Linux Ransomware Poses Significant Threat to Critical Infrastructure

Organizations running Linux distributions need to prepare to defend their systems against ransomware attacks. Steps to ensure resiliency and basics such as access control reduce major disruptions.

Jon Miller, CEO & Co-Founder, Halcyon

July 18, 2023


Linux systems run many of the most critical operations behind the scenes, including a good deal of our nation's critical infrastructure, and now more ransomware groups are introducing Linux versions. If these systems are disrupted by a ransomware attack, it could cause a catastrophic event.

A successful ransomware attack on these systems could make the Colonial Pipeline disruption look like a blip, so we should be making all necessary preparations to address this rapidly growing threat. Unfortunately, that same criticality makes Linux even more alluring to today's ransomware gangs, many of which are affiliated with well-resourced nation-states.

Uh, Linux?

Most people aren't familiar with Linux or don't fully understand how much it touches their daily life. The Linux operating system runs on less than 3% of desktops, whereas Windows runs on about 80%. Since Linux isn't as visible in the front office or at home, Linux threats don't garner as much attention as those impacting Windows.

What most people don't know is that Linux runs approximately 80% of Web servers and is the most common operating system for constrained, embedded, and IoT devices used in sectors such as energy and manufacturing. Linux also drives most of the US government and military networks, financial and banking systems, and runs the backbone of the Internet.

Furthermore, Linux runs most organizations' database servers, file servers, and email servers. Running the same operating system across those roles unifies the IT stack and makes the network easier to manage, but it also means the same credentials, tooling, and unpatched services tend to be shared across them. So, if attackers gain access to a Linux environment, they have access to an organization's most critical systems and data.

Given its lack of visibility and small market share on desktops and laptops, Linux defense tends to be an afterthought. In fact, most endpoint security solutions don't even cover Linux, so options are few. This makes defending Linux systems a major challenge.

Linux Ransomware

In 2022, ransomware attacks targeting Linux systems increased by 75% from the previous year. Ransomware gangs have been introducing Linux versions at an increasing pace, with attacks now coming from some of the most infamous gangs like Conti, LockBit, RansomEXX, REvil and Hive. Lesser-known and emerging threat actors are also focusing more on Linux, with groups like Black Basta, IceFire, HelloKitty, BlackMatter, and AvosLocker adding Linux capabilities, to name a few.

So, why the sudden focus on Linux servers? Disrupting them holds the potential to inflict a lot of pain, and attackers know that more pain translates into higher ransom demands and more dollars in their pockets.

The "always on, always available" nature of Linux systems paints a huge target for threat actors, and compromising Linux systems provides a strategic beachhead for moving laterally throughout a targeted organization's network. And Linux is open source, which means attackers have a great deal more insight into how Linux systems are running, and have a head start in customizing attacks.

Linux is also highly customizable, which is why it is the preferred operating system for large network environments. This means threat actors have a considerable level of control over the network once they have gained shell access and persistence: the same built-in network tools administrators rely on are available to them to extend their reach into the network.

Time to Prepare Is Now

The key takeaway here is that any organization running critical workloads on Linux should start preparing to defend these systems that, until recently, were rarely targeted by ransomware. There are very few security solutions on the market that can protect Linux systems, and no dedicated solutions that focus on stopping ransomware specifically.

Specific measures to ensure an organization is resilient after a ransomware attack will vary depending on the organization's line of business. In general, organizations need to at least have the basics in place in preparation for a ransomware attack, including:

  • Endpoint protection: Deploy an anti-ransomware solution alongside existing endpoint protection platforms (EPP/EDR/XDR) to bridge the gaps in ransomware-specific coverage.

  • Patch management: Keep all software and operating systems updated and patched.

  • Data backups: Ensure critical data is backed up off-site, kept immutable or offline so that a compromised host cannot encrypt or delete it, and regularly restore-tested so the backups are known to work before they are needed.

  • Access control: Implement network segmentation and least-privilege policies (zero trust), including for service accounts and SSH keys, which are the credentials attackers typically reuse to move between Linux hosts.

  • Awareness: Educate against risky behaviors and teach about avoiding phishing techniques with an employee awareness program.

  • Resilience testing: Regularly test solutions against simulated ransomware attacks to ensure effective detection, prevention, response, and full recovery of targeted systems.

  • Procedure testing: Plan and prepare for failure by running regular tabletop exercises and ensuring all stakeholders are ready and able to respond to an attack at any time.
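As an added illustration of the detection side of the resilience-testing point above (example code written for this edit, not the article's or any vendor's product): a small shell function that scans file-activity events for a burst of renames to a new file extension by a single process, which is the footprint a file-encrypting ransomware binary typically leaves on a Linux file server. The event format and the sample lines are constructed for the example; in a real deployment the events would come from auditd, fanotify, or a similar source, and the function assumes a POSIX awk is installed.

```shell
#!/usr/bin/env bash
# Added example: flag a burst of renames to a new file extension, per process.
# Not part of the article or of any product; event format below is assumed.

# Constructed sample events (NOT real auditd/fanotify output). Assumed format:
#   epoch_seconds pid process op src_path [dst_path]
SAMPLE_EVENTS='1689690000 4120 backup_agent rename /srv/data/q1.xlsx /srv/backup/q1.xlsx
1689690001 5533 kworker-x rename /srv/data/a.docx /srv/data/a.docx.locked
1689690001 5533 kworker-x rename /srv/data/b.docx /srv/data/b.docx.locked
1689690002 5533 kworker-x rename /srv/data/c.pdf /srv/data/c.pdf.locked
1689690002 5533 kworker-x write /srv/data/README_TO_RESTORE.txt
1689690003 5533 kworker-x rename /srv/data/d.sql /srv/data/d.sql.locked
1689690003 5533 kworker-x rename /srv/data/e.sql /srv/data/e.sql.locked
1689690010 7001 postgres write /var/lib/postgresql/14/main/base/16384/2601
1689690040 4120 backup_agent rename /srv/data/q2.xlsx /srv/backup/q2.xlsx
1689690100 5533 kworker-x rename /srv/data/f.txt /srv/data/f.txt.locked'

# flag_rename_bursts WINDOW_SECONDS THRESHOLD   (reads events on stdin)
# Prints "<pid> <process> <count> <window_start_epoch> <new_extension>" once for
# each pid that renames THRESHOLD or more files to a changed extension within
# WINDOW_SECONDS of the first such rename by that pid.
flag_rename_bursts() {
  local window="${1:-60}" threshold="${2:-5}"
  awk -v W="$window" -v T="$threshold" '
    # Extension of the basename only, so dotted directories such as /home/u/.cache
    # and dotfiles such as .bashrc are not mistaken for extensions.
    function ext_of(p,    n, a) {
      sub(/.*\//, "", p); n = split(p, a, ".")
      return (n > 1 && a[1] != "") ? a[n] : ""
    }
    $4 == "rename" && NF >= 6 {
      src = ext_of($5); dst = ext_of($6)
      # A backup agent moving q1.xlsx to another directory keeps the extension
      # and is ignored; a.docx -> a.docx.locked changes it and is counted.
      if (dst == "" || dst == src) next
      pid = $2
      # Tumbling window anchored on the first suspicious rename by this pid.
      if (!(pid in first) || $1 - first[pid] > W) { first[pid] = $1; cnt[pid] = 0 }
      cnt[pid]++
      if (cnt[pid] == T) print pid, $3, cnt[pid], first[pid], dst
    }'
}

# Stand-alone run over the constructed sample: pid 5533 is expected to be flagged.
printf '%s\n' "$SAMPLE_EVENTS" | flag_rename_bursts 60 5
```

Two caveats worth keeping in mind when adapting this: legitimate tools (backup agents, archivers, compilers) also rename files in bulk, so the window and threshold need tuning against a baseline of normal activity on each host, and ransomware that encrypts files in place without renaming them will not trigger a rename-based rule at all, so this check belongs alongside write-rate or entropy-based checks rather than on its own.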

The targeting of Linux systems has the potential to cause serious disruptions far beyond the scale of what we have seen in any ransomware attacks to date. The consequences of not redoubling our efforts to defend Linux systems could prove catastrophic, but we can reduce the threat of a major disruption and its potential impact by preparing now.

About the Author(s)

Jon Miller

CEO & Co-Founder, Halcyon

Jon Miller is the CEO & Co-founder of Halcyon with 25+ years working in the cybersecurity industry. Prior to Halcyon, Jon was the CEO & Co-founder of Boldend, a next-generation defense contractor focused on building offensive tools for the US Government. Before Boldend, Jon held the title of Chief Research Officer of Cylance (now BlackBerry), where he focused on malware and product efficacy. Prior to Cylance, Jon was employee number 70 at Accuvant (now Optiv), where he and a group of others built and led Accuvant LABS, the largest technical consultancy at the time, working with over 95% of the Fortune 500 as an offensive security expert. Before Accuvant, Jon was a ten-year veteran penetration tester, serving as one of the first in the industry working for the Internet Security Systems (now IBM) X-Force.
