Ransomware Found Targeting Linux Servers, MySQL, Git, Other Development Files (drweb.com) 93
An anonymous reader writes: A new piece of ransomware has been discovered that targets Linux servers, looking to encrypt only files that are related to Web hosting, Web servers, MySQL, Subversion, Git, and other technologies used in Web development and HTTP servers. Weirdly, despite targeting business environments, the ransomware only asks for 1 Bitcoin, a fairly low amount compared to other ransomware.
Re: (Score:3)
Until we type "snapper rollback ..." or "zfs rollback ...". Then we can continue eating donuts and browsing Slashdot.
Root (Score:5, Informative)
"Once launched with administrator privileges..."
Well, there's your problem.
Re: (Score:1)
"Once launched with administrator privileges..."
Well, there's your problem.
This rarely happens, as it seems. I hope, at least.
However, once someone figures out that common PHP applications, which are currently mostly exploited for sending spam and distributing malware, can be abused in this crypto-ransom fashion, some "interesting" times will follow. Especially vulnerable deployments are those where the very same user that owns the executable files is also used for running that application (I am looking at your defaults, cPanel), or, to a lesser extent, applications that permit executab
Tape backups (Score:2, Interesting)
Unlike desktops, big iron uses tape and RAID backups.
Re:Tape backups (Score:4, Informative)
Unlike desktops, big iron uses tape and RAID backups.
RAID is not a backup.
Re: (Score:1)
Oh shut the fuck up. RAID is not a backup. Tape is. A second drive stored offsite is. Guess what happens if ransomware encrypts your data on the RAID? It gets written, encrypted, to both of your goddamned RAID disks. Then you restore off of an actual backup and move on. But RAID sure as shit isn't.
Re: (Score:2)
Let us not forget big iron also uses snapshots, thus making this encrypting thingy almost a non-problem.
Re: (Score:1)
RAID would simply increase the speed of encryption.
Re: Tape backups (Score:2)
I would imagine that he meant that larger companies use virtual tape libraries (comprised of hard drives) or use backup systems which write to an array of hard drives instead of tape. These are great for fast backups and restoration of data. Pushing offsite via replication provides the offsite backups.
Re: (Score:1)
They are not a "backup" unless there is something stopping them from being overwritten when the main system gets fucked up. It is difficult to fuck up a tape that has been removed from a system when the shit hits. As a hosting provider near me found out on their last day of operation, an offsite mirror doesn't help when the shit hits if it just mirrors the shit and there is no offline copy of the data to restore from.
Snapshots help but there are situations where they won't be available.
Also tape is still cheap
Re: (Score:2)
They are not a "backup" unless there is something stopping them from being overwritten when the main system gets fucked up. It is difficult to fuck up a tape that has been removed from a system when the shit hits. As a hosting provider near me found out on their last day of operation, an offsite mirror doesn't help when the shit hits if it just mirrors the shit and there is no offline copy of the data to restore from.
Snapshots help but there are situations where they won't be available.
Also, tape is still cheap at scale. Once you have the drive, the media is less than $100 for 3TB (real size, not compressed), so after a point it becomes cheaper to have a real backup on tape than buying drives that are likely to be online 100% of the time and fall victim to whatever they are supposed to be saving you from.
Under what circumstances will snapshots not be available? We make snapshots every 4 hours and keep them for 3 days. Daily snaps are kept for 10 days, weekly snaps are kept for 6 weeks, and monthly snapshots are kept for 6 months. This is all done at the NAS level; application servers don't have access to the snapshots, so they can't modify or delete them. The primary NAS is replicated (including snapshots) to a secondary NAS (in a different building nearby), and that NAS makes weekly tape dumps that are shipped
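The tiered retention scheme in the post above (4-hourly for 3 days, daily for 10 days, weekly for 6 weeks, monthly for 6 months), worked through as an added example that is not code from the poster or any NAS vendor. It assumes each tier's window is an elapsed-time limit measured from "now", that a day/week/month is represented by its oldest snapshot, and that 6 months is approximated as 183 days; the 4-hourly series is constructed sample input.

```python
"""Tiered snapshot retention pruner (added example, not the poster's code).

Policy modelled: keep every snapshot for 3 days, one per day for 10 days,
one per ISO week for 6 weeks, one per month for 6 months. Runs where the
snapshots live (the NAS), not on the application servers, so a compromised
app server cannot influence what gets deleted."""
from datetime import datetime, timedelta

# Assumed interpretation: each window is an elapsed-time limit from `now`;
# "6 months" is approximated as 183 days. bucket=None means keep all.
TIERS = [
    ("4-hourly", None, timedelta(days=3)),
    ("daily", lambda t: t.date(), timedelta(days=10)),
    ("weekly", lambda t: t.isocalendar()[:2], timedelta(days=42)),
    ("monthly", lambda t: (t.year, t.month), timedelta(days=183)),
]

def snapshots_to_keep(snapshots, now):
    """Return the set of snapshot datetimes the policy retains.

    For each calendar tier, the oldest snapshot in a bucket (day, ISO week,
    month) represents that bucket and survives while its age is within the
    tier's window. A snapshot is kept if any tier keeps it."""
    keep = set()
    for _name, bucket_of, window in TIERS:
        if bucket_of is None:
            keep.update(s for s in snapshots if now - s <= window)
            continue
        oldest = {}
        for s in snapshots:
            b = bucket_of(s)
            if b not in oldest or s < oldest[b]:
                oldest[b] = s
        keep.update(s for s in oldest.values() if now - s <= window)
    return keep

def prune_plan(snapshots, now):
    """Split snapshots into (keep, delete) lists, oldest first, for review."""
    keep = snapshots_to_keep(snapshots, now)
    return sorted(keep), sorted(s for s in snapshots if s not in keep)

def every_four_hours(now, days):
    """Constructed sample input: a 4-hourly series reaching `days` days back."""
    return [now - timedelta(hours=4 * k) for k in range(days * 6 + 1)]

NOW = datetime(2015, 11, 10, 12, 0)          # constructed reference time
SAMPLE = every_four_hours(NOW, 210)          # 1261 constructed snapshots

if __name__ == "__main__":
    kept, dropped = prune_plan(SAMPLE, NOW)
    print(f"keep {len(kept)} of {len(SAMPLE)}, oldest kept {kept[0]}")
```

With the constructed series the plan keeps 35 of 1261 snapshots: 19 from the last three days, seven more midnight dailies, four Monday weeklies and five first-of-month monthlies, the oldest being 1 June.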
Re: (Score:2)
Backups suck! Tape sucks. RAID has "backed up data" but is not, in itself, a backup.
The ONLY real and reliable backup is deduplicated off-site replication, à la something like "Actifio."
soon to be one per day (Score:2)
Gathering data (Score:1)
Sounds like they're trying to figure out how far their ransomware can get into various networks and environments. See who they hit and do a more invasive hack/extortion later for big money.
A low price is not a bad thing. (Score:5, Interesting)
However, 1 bitcoin is roughly $400. While still less than 10 bitcoins, it's not nothing either.
Re: (Score:3)
Having worked for a web hosting company for a couple of years, I envision this being the scenario the ransomware makes the most money from:
(1). Ransomware encrypts (say) the web site of a sma
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
... The first thing to consider is that real professionals won't be affected by this type of thing - they ensure their filesystem is properly permissioned (as per reams of security best practices) to prevent this attack.
FTFY
The rest of your post is irrelevant given this, because the site would not go down due to the incompetence of the SA.
Re: (Score:2)
Rudyard Kipling has something to say on the subject of paying Dane-geld. Basically, if you pay the Dane-geld, you'll never be rid of the Dane.
Re: (Score:2)
Rudyard Kipling has something to say on the subject of paying Dane-geld. Basically, if you pay the Dane-geld, you'll never be rid of the Dane.
As a Dane, I find this incredibly racist.
We're a very polite people who would never outstay their welcome.
Re: (Score:2)
Well, your signature is appropriate.
The attackers are hoping for volume (Score:5, Insightful)
The relatively low price is designed to make it too much of a hassle for the victims to contact the police, lawyers, etc. etc. in an effort to track down and stop the perpetrators.
They are probably hoping for higher volumes of payment from a lot of people instead of trying to go all Hollywood and ask for some insane amount of money that would make bringing in the cops worthwhile.
A nice low number (Score:5, Interesting)
That low ransom makes it REALLY easy for the business to justify just paying them off, instead of spending the time to deal with the problem in a different way. It's even small enough that a lower level manager who doesn't want to get fired for having screwed up and let this happen might pay it himself to keep from looking bad, which means that no one else in the organization might be informed.
If the malware can get enough traction, it could still bring in the big bucks over time.
We're at war... and we're losing (Score:2)
Consider yourself in a cyber-war... any line of program you run on your computer can be turned against you... why do you trust any of it with your full authority?
Because you don't have a choice, your OS doesn't give you one. Read up on the principle of least privilege, and the ambient authority model we currently use.
Re: (Score:2)
You do have a choice though. You can use BSD.
Re: (Score:2)
This particular malware is a C program that must be run as root to do its damage. I'm sure porting it to BSD and running it as root would be just as bad there as on Linux.
Git's not backup. (Score:2)
This story is another reminder that Git is not a backup. (As the older saying went, "RAID is not backup"). Mirroring is not a backup either, for similar reasons.
Re:Git's not backup. (Score:5, Interesting)
Given git's model, every developer has a full copy of the entire history. Sounds like a great backup to me.
Re: (Score:1)
So what? So I then pull [*] your rewritten history, and what do I get? A merge. I look at this merge, decide it is a load of bollocks, and blow it away.
Git is a very fine backup.
[*] except of course I don't pull. I fetch, every time.
Re: (Score:2)
As a backup system, git works better than dropbox.
yes lol, absolutely
Why a single bitcoin? To hide among the flock. (Score:2)
A single bitcoin is likely to be a very common kind of transaction.
Remember the Ashley Madison blackmailers who were asking for very specific amounts, which allowed multiple transactions to multiple bitcoin addresses to be grouped together by those investigating?
It would be much harder to associate all those wallets if they were for an amount that's commonly used.
Re: (Score:2)
Business environment is also kind of why the price is so low. Most of the time they are ransoming a little downtime while restoring a backup, not priceless data.
What's The Vector, Victor? (Score:3, Interesting)
How does this malware spread? How does it get on the servers? How does it get executed?
If it relies on some idiot to run it as root, I just can't see it as a real threat. If it's coming in via a distro's updates, well, that would be... exciting.
Re:What's The Vector, Victor? (Score:4, Insightful)
Re: (Score:2)
Re: (Score:2)
Re: What's The Vector, Victor? (Score:2)
None of these are things you can even do on a *nix server. Also... JS? You mean Java?
Cache poisoning itself doesn't infect you.
Re: (Score:2)
Re: (Score:2)
Javascript doesn't attack a browser in the classical sense. The way you cause damage with JS is poisoning the browser's cache. So you add something sketchy to the cached version of a given webpage.
The classical route of this attack is a proxy that injects code to cache sketchy objects on top of the cache of any page visited. The cache expiration is set to something ridiculously high, so it's not removed without clearing the cache.
So for example injecting an ad that wasn't there before into youtube, slashdot
Re: (Score:2)
Inflation (Score:1)
It's Dr. Evil, from the 1960s.
Insert free advert for Dr.Web Anti-virus .. (Score:2)
backup (Score:4, Insightful)
2. There is no reason to run any non-OS command as root.
3. It takes 45 mins at most to reimage a server and redeploy from backup.
The people who get this are asking for it. It's like the internet startup Darwin Awards.
Re:backup (Score:5, Funny)
1. There is no reason to have anything rinning as root
I'm afraid you just misspelled "rimming".
Re: backup (Score:2)
All of those services you configure run as root, and then they are running as services. It's not like you start sshd or cron up every day. Hell, starting things up often is cron's purpose.
Also, ping can be replaced with a script... TCP doesn't need root.
Re: (Score:2)
"1. There is no reason to have anything r[u]nning as root"
Is that supposed to include the OS processes and services? 'cuz there's a ton of them on a server I work with.
I can see how I'd (begin to) secure anything I'd installed from running on root - and probably differently for each app/service. But what am I to do about the OS itself?
Or perhaps point 1 was stated with less precision than I'd imagine. (not being sarcastic - really wanna know).
Re: (Score:2)
Not to mention any SERIOUS webhost is NOT going to be running Gnome/KDE/whatever, so the usual "infection vector", namely the browser (FF/Chrome), is not present and therefore is not going to be able to do its dirty work. Frankly, I can't really imagine *how* this malware would get onto a properly set up Linux-based webhost. Perhaps I'm missing something; after all, I've only been using Linux professionally since 1994 or so...
Re: (Score:2)
Easy - piracy.
You have to remember a properly secured webhost would mean the instan
Dummies. (Score:3, Interesting)
eg. from this article...
http://www.securityweek.com/file-encrypting-ransomware-targets-linux-users
It’s unclear at this point how the malware is distributed and installed on victims’ computers
eg. from this article...
http://securityaffairs.co/wordpress/41787/cyber-crime/linux-ransomware.html
Linux ransomware already infected at least tens of users
So nobody knows how this mysterious trojan gets run as root on web servers. No mention of what distro is affected, if this story is legit. Realize there are actual proprietary OS companies who pay to shill. The fact that Linux is better and open source and free makes Windows and Apple look stupid. So does it make sense they want to discredit Linux? FUD about web servers?
Wait for an actual legit demonstration of how this "ransomware trojan" infects a web server. I mean other than some tweak got paid a few bucks to write a script and give it to his gamer buddies in Russia to run as root @ localhost.
Read even this.
https://en.wikipedia.org/wiki/Linux_malware
Worms and targeted attacks
The classical threat to Unix-like systems is vulnerabilities in network daemons, such as SSH and web servers. These can be used by worms or for attacks against specific targets. As servers are patched quite quickly when a vulnerability is found, there have been only a few widespread worms of this kind. As specific targets can be attacked through a vulnerability that is not publicly known there is no guarantee that a certain installation is secure. Also servers without such vulnerabilities can be successfully attacked through weak passwords.
Threats
The following is a partial list of known Linux malware. However, few if any are in the wild, and most have been rendered obsolete by Linux updates or were never a threat. Known malware is not the only or even the most important threat: new malware or attacks directed to specific sites can use vulnerabilities previously unknown to the community or unused by malware.
So don't believe the hype. If this story is legit at all, it will be scrutinized 100% and all possible methods of injection will be considered by one hell of a lot of smart people. The code is open source.
Looks like an advertisement (Score:1)
For Dr. Web anti virus crap.
Once again, if you bypass all the security as only a complete idiot would do, Unix is vulnerable.