score: 1

    Not to mention any SERIOUS webhost is NOT going to be running Gnome/KDE/whatever, so the usual "infection vector", namely the browser (FF/Chrome) is not present and therefore is not going to be able to do its dirty work.. Frankly, I can't really imagine *how* this malware would get onto a properly setup Linux-based webhost.. Perhaps I'm missing something, after all I've only been using Linux professionally since 1994 or so...

    --
    THANK YOU, Edward Snowden!! Americans owe you a debt of gratitude (whether they know it or not..)
  17. Looks like an advertisement by ebvwfbw · · Score: 1

    For Dr. Web anti virus crap.

    Once again, if you bypass all the security as only a complete idiot would do, Unix is vulnerable.

  18. Re:Shit. by greenfruitsalad · · Score: 2

    until we type "snapper rollback ..." or "zfs rollback ...". then we can continue eating donuts and browsing slashdot.

  19. Re:Ho-Bloody-Hum by tlhIngan · · Score: 1

    Not to mention any SERIOUS webhost is NOT going to be running Gnome/KDE/whatever, so the usual "infection vector", namely the browser (FF/Chrome) is not present and therefore is not going to be able to do its dirty work.. Frankly, I can't really imagine *how* this malware would get onto a properly setup Linux-based webhost.. Perhaps I'm missing something, after all I've only been using Linux professionally since 1994 or so...

    Easy - piracy.

    You have to remember a properly secured webhost would mean the instances are separated from each other, but an infected instance can wreak damage on the instance it's on. (And more malware these days is user-space based - sure it's harder to hide, but sometimes... why bother?).

    And what are people pirating? Well, think of things like "premium" themes for stuff like WordPress and other things people buy crap for.

    And this doesn't exclude the piracy of stuff like monitoring tools and other such things because the company refuses to pay for it.