Slashdot Mirror


Ransomware Found Targeting Linux Servers, MySQL, Git, Other Development Files (drweb.com)

An anonymous reader writes: A new piece of ransomware has been discovered that targets Linux servers, looking to encrypt only files that are related to Web hosting, Web servers, MySQL, Subversion, Git, and other technologies used in Web development and HTTP servers. Weirdly, despite targeting business environments, the ransomware only asks for 1 Bitcoin, a fairly low amount compared to other ransomware.

13 of 93 comments

  1. Root by Anonymous Coward · · Score: 5, Informative

    "Once launched with administrator privileges..."

    Well, there's your problem.

  2. A low price is not a bad thing. by sims+2 · · Score: 4, Interesting

    However 1 bitcoin is roughly $400. While still less than 10 bitcoins, it's not nothing either.

    --
    Minimum threshold fixed. Thanks!
    1. Re:A low price is not a bad thing. by sound+vision · · Score: 2

      They could be betting that, at a lower price, more people will be willing to cough it up for the data. The first thing to consider is that real professionals won't be affected by this type of thing - they store separate backups on another server (or offline entirely) and so would just restore the data from the backup.

      Having worked for a web hosting company for a couple of years, I envision this being the scenario the ransomware makes the most money from:
      (1). Ransomware encrypts (say) the web site of a small business owner or independent realtor.
      (2). Realtor doesn't notice the site is down for a week or two, by which time the free backup from their cheapo hosting plan has been overwritten with an infected copy.
      (3). Having no backup, realtor is faced with a decision to either pay $800 to have the site recreated by a web dev, or $300 in BTC to pay the ransom.
      If they wanted 10 BTC, it would be more cost-effective to just build the site again, netting the ransomers nothing.
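The failure mode in step (2) above, a single rolling backup that gets overwritten by the encrypted copy, is avoided by keeping several dated generations and pruning only the oldest. The script below is an added example written for this thread, not code from the article or from any commenter; the function names, the `site-<date>-<n>.tar.gz` naming scheme and the SHA-256 sidecar files are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the article or any comment): generational backups
# of a web root so that one bad copy, such as a tree that has already been
# encrypted, cannot silently overwrite the only good copy. Function and path
# names here are this example's own assumptions.

# backup_snapshot SRC DEST
#   Archives directory SRC into DEST as a new dated, numbered tar.gz and
#   writes a SHA-256 sidecar next to it. Prints the archive path.
backup_snapshot() {
    src="$1"; dest="$2"
    mkdir -p "$dest"
    # Monotonic counter so two snapshots taken in the same second never collide.
    n=$(cat "$dest/.seq" 2>/dev/null || echo 0)
    n=$((n + 1))
    echo "$n" > "$dest/.seq"
    archive="$dest/site-$(date +%Y%m%d-%H%M%S)-$(printf '%06d' "$n").tar.gz"
    # Archive relative to SRC's parent so a restore recreates the same directory name.
    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")"
    ( cd "$dest" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
    echo "$archive"
}

# list_backups DEST
#   Prints archives oldest first (the names sort chronologically).
list_backups() {
    ls -1 "$1"/site-*.tar.gz 2>/dev/null | sort
}

# prune_backups DEST KEEP
#   Deletes the oldest archives until only KEEP remain. A retention of KEEP
#   daily snapshots buys KEEP days to notice an encrypted site before the
#   last clean copy rotates out.
prune_backups() {
    dest="$1"; keep="$2"
    total=$(list_backups "$dest" | wc -l | tr -d ' ')
    excess=$((total - keep))
    [ "$excess" -gt 0 ] || return 0
    list_backups "$dest" | head -n "$excess" | while read -r old; do
        rm -f "$old" "$old.sha256"
    done
}

# verify_backup ARCHIVE
#   Succeeds only if the sidecar checksum matches and the archive is readable,
#   so a corrupted or tampered archive is caught before anyone relies on it.
verify_backup() {
    archive="$1"
    ( cd "$(dirname "$archive")" && sha256sum -c --status "$(basename "$archive").sha256" ) \
        && tar -tzf "$archive" > /dev/null
}

# restore_backup ARCHIVE TARGET_DIR
#   Verifies the archive, then unpacks it under TARGET_DIR.
restore_backup() {
    verify_backup "$1" || return 1
    mkdir -p "$2"
    tar -xzf "$1" -C "$2"
}
```

Run `backup_snapshot /var/www/site /backups` from cron and `prune_backups /backups 14` afterwards; the point is that the retention window, not the existence of "a backup", decides whether the realtor in the scenario above still has a clean copy two weeks later. Storing `/backups` on a separate host or offline keeps the same process from encrypting the archives too.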

  3. Re:Tape backups by Anonymous Coward · · Score: 4, Informative

    Unlike desktops big iron use tape and raid backups

    Raid is not a backup.

  4. The attackers are hoping for volume by CajunArson · · Score: 5, Insightful

    The relatively low price is designed to make it too much of a hassle for the victims to contact the police, lawyers, etc. etc. in an effort to track down and stop the perpetrators.

    They are probably hoping for higher volumes of payment from a lot of people instead of trying to go all Hollywood and ask for some insane amount of money that would make bringing in the cops worthwhile.

    --
    AntiFA: An abbreviation for Anti First Amendment.
  5. A nice low number by mhkohne · · Score: 4, Interesting

    That low ransom makes it REALLY easy for the business to justify just paying them off, instead of spending the time to deal with the problem in a different way. It's even small enough that a lower level manager who doesn't want to get fired for having screwed up and let this happen might pay it himself to keep from looking bad, which means that no one else in the organization might be informed.

    If the malware can get enough traction, it could still bring in the big bucks over time.

    --
    A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.
  6. Re:Git's not backup. by Anonymous Coward · · Score: 5, Interesting

    Given git's model, every developer has a full copy of the entire history. Sounds like a great backup to me.

  7. What's The Vector, Victor? by Anonymous Coward · · Score: 3, Interesting

    How does this malware spread? How does it get on the servers? How does it get executed?

    If it relies on some idiot to run it as root, I just can't see it as a real threat. If it's coming in via a distro's updates, well that would be... exciting.

    1. Re:What's The Vector, Victor? by See+Attached · · Score: 3, Insightful

      Is this a sales play from DrWeb? I can make a KSH called /tmp/ls that does the same thing....

      --
      Time for a new Political party in the US (or two!) One is off the rails. Other can't pony up a leader.
  8. backup by fluffernutter · · Score: 3, Insightful

    1. There is no reason to have anything rinning as root
    2. There is no reason to run any non-os command as root
    3. it takes 45 mins at most to reimage a server and redeploy from backup

    The people who get this are asking for it. It's like the internet startup Darwin Awards.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    1. Re:backup by TeknoHog · · Score: 4, Funny

      1. There is no reason to have anything rinning as root

      I'm afraid you just misspelled "rimming".

      --
      Escher was the first MC and Giger invented the HR department.
  9. Dummies. by Anonymous Coward · · Score: 3, Interesting

    eg. from this article...
    http://www.securityweek.com/file-encrypting-ransomware-targets-linux-users

    It’s unclear at this point how the malware is distributed and installed on victims’ computers

    eg. from this article...
    http://securityaffairs.co/wordpress/41787/cyber-crime/linux-ransomware.html

    Linux ransomware already infected at least tens of users

    So nobody knows how this mysterious trojan gets run as root on web servers. No mention of what distro is affected, if this story is legit. Realize there are actual proprietary OS companies who pay to shill. The fact that Linux is better and open source and free makes Windows and Apple look stupid. So does it make sense they want to discredit Linux? FUD about web servers?

    Wait for an actual legit demonstration of how this "ransomware trojan" infects a web server. I mean other than some tweak got paid a few bucks to write a script and give it to his gamer buddies in Russia to run as root @ localhost.

    Read even this.
    https://en.wikipedia.org/wiki/Linux_malware

    Worms and targeted attacks

    The classical threat to Unix-like systems is vulnerabilities in network daemons, such as SSH and web servers. These can be used by worms or for attacks against specific targets. As servers are patched quite quickly when a vulnerability is found, there have been only a few widespread worms of this kind. As specific targets can be attacked through a vulnerability that is not publicly known there is no guarantee that a certain installation is secure. Also servers without such vulnerabilities can be successfully attacked through weak passwords.

    Threats

    The following is a partial list of known Linux malware. However, few if any are in the wild, and most have been rendered obsolete by Linux updates or were never a threat. Known malware is not the only or even the most important threat: new malware or attacks directed to specific sites can use vulnerabilities previously unknown to the community or unused by malware.

    So don't believe the hype. If this story is legit at all, it will be scrutinized 100% and all possible methods of injection will be considered by one hell of a lot of smart people. The code is open source.

  10. Re:Shit. by greenfruitsalad · · Score: 2

    until we type "snapper rollback ..." or "zfs rollback ...". then we can continue eating donuts and browsing slashdot.