Protecting Against Ransomware

I have been reading quite a bit about ransomware. Ransomware does not target entire systems but only data files.

While Linux users tend to be mildly smug about fighting malware, the recent Magento CMS exploit news story is a warning. Most ransomware writers currently focus on the easy pickings of unskilled Windows users. The Magento incident warns that the focus will widen to include servers. While ransomware writers expect a steady trickle of ransoms paid by those unskilled Windows users, the payoff per victim is low. The return is in volume rather than price. A numbers game. Huge ransoms become possible with servers, where the data of millions of people are at stake. There has been at least one published story about bank servers getting infected, where the ransom was in the millions rather than hundreds of dollars.

Traditional anti-virus software is unlikely to protect against the next wave of ransomware. Ransomware writers will likely reach their victims through unpatched exploits, as was done in the Magento infection. While there will always be sloppy or lazy sysadmins of whom ransomware writers can take advantage, as they do with unskilled Windows users, the majority of Linux users tend to be a tad more tech savvy. Expect ransomware writers to target Linux systems mostly through exploits.

Home and small business users should take note: once the ransomware authors perfect executable code for Linux servers, all the authors need thereafter is a door into any Linux system. Home and small business users will be affected too. Let the small trickle of payments begin there too.

Sure, keep systems patched. Linux developers are excellent at responding to security issues. Yet nobody can really protect against an exploit until the exploit is exposed. Malware authors are not about to publicly disclose the exploits they discover. That is a huge challenge even for the most skilled and savvy Linux user.

There are only three responses to ransomware: 1) pay the ransom and hope for a decryption key, 2) not pay the ransom and restore systems from backups, or 3) cry and lose all data.

Many Linux users, being a tad more tech savvy than Windows users, will choose the second response.

Most ransomware variants target not only valuable data files but backups as well. This is easy to do with backup strategies using push technology, because the backup storage location is mapped locally on the infected system. That is, the backup location is known to the infected system.

Backup systems using pull technology are not easily attacked by ransomware, because the malware cannot easily discover the backup location. Yet ransomware authors are getting more sophisticated and skilled, and they have introduced a sneaky way to cripple those pull technology backups: embedding time delays into their malware. Such malware does not execute immediately but remains latent on the infected system for a while.

While backups provide serious protection against ransomware, the time delays introduce the challenge of knowing when the system received the malware. The only way to cure the infection from backups is to know when the infection occurred. Otherwise, restoring a system from recent backups will only repeat the infection cycle, because the recent backups will include the malware.
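To make the pull-versus-push point and the restore-point problem concrete, here is an added example (my own illustration, not code from the original post). The backup host pulls a client's files into dated snapshot directories, so the client never holds the backup location. Since a latent payload cannot be dated from the files alone, the example then compares consecutive snapshots and flags the first one in which an unusual share of files changed at once, which is the signature an encrypting payload leaves behind, and picks the last snapshot before that as the restore point. The client tree, the snapshot timestamps and the 50% change threshold are constructed for the demonstration; the simulated "activation" is a plain overwrite of every file with random bytes. The practical caveat the code makes visible is retention: if the dormancy period is longer than the number of snapshots you keep, the clean snapshot has already rotated out and `restore_point` returns `None`.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timedelta
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file's contents, used to detect modification between snapshots."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def pull_snapshot(source, backup_root, when):
    """Pull-style backup: the backup host copies the client tree into a new
    dated directory. The client is never told where backup_root lives."""
    dest = Path(backup_root) / when.strftime("%Y%m%dT%H%M%S")
    shutil.copytree(source, dest)
    return dest


def snapshot_manifest(snapshot):
    """Map relative path -> content digest for every file in a snapshot."""
    snapshot = Path(snapshot)
    return {str(p.relative_to(snapshot)): file_digest(p)
            for p in sorted(snapshot.rglob("*")) if p.is_file()}


def changed_fraction(prev, curr):
    """Share of files whose content differs between two consecutive snapshots."""
    before, after = snapshot_manifest(prev), snapshot_manifest(curr)
    names = set(before) | set(after)
    if not names:
        return 0.0
    changed = sum(1 for n in names if before.get(n) != after.get(n))
    return changed / len(names)


def list_snapshots(backup_root):
    """Snapshots in chronological order (the timestamp format sorts lexically)."""
    return sorted(p for p in Path(backup_root).iterdir() if p.is_dir())


def first_suspicious_snapshot(backup_root, threshold=0.5):
    """First snapshot in which at least `threshold` of the files changed at once.
    Normal daily work touches a few files; a payload that encrypts the data
    tree touches nearly all of them in one interval."""
    snaps = list_snapshots(backup_root)
    for prev, curr in zip(snaps, snaps[1:]):
        if changed_fraction(prev, curr) >= threshold:
            return curr
    return None


def restore_point(backup_root, threshold=0.5):
    """Snapshot to restore: the last one taken before the first suspicious one.
    Returns None when the clean snapshot has already rotated out of retention."""
    snaps = list_snapshots(backup_root)
    if not snaps:
        return None
    bad = first_suspicious_snapshot(backup_root, threshold)
    if bad is None:
        return snaps[-1]
    idx = snaps.index(bad)
    return snaps[idx - 1] if idx > 0 else None


def simulate():
    """Constructed scenario: ten client files, two days of light edits, then a
    day on which every file is overwritten with random bytes (what an encrypting
    payload leaves behind). Returns snapshot names, the flagged snapshot name
    and the chosen restore point name."""
    with tempfile.TemporaryDirectory() as tmp:
        client = Path(tmp) / "client"
        backups = Path(tmp) / "backups"
        client.mkdir()
        backups.mkdir()
        for i in range(10):
            (client / f"doc{i}.txt").write_text(f"document {i}\n")
        t0 = datetime(2016, 1, 1)  # constructed timestamps
        pull_snapshot(client, backups, t0)                      # day 0: baseline
        (client / "doc1.txt").write_text("document 1, edited\n")
        pull_snapshot(client, backups, t0 + timedelta(days=1))  # day 1: one edit
        (client / "doc2.txt").write_text("document 2, edited\n")
        pull_snapshot(client, backups, t0 + timedelta(days=2))  # day 2: one edit
        for p in client.iterdir():                              # day 3: every file replaced
            p.write_bytes(os.urandom(64))
        pull_snapshot(client, backups, t0 + timedelta(days=3))
        names = [s.name for s in list_snapshots(backups)]
        bad = first_suspicious_snapshot(backups)
        good = restore_point(backups)
        return names, (bad.name if bad else None), (good.name if good else None)


if __name__ == "__main__":
    names, bad, good = simulate()
    print("snapshots:", names)
    print("first mass-change snapshot:", bad)
    print("restore from:", good)
```

Run it as a script and it prints the four snapshot names, flags the day-3 snapshot and selects day 2 as the restore point. The threshold is a heuristic, not proof of infection: a legitimate bulk operation (a mass reformat, a migration) trips it too, so treat a flagged interval as the place to start investigating logs, not as the final answer.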

As Linux runs on the majority of servers, the threat of ransomware should not be ignored. The results with servers will roll downhill to home and small business users too.

That smug feeling should disappear like the smile of the Cheshire Cat.

Posted: Category: Usability Tagged: General