New Linux Ransomware Lilocked is Added to the Growing List of 2019 Linux Cyber Attacks

Yet another Linux attack has surfaced recently that has impacted thousands of servers. It’s a ransomware called Lilocked (aka Lilock or Lilu) and likely takes advantage of a known Exim vulnerability or possibly old versions of WordPress to gain system entry. Once inside, Lilu encrypts the data on the server and renames the files with a *.lilocked extension.

For each folder that is encrypted, Lilocked also drops a ransom note that provides instructions on how to pay bitcoin (approximately $100) to remove the encryption. A sample has yet to be found, so there is no known way to remove the encryption without paying the ransom.

2019 Has Been an Active Year for Linux Attacks

Lilocked is yet another cyber attack in a growing list of those targeted to Linux. Other notable Linux attacks in 2019 include:

  • Silex — a bricking worm that attacks Linux IoT devices and permanently disables the devices it infects.
  • GoLang Malware — a malware written in the GoLang language that uses Linux servers for illegal cryptomining.
  • Zombieload — an Intel processor side-channel attack that can see all the websites a user is visiting in real-time.
  • Hiddenwasp — a trojan used for targeted remote control of Linux systems.
  • EvilGnome — Linux spyware that takes desktop screenshots, steals files, captures audio and can download and execute further second-stage malicious modules.

Both the volume and severity of attacks on Linux seems to be on the rise in 2019 and doesn’t appear to be stopping anytime soon.

Why Linux is Such a Hot Target for Attackers

There is good reason as to why Linux is now a popular focus for cyber attacks. In fact, there are four good reasons:

  1. Volume and value — Linux has grown significantly in adoption and by some very important users. In 2019, 100% of the world’s supercomputers run on Linux. Out of the top 25 websites in the world, only 2 aren’t using Linux. And 96.3% of the world’s top 1 million servers run on Linux. All of this adds up to an attractive size and valuable user base for cybercriminals to target.
  2. Difficult to secure — It is very easy to spin up a public facing Linux server and plug it in. However, setting up a secure operation takes much more work. With the distributed model, centralized organizations can’t easily enforce policies because there are too many ways around them. Furthermore, it is hard to monitor over time and ensure that it remains in compliance. Cybercriminals know this and seek to take advantage of these poorly secured systems.
  3. Commonly outdated — Keeping open source software up-to-date requires significant effort. Because of this, packages are often outdated — especially if you don’t have extremely rigorous practices for Linux maintenance. And even when users are prepared to upgrade, security vendors take a few weeks to respond with upgraded protection leaving users operating in a degraded mode and unprotected during that window.
  4. Data galore — Getting to the valuable data is the ultimate goal of many cybercriminal schemes and Linux tends to be used for the good stuff like customer data, PII, intellectual property and financials. That data is both valuable and easy to get to while being virtually undetectable. For cybercriminals, getting onto a server environment means you can wait, hide and explore. You can pop out of an app into a shell, then do recon, move laterally and ultimately reach the data you are looking for.

Protection from Today’s Linux Cloud Attacks Requires New Techniques

The Linux footprint is growing fast — as is awareness of the specific attack vectors and security failure scenarios unique to Linux cloud environments. Unfortunately, many of the security products that were originally developed for Windows-centric, corporate models simply don’t scale in the cloud era.

Antivirus solutions are so highly tuned for Windows viruses that they are largely irrelevant in Linux. Furthermore they are way too heavy weight for the high performance needs of most server environments.

EDR (Endpoint Detection & Response) requires highly skilled “detectives” to wade through an overwhelming amount of data in order to find threats. They struggle with the active breach scenarios and lateral movement patterns that are highly prevalent in Linux. And of course, EDR is completely reactive — by the time the incident is detected it may be too late.

Privileged Access Management works well in highly centralized, Active Directory-based environments. However, in Linux they provide little protection from the biggest threat — a root-access user who does something they shouldn’t, accidentally or maliciously. Again, by the time the action is taken, it’s too late.

These legacy solutions simply were not built for high-velocity, rapid-iteration cloud environments. They are overly restrictive, they bring DevOps to a halt, and they stifle an organization’s ability to innovate and compete.

Try Cmd Linux Security For Free

Cmd delivers cloud-scale security that enforces security policy without slowing down DevOps. Intelligent guardrails that can block dangerous commands, even for root users, let security professionals rest easy that policies are followed and compliance requirements are met. Deep visibility into Linux environments helps your SOC and incident responders navigate complex cloud environments to find threats hidden in plain sight. Operational controls let you work with the DevOps tools you already have in place, to keep security lightweight and strong. Oh — and Cmd works across all flavors of Linux commonly used in the enterprise, without needing to be re-deployed every time Linux is patched or upgraded.

Want to know more? Sign up for a free trial of Cmd Linux Server security solution. With the continued increase of Linux attacks, this should be a priority for security and DevOps teams to deploy or the next Lilocked may cause serious consequences.