Exposing Ransomware in Linux-based Multi-cloud Environments

Linux is the most popular operating system in multi-cloud environments and has been dominant for the past five years. But the fact that most malware countermeasures currently in place focus on Windows-based malware threats leaves many public and private cloud deployments susceptible to Linux-based attacks. 

According to a report published by SonicWall, 270,000 malware variants were identified in the first half of 2022. That is around 45% over the same period last year. These types of attacks are becoming more common in organizations. Organizations must improve their ability to detect and respond to them.

This article discusses a comprehensive overview of Linux-based ransomware threats in multi-cloud environments and how businesses can spot and stop these by taking effective measures.

If you want to build ransomware in Python from scratch, this article should be helpful.

Table of Contents

• Ransomware: Top Malware Attack Performed in Linux-Based Multi-Cloud Environment
  • What is Ransomware?
  • How Ransomware Works?
  • Effects of Ransomware
  • Ransomware Families
• How to Detect and Mitigate the Ransomware Threat?
  • Signature-based Ransomware Detection
  • Behavior-based Ransomware Detection
  • Deception-based Ransomware Detection
• Conclusion

Ransomware: Top Malware Attack Performed in Linux-Based Multi-Cloud Environment  

Taking advantage of weak authentication, misconfiguration, and vulnerabilities, the attackers infiltrate the cloud-based environment with remote access tools. Once these attackers get access to the environment, ransomware is the most common type of attack that they look to perform.

What is Ransomware?

Ransomware is malware that holds the victim’s data at ransom. The encryption of critical data means that users or organizations cannot access files, databases, or applications. To gain access, a ransom is required. 

Ransomware can quickly paralyze entire organizations and spread to the target databases and file servers. Ransomware is a growing threat that generates billions in cybercriminals’ payments and causes significant damage to businesses and government organizations.

How Ransomware Works?

A ransomware attack’s basic profile is so well-known that even non-technical people can understand it:

1. A threat actor attacks the network and compromises its security.
2. The sensitive files are encrypted.
3. Treat actors present a ransom note to the victim and ask for cryptocurrency/money in exchange for the decryption key that helps the victims to unlock the file access. 

Effects of Ransomware

Ransomware attacks on cloud environments can have devastating effects: cybercriminals ensure that the target systems are fully compromised before they begin the file encryption. Cybercriminals are now calculating the possible damage they could cause to a company going through financial events to highlight their attack’s potential impact and incentivize ransom payment. They’re also developing sophisticated tactics to attack victim organizations.

Ransomware has recently evolved to target the Linux host images that spin up workloads in virtualized environments. This is a worrying and disturbing development that shows attackers looking for the most valuable assets within cloud environments in order to inflict maximum harm on their target.

Ransomware Families

Below are some famous ransomware families that you should know: 

1. REvil: Also known as Sodinokibi, REvil involves a group of actors acting as a core group of hackers to create and maintain robust malware that they distribute to other hackers. This malware can launch deadly attacks by “affiliates,” lower criminals.
2. DarkSide: DarkSide, a cybercriminal hacking organization, is believed to be located in Eastern Europe. It targets victims with ransomware or extortion. Ransomware is offered as a service by the group.
3. BlackMatter: BlackMatter actors use BlackMatter tools to target various organizations. They have already targeted various organizations based in the U.S. and demanded a ransom amount of $80,000 to $15,000,000 in Bitcoin or Monero.
4. HelloKitty: After successfully attacking CD Projekt Red (the makers of Cyberpunk 2077), the HelloKitty ransomware has gained notoriety. This is another example of a Windows-based threat, which has evolved and expanded into Linux and targets Linux-based systems.
5. ViceSociety: ViceSociety ransomware is believed to be the work of actors who escaped from the HelloKitty group. Their malware shares many similarities with the HelloKitty ransomware. This ransomware group was responsible for attacking the United Health Centers of the San Joaquin Valley, California, and other targets. The attacks resulted in the leakage of sensitive patient records.
6. Erebus: Erebus is an older ransomware family. Although it initially targeted Windows hosts, the threat has evolved to include a Linux variant in 2016.39. This unique threat is due to its multilingual nature. Although the ransomware actors have stopped operating, the ransomware is still interesting and shares some characteristics with other ransomware families.
7. GonnaCry: GoNNaCry is a ransomware-type program. The attackers demand the decryption of data on systems infected by this malware. Victims’ files become inaccessible, and they must pay ransom to unlock their data.
8. eCH0raix: Ransomware eCh0raix targets QNAP network-attached storage (NAS) devices with weak credentials.41 The family is written in Go and has simpler features than other ransomware families. This threat, for example, does not appear to be able to distinguish between victims.

How to Detect and Mitigate the Ransomware Threat?

Below are three ransomware-detecting techniques: 

Signature-based Ransomware Detection

Signature-based ransomware detection is a first-line detection method. It compares ransomware sample hashes to known signatures. This allows for quick static analysis of files within an environment. Antivirus software and security platforms can collect data within executables to determine if it is ransomware or an authorized executable. This step is usually done by antivirus software when it scans for malicious software.

To avoid detection, attackers update malware files. A single byte added to a file creates a different hash, decreasing the detection rate of malicious software. 

Behavior-based Ransomware Detection

Security professionals and tools use behavior-based detection to examine new behavior against historical data. They then compare the behavior of recent employees against their baseline behavior to find indicators that indicate compromise. The detection methods include traffic analysis, API calls, and file system changes. 

Deception-based Ransomware Detection 

The third method of detecting ransomware is to trick adversaries. Most commonly, you can create a honeypot. This file repository is used as bait or decoy for attackers. Normal users don’t touch this server, so if there is activity, it is likely an attack. 

Conclusion

Modern enterprises should consider security as an integral and distributed component and integrate it with all aspects of the multi-cloud environment. Multi-cloud security requires complete visibility into all workloads, with detailed system context. This makes it easier to prioritize mitigation efforts and helps understand them. Intelligently merging all information adds value and allows for sharing contextual data among teams to reduce silos.

Secure multi-cloud environments require that all workload access and communications be protected within and between clouds. The operationalization of security across cloud environments requires robust software that complements network detection, firewalls, meshes, responses, and load balancers.