Increasing attacks on Linux systems used in infrastructure and virtualization demonstrate an adaptation of cybercriminals’ tactics to changing technological environments, and highlight the need for a cross-platform approach to cybersecurity.
Historically, ransomware threats primarily affected Windows environments. However, with the growing popularity of Linux in business environments, these attacks have diversified, particularly targeting virtualization systems and applications. While the first ransomware samples date back to 1989 and primarily targeted Windows systems, ransomware attacks targeting Linux have increased significantly since 2015, particularly with the proliferation of threats since the 2020 crisis.
As the technology landscape evolves, ransomware on Linux systems is becoming more prevalent. A recent study by Check Point Research (CPR) on ransomware targeting Linux and Windows systems shows a significant evolution in the methods and targets of cyberattacks. CPR’s study analyzed twelve major ransomware families that either directly target Linux systems or have cross-platform capabilities that allow them to infect both Windows and Linux.
A 150% increase in attacks on Linux
In the first half of 2023, the study recorded a 150% increase in attacks on Linux. According to the study, the most widespread ransomware on Linux is one that targets vulnerabilities in the operating system. These vulnerabilities can be exploited by cybercriminals to take control of the system and encrypt data. Ransomware can also be spread through attack vectors such as malicious emails, pirated software downloads, and phishing attacks.
CPR experts have noticed growing interest from attackers in ESXi virtualization systems used in many enterprise environments. The impact of these attacks goes beyond encryption and includes specific commands to interact with ESXi systems. Linux ransomware families mostly rely on OpenSSL and AES for encryption, so their implementations are relatively consistent across different threat actors.
While ransomware attacks are more common on Windows, attacks on Linux can be more devastating because of the nature of the systems targeted. For example, a successful attack on a single Linux server can affect every virtual machine hosted on that server, multiplying the damage.
Linux ransomware is characterized by its simplicity as it focuses primarily on file encryption and relies heavily on external configurations and scripts, making it difficult to detect.
Ransomware on Linux does not value persistence
Unlike attacks on Windows, which often attempt to establish themselves permanently in the system, ransomware on Linux generally does not value persistence. Linux ransomware families primarily target large organizations and exposed servers, while those targeting Windows have a more general scope, including end users. Data exfiltration on Linux is often tied to the original infection vector and relies on legitimate tools to extract information.
The infection vectors also differ between the two systems. While attacks on Windows often use phishing campaigns, attacks on Linux often exploit vulnerabilities in exposed services or servers. The publication of the source code of successful attacks such as Babuk ransomware has led to the creation of new variants by opportunistic groups.
The increasing use of Linux systems as a vector in ransomware attacks reflects a market trend in which attackers are seeking to exploit enterprise and virtualization infrastructures that are increasingly based on the open source operating system. This development demonstrates an adaptation of cybercriminals’ tactics to changing technology environments and highlights the need for organizations to strengthen their security on both Windows and Linux to effectively protect their digital assets from these evolving threats.