For quite some time it’s been believed that ransomware seldom affects machines running Linux, or FreeBSD for that matter. Unfortunately, the KillDisk ransomware has now attacked a handful of Linux-powered machines, and it seems that even distributions that hash out (lock) the root account, such as Ubuntu and its various official spins, could be vulnerable. Some computer scientists have expressed the opinion that many security threats affecting Ubuntu compromised some aspect of the Unity desktop interface, but this threat can harm even those using KDE, Xfce4, Openbox or the completely console-based Ubuntu Server.
Naturally, the usual common-sense rules apply to fighting this type of threat. Don’t open suspicious links in a browser, and make sure to perform a malware scan on files downloaded from the Internet as well as on email attachments. This is especially true for any executable code you’ve downloaded, though programs that come from the official repositories carry a digital signature that reduces this risk. Always use a text editor to read the content of any script before you run it. On top of these things, there are a few specific steps you can take to protect your system from the form of KillDisk that attacks Ubuntu.
Method 1: Hash Out the root Account
Ubuntu’s developers made a conscious decision to hash out the root account, and while this hasn’t proven totally capable of stopping this type of attack, it’s one of the primary reasons it’s been slow to harm systems. It’s possible to restore access to the root account, which is common for those who are using their machines as servers, but this does have serious consequences when it comes to security.
Some users might have issued sudo passwd and then given the root account a password they could actually use to log in from both graphical and virtual consoles. To immediately disable this, run sudo passwd -l root to lock the root login and put Ubuntu, or the spin you use, back to its original state. When you’re asked for a password, enter your own user password, not the one you gave to the root account, assuming you’re working from a user login.
Naturally, the best method is never to have used sudo passwd in the first place. A safer way to handle the issue is to use sudo bash to get a root shell. You will be asked for your password, which again is your user password and not a root password, assuming you only have one user account on your Ubuntu machine. Keep in mind that you can also get a root prompt for other shells by using sudo followed by the name of that shell. For instance, sudo tclsh creates a root shell based on a simple Tcl interpreter.
Make sure to type exit to get out of a shell once you’re done with your administration tasks, because a root user shell can delete any file on the system regardless of ownership. If you’re using a shell like tclsh and your prompt is simply a % sign, then try whoami as a command at the prompt. It should tell you exactly who you’re logged in as.
You could always use sudo rbash as well to access a restricted shell that doesn’t have as many features, and therefore provides less of a chance to cause damage. Keep in mind that these work equally well from a graphical terminal you open in your desktop environment, a full-screen graphical terminal environment or one of the six virtual consoles that Linux makes available to you. The system can’t distinguish between these different options, which means you’ll be able to make these changes from standard Ubuntu, any of the spins like Lubuntu or Kubuntu or an installation of Ubuntu Server without any graphical desktop packages.
Method 2: Check if the root Account has an Unusable Password
Run sudo passwd -S root at any time to check whether the root account has an unusable password. If it does, the output will begin with root L, followed by some information about the date the root password was locked. This date generally corresponds to when you installed Ubuntu and can be safely ignored. If it instead reads root P, then the root account has a valid password, and you need to lock it out with the steps in Method 1.
If the output of this command reads root NP, then it is even more important that you run sudo passwd -l root to fix the issue, since this indicates that there is no root password at all, and anyone, including a script, could get a root shell from a virtual console.
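The following is an added example, not part of the original article: a small POSIX shell script that classifies a passwd -S line the way Method 2 describes (L, P or NP in the second field) and reports whether the account needs locking as in Method 1. The sample lines are constructed; on a real host the live line comes from sudo passwd -S root.

```shell
#!/bin/sh
# Added example (not from the original article). The second field of
# `passwd -S <user>` is the password status:
#   L  = locked/unusable password, P = usable password set, NP = no password.

classify_passwd_status() {
    # $1 is one line of `passwd -S` output, e.g. "root L 2017-01-04 0 99999 7 -1"
    set -- $1
    case "$2" in
        L)  echo "locked" ;;
        P)  echo "password-set" ;;
        NP) echo "no-password" ;;
        *)  echo "unknown" ;;
    esac
}

# Returns 0 (true) when the status means the account should be locked
# with `passwd -l <user>`, 1 otherwise.
needs_lock() {
    status=$(classify_passwd_status "$1")
    [ "$status" = "password-set" ] || [ "$status" = "no-password" ]
}

# Constructed sample lines covering the three cases from Method 2.
SAMPLE_LOCKED='root L 2017-01-04 0 99999 7 -1'
SAMPLE_SET='root P 2017-02-10 0 99999 7 -1'
SAMPLE_NONE='root NP 2017-02-10 0 99999 7 -1'

for line in "$SAMPLE_LOCKED" "$SAMPLE_SET" "$SAMPLE_NONE"; do
    printf '%-40s -> %s\n' "$line" "$(classify_passwd_status "$line")"
done

# When run as root on a real host, check the live root account too.
if [ "$(id -u)" -eq 0 ] && command -v passwd >/dev/null 2>&1; then
    live=$(passwd -S root 2>/dev/null)
    if [ -n "$live" ] && needs_lock "$live"; then
        echo "root password is usable or absent: run 'passwd -l root'"
    fi
fi
```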
Method 3: Identifying a Compromised System from GRUB
This is the scary part, and the reason that you always need to make backups of your most important files. When you load the GNU GRUB menu, generally by pushing Esc when booting your system, you should see several different boot options. However, if you see a message spelled out where they would be, then you may be looking at a compromised machine.
Test machines compromised with the KillDisk program read something like:
*We are so sorry, but the encryption
of your data has been successfully completed,
so you can lose your data or
The message will go on to instruct you to send money to a specific address. You should reformat this machine and reinstall Linux on it. Do not reply to any of KillDisk’s threats. Not only does this help the individuals running these kinds of schemes, but the Linux version of the program actually doesn’t properly store the encryption key because of a bug. This means that there’s no way to recover the data, even if you were to give in. Just make sure to have clean backups and you won’t have to worry about being in a position like this.