Thanks to Nagy Ferenc László of SophosLabs for the behind-the-scenes effort he put into this article.
There are plenty of command line encryption tools for Linux and Unix computers.
There’s GPG, for example, which can do both symmetric and public-key encryption.
→ Symmetric encryption is where the same key, or password, locks and unlocks a file. Public-key encryption is where you have two keys, one to lock data and the other to unlock it. You can publish the locking key openly – indeed, it’s called the public key – so anyone can send you files securely, but you keep the unlocking key private, so that only you can read them back later on.
Then there’s the OpenSSL toolkit, which you can use in two ways: built in to your own software to give it encryption features, or as a command line tool for all sorts of encryption-related tasks.
And now, reports SophosLabs, there’s Linux/Ransm-C.
If you think that sounds like a very curious and malware-like name for an encryption toolkit, you’d be right.
Ransomware, plain and simple
The Linux/Ransm-C “product” is ransomware, plain and simple, built into a small command line program designed to help out crooks who want to practise a spot of extortion against Linux users.
Indeed, judging by some of the directories that this ransomware tool goes after, it’s not really aiming at Linux desktop users, though the malware, sadly, works just fine on a workstation.
The goal seems to be to go after web and database servers, creating what is effectively a Denial of Service (DoS) attack that holds your data, and even the software installed on the server, hostage.
Even though Sophos Anti-Virus detects this threat as Linux/Ransm-C, we’ve seen precompiled samples targeting five different system platforms:
- 32-bit Linux
- 32-bit System V Unix
- 64-bit FreeBSD
- 64-bit Linux
- 64-bit System V Unix
Unusually for a modern Linux/Unix program, the malware is statically linked, which means it contains absolutely everything it needs to do its dirty work, from the runtime library code that reads and writes files, to the encryption algorithms that it uses to scramble and unscramble your data.
Many, if not most, legitimate encryption tools these days are dynamically linked, meaning that they connect up with software components already on your computer, known as shared libraries on Unix, or DLLs on Windows.
For example, lots of encryption products use OpenSSL, but don’t actually build in their own copy of the OpenSSL software.
→ By sharing a central copy of a shared library amongst numerous products, you not only save disk space (they all share the same files) and memory (only one copy of the shared code needs to be loaded at a time), but also make version control and updating easier. The flipside is that a bug in a shared library typically affects lots of software at the same time, although patching the shared copy also fixes all programs that use it in one go.
Compact and self-contained
By making itself entirely self-contained, Linux/Ransm-C makes itself more dangerous: once a crook gets the malware program file onto your server, he’s not dependent on any other components you have installed, because he’s got all the software pieces he needs in one file.
If the crook only manages to run the malware in a restricted environment, for example where common system utilities are excluded and account privileges are limited (for techies, think of precautions such as chroot and setuid), it will still do as much damage as it can.
Even if the malware only manages to scramble your authentication database, or a few of your HTML web pages, that may be enough to stop you serving customers and doing business online.
To save space, Linux/Ransm-C doesn’t use the popular OpenSSL library, which is a rather large code project, but instead includes mbed TLS, formerly known as PolarSSL, an encryption library that was specifically designed to be small and easy to use. (One popular use is on embedded devices such as routers, where disk and memory space are usually tight.)
How it works
If a crook runs the “tool” like this…
$ ./ransom encrypt publickeyfile
…then it will scramble writable files on your computer, using a public key provided in a separate file for its encryption.
Scrambled files are obvious: they end up with the text string .encrypted at the end of their names.
Additionally, if the crook feeds the malware a file called readme.crypto, you will find a copy of that file under the name README_FOR_DECRYPT.txt in every directory where the malware did any damage.
That file serves as a ransom note, so the crook can use it to tell you how much you’re supposed to pay, and how.
Later on, if you manage to acquire the corresponding private key from the crook, by whatever means he has specified, you can do this…
$ ./ransom decrypt privatekeyfile
…to reverse the effects.
The details of how the crook generates the public-private key pairs, where he stores them, how he sells them, and how much he charges, is up to him.
Linux/Ransm-C just gives him the malicious mechanism he needs to do the scrambling, so he can put the squeeze on you to pay up.
Ouch.
What to do?
All our usual advice applies:
- Patch! To use this malware, a crook needs to sneak just two small files onto your computer: the malware program and a public key. Any remote code execution hole could be enough to lock you and your customers out of your own server.
- Backup! If you have a reliable way of restoring a ruined server, even if you lose a few recent changes, you can recover from this sort of attack without engaging with the crooks.
- Protect! Yes, a Linux anti-virus can help. On a Linux server protected by Sophos Antivirus, for example, Linux/Ransm-C would trigger an alarm as soon as the crook uploaded it – and then he wouldn’t be able to run the malware anyway, because the anti-virus would block it.
While you’re about it, make sure you pick proper passwords, to stop crooks logging in remotely without even needing to hack.
Also, consider using two-factor authentication so that a stolen or leaked password isn’t enough on its own for a crook to login.
And why not listen to our podcast, Malware on Linux – When Penguins Attack?
Let Sophos security expert Chester Wisniewski tell you what he found when he looked at how much help the Linux ecosystem is inadvertently giving to the cyberunderworld…
LISTEN NOW
Malware on Linux – When Penguins Attack
(Audio player not working? Download MP3, listen on Soundcloud, or read the transcript.)
jewettg
Lots of typos in this article..
“…help out crooks who want to practise a spot of extortion against Linux users.” Should be “practice”.
“……to reverse the effects. Th details of how the crook generates…”
Should be: “The”.
Paul Ducklin
In British English, “practise” is the correct way to spell the verb. (We use licence/license for noun/verb, where you guys use license/license. And we have practice/practise where you guys use practice/practice. Strange but true.)
The missing characters are just lossy typing by me. Sorry about that. I am hoping one of my colleagues (hint!) will fix my mistakes :-)
tartanrose
I Practise attempting to use British English too!
My devices are set to British English too, but, I find auto correct often tries to over ride this to my annoyance.
I then have to spend time correcting the correction!
BUT, I am not writing amazingly helpful security articles for others every day, I’m not planning a 60 second security OR, another very helpful and entertaining Chet Chat, all of this peppered with just the right amount of humour, without which we could all go mad in the current day.
Thankyou for all your kind work……….you do make a difference.
Sincerely, Rosie
Martin
Don’t you get “tyred” of trolls like jewettg?
(OK, OK, I’m outta here!)
Paul Ducklin
As far as I know, the American spelling “tire” is the old-school, orginal one, apparently derived from “attire,” as in the cladding or clothing of the wheel. But English spelling was all over the place back then, with “tire” and “tyre” both widely used.
The former spelling stuck in the US, and the latter in the UK, and that was that.
teejayuu
English…not English (American)!
Paul Ducklin
I think you will find the broad classifications “British English” and “American English” both widely used and rather useful.
Each can be further subdivided, of course (e.g. “robot” in South African English means “traffic light” – a British slang term that quickly died out there – and “globe” in Australian English means “light bulb” – again, a usage imported from Britain that is now entirely defunct in the UK. But both Saffers and Aussies put petrol in their cars, and clean their windscreens with water that comes out of taps so they can see to navigate roundabouts – clockwise, of course! – so in the broader sense use British English.)
Anonymous
Picky…actually the language is English, not English (American)!
jewettg
Found one more: “…By sharing a central copy f a shared library”
Should be “copy of”.
Paul Ducklin
Fixed them, thanks. (But not “practise” – our house style is generally to stick to the spelling that each author would use in his or her natural habitat :-)
The Weather
#WhenPenguinsAttack #ProtectThePenguin +42
Linux security is a real thing! (good luck telling that to Linus though LOL!)
Thank you guys for continually providing great insights into how to be safe on the internet and protect your assets. Keep up the good work. I love your pod casts as well +1 for chetchat and +1 for technow
Paul Ducklin
Thanks for your kind words. Much appreciated.
Anonymous
Do anybody know if SAV for Linux works on CenOS? last time its “real time” scanner couldn’t be activated … something regarding a kernel/module compatibility or so…
Paul Ducklin
Hmmm. I don’t know the answer to that, especially not knowing when “last time” was, or exactly what happened when you installed it, or whether CentOS didn’t like it for code related reasons or licensing related ones.
(To be honest, I’ve never used CentOS myself, so I have never installed SAV on it. I used to use Slackware back when I was a Linux fanbuoy – don’t laugh – and SAV’s kernel code would build just fine, though it needed some symlinks adding for the kernel headers.)
IIRC, it *should* work these days. But for kernels that need our special module and for which we don’t have a matching, pre-compiled binary version, there is always a possibility that it won’t build. There are too many factors to predict for each one :-)
To be honest, the only 100% sure way to answer that question is to try it and see.
The command line on-demand/scheduled scanner will work fine anyway, so even on kernels where on-access won’t work there is some utility – though admittedly less – in the product.