Linux ransomware poses significant threat to critical infrastructure

Linux systems run many of the most critical operations behind the scenes, including a good deal of our nation’s critical infrastructure, and now more ransomware groups are introducing Linux versions. If these systems are disrupted by a ransomware attack, it could cause a catastrophic event.

Ransomware attacks on these systems could make the Colonial Pipeline disruption look like a blip, so we should be making all necessary preparations to address this rapidly growing threat. Unfortunately, this makes Linux even more alluring to today’s ransomware gangs — many of which are affiliated with nation-states that have unlimited resources.

Uh, Linux?

Most people aren’t familiar with Linux or don’t fully understand how much it touches their daily life. The Linux operating system runs on less than 3% of desktops, whereas Windows is running on about 80%. Since Linux isn’t as visible in the front office or at home, Linux threats don’t garner as much attention as those impacting Windows.

What most people don’t know is that Linux runs approximately 80% of Web servers and is the most common operating system for constrained, embedded, and IoT devices used in sectors such as energy and manufacturing. Linux also drives most of the US government and military networks, financial and banking systems, and runs the backbone of the Internet.

Furthermore, Linux runs most organizations’ database servers, file servers, and email servers. Linux unifies the IT stack and makes the network more easily managed. So, if an attacker gains access to a Linux environment, it has access to an organization’s most critical systems and data.

Given its lack of visibility and small market share on desktops and laptops, Linux defense tends to be an afterthought. In fact, most endpoint security solutions don’t even cover Linux, so options are few. This makes defending Linux systems a major challenge.

Linux Ransomware

In 2022, ransomware attacks targeting Linux systems increased by 75% from the previous year. Ransomware gangs have been introducing Linux versions at an increasing pace, with attacks now coming from some of the most infamous gangs like Conti, LockBit, RansomEXX, REvil and Hive. Lesser-known and emerging threat actors are also focusing more on Linux, with groups like Black Basta, IceFire, HelloKitty, BlackMatter, and AvosLocker adding Linux capabilities, to name a few.

So, why the sudden focus on Linux servers? Attackers are increasing their attention on Linux servers for a few reasons — namely, disrupting Linux servers holds the potential to inflict a lot of pain, and attackers know that more pain translates to more dollars in their pockets from higher ransom demands.

The “always on, always available” nature of Linux systems paints a huge target for threat actors, and compromising Linux systems provides a strategic beachhead for moving laterally throughout a targeted organization’s network. And Linux is open source, which means attackers have a great deal more insight into how Linux systems are running, and have a head start in customizing attacks.

To read the complete article, visit Dark Reading.