The Escalating Threat of
Linux Ransomware
As Linux-based systems gain prominence, particularly as server environments, the risk of malware targeting this operating system has escalated significantly over the past years. Effectively countering these threats necessitates the analysis of Linux ELF executables. In response to this critical need, VMRay has taken a significant step forward with the latest release, VMRay Platform version 2023.3 – this release represents a milestone as we have enhanced our flagship products, DeepResponse and TotalInsight, by incorporating the ability to analyze Linux ELF executables.
Ransomware attacks on Linux systems increased by 75% in 2022, with well-known threat actors like LockBit, Cl0p, and Hive increasingly deploying Linux versions. Even lesser-known groups are embracing Linux or even cross-platform capabilities. The focus on Linux servers is driven by the critical role in hosting services, leading to higher ransom demands and serving as strategic entry points for lateral movement within targeted attacks. Server environments, often foundational in Cloud deployments are well-known for their “always on, always available” and open-source nature, making them a beloved attack target and usable on-demand once infected.
This blog post delves into the significance of utilizing automated analysis for Linux ELF executables and highlights its relevance through an examination of the notorious Linux Hive Ransomware.
Dynamic Analysis of Linux ELF Executables
In the current release, VMRay Platform supports both static and dynamic analysis of 64bit Linux ELF executables built for x86 platforms. Whether one submits a sample manually through the console or automate the process via the API, our analysis platform promptly recognizes the sample type of the ELF executable.
Additionally, the default Ubuntu 22.04 LTS VM is automatically set as the target for the dynamic analysis, as shown in Figure 1.
Before the dynamic analysis takes effect, VMRay Platform conducts a static scan of the submitted file. This process involves lookups against Reputation and Anti-Virus engines, along with the extraction of artifacts such as strings from the ELF executable. Our VMRay Threat Identifiers (VTIs) and YARA rules play a crucial role in detecting and reporting any identified anomalies during this static scanning phase.
Moving on to the dynamic analysis: VMRay’s unique monitoring approach is capable of thoroughly inspecting and observing the execution behavior of the submitted Linux ELF executable. This approach allows us to gain deeper insights into the sample’s behavior during execution. All observed behavior, as well as artifacts collected throughout the dynamic analysis, are carefully evaluated to determine whether the sample exhibits malicious traits or not.
In Figure 2, we can observe how VMRay’s ability to track and report file operations contributes to the VTI detecting ransomware behavior, effectively triggering and raising the verdict of the sample. Additionally, our YARA rules are instrumental in directly identifying the submitted sample as the Linux variant of the well-known Hive ransomware.
The Files tab in the analysis report sheds lights on what happened during this ransomware attacks to files located on the system. As depicted in Figure 3-a, the ransomware searches various locations for files, encrypting and renaming them with new file extensions. As a result, the original content of these files is practically unusable and held hostage until a ransom is paid, potentially leading to a severe disruption of services running on this Linux server.
In Figure 3-b, we can observe the creation of a file called “HOW_TO_DECRYPT.txt”, commonly known as the ransom note. This file contains more detailed information about the incident provided by the operator of the ransomware. It is a common practise for attackers to drop the same ransom note in each directory where files have been encrypted, as indicated by the different paths, referred to as “Also Known As” in the screenshot below.
Taking a closer look at the YARA matches reported by VMRay, one of them triggers on the ransom note that has been written to the file named motd (also known as “message of the day”). Users are presented with the message located in this file every time they log into the system, which is an additional way of notifying the user about the data breach.
Note that the behavior-based monitoring approach utilized by VMRay Platform is not confused by this as static analysis via disassembly is not necessary to detect malicious behavior on our end.
Conclusion
The recently introduced Linux support by VMRay Platform adds the capability to perform both, static and dynamic analyses of Linux ELF executables.
Considering that Linux systems continue to face significant risks, the importance of having reliable and automated malware analysis solutions cannot be overstated. The results of such analysis can be utilized to enhance asset protection within organizations. This crucial step towards fortifying defenses allows our customers to stay one step ahead of the ever-evolving threat landscape, particularly for Linux environments.
