2016, the Year of Ransomware, has seen draconian variants of Ransomware. Some came with robust encryption while others bypassed the strongest of security ramparts. In May this year, another tightly-knit operating system was hijacked by a Ransomware variant. This time it was Linux-operated computers that fell prey to the wily program.
(Note: This is another secured OS duped by Ransomware, after Mac.)
To begin with, crooks have named the variant the Rex Linux Trojan. The Trojan is written in Go and uses CVE-2014-3704 to seize Drupal websites. Unlike others, Rex Linux has more weapons with which to attack users and has undergone many updates since it first appeared. It operates in 5 different ways: Attack vector, Bitcoin mining, C&C Communication, Ransom (Armada Collective) and DDoS. It is now capable of infecting CMS platforms, is transmitted via an advanced P2P-based botnet and can easily disseminate itself to other vulnerable servers and devices on the local network.
- Attack Vector: This kind of attack simply looks for vulnerable services on the internet via bots. It then drops the malware onto the server, which in turn communicates with other bots via P2P. From there, the malware is transmitted to the user’s system. Beyond this, Rex exploits many other means. These include Drupal, WordPress, Magento and Misc.
- Drupal is exploited with CVE-2014-3704. The malware then adds another admin account to the website while locking the original one. It locks all blog posts, drops a website-locker note, and uploads and executes Rex.
- WordPress is another major target of Rex, along with other CMS.
- Magento attacks are somewhat similar to the Drupal attacks. Rex looks for the ShopLift RCE, creates a new admin account and executes Rex on the web server.
- Bitcoin mining: The malware is capable of Bitcoin mining. Mining is the process of adding transaction records to Bitcoin’s public ledger. In other words, it is a chain of transactions, hence the name blockchain. This chain also helps confirm the transactions at each level. Although the Trojan performs this resource-hungry technique, the exact process it uses is still unknown.
- C&C Communication: Rex peculiarly infects many other systems via C&C communication. Precisely, the central system is attacked first, and the exploit kit is then transmitted to other systems.
- DDoS: The Trojan has not confined its activities to Ransomware infection; it viciously threatens other webmasters as well. It cunningly issues a warning to pay a ransom, else a DDoS attack becomes operative. This is another sly scheme by criminals to steal ransom money from innocent users. You can see the original screenshot of the warning below.
(Image Source: news.softpedia.com)
- Ransom (Armada Collective): This is very similar to the DDoS threat. A gang of crooks torments users into paying a ransom, else their system will be locked and they will lose access to their data.
As it stands, Linux Ransomware is spreading at a rapid pace. The only ways to dodge Ransomware are to keep a secure backup of data and to keep all software, programs and applications installed on the system properly updated. Proper software updates give the malware no vulnerability to exploit in the first place, and data backups ensure the protection of all data.
Be proactive and avoid Ransomware attacks!