New Ransomware Targeting Sites


Brian Krebs has reported on the latest cyber criminal innovation in ransomware, named “Linux.Encoder.1,” which targets sites powered by the Linux operating system.

Typically, the malware is injected into Web sites via known vulnerabilities in site plugins or third-party software — such as shopping cart programs. Once on a host machine, the malware will encrypt all of the files in the “home” directories on the system.

The file currently has almost zero detection when scrutinized by antivirus products at Google’s Virustotal.com, a free tool for scanning suspicious files against dozens of popular antivirus products. IT Security Experts from Tripwire give insight into this type of ransomware and provide advice for companies.

Craig Young, Security Researcher at Tripwire:

“With web sites being the most exposed aspect of just about every business, it is important that web site operators follow security best practices. A few basic tactics can greatly minimize risk from server ransomware like what Krebs has described.

Top on the list is to keep plugins like shopping carts and blogging components up to date at all times. Generally with web vulnerabilities, as soon as a fix is available, attackers will have the information needed to start scanning for and exploiting vulnerable systems.

My second piece of advice to web site owners is that the web server should not be the sole repository for the site source code, data, and security certificates. Source code should be developed on a development server, checked into a revision tracking system, and pushed from there onto a separate production server. Data files and databases should also be regularly replicated such that the system can be easily restored onto a fresh server with minimal interruption.

Finally, it is important to express that a production web server is not a workstation and should not be treated as such. There should not be anything stored in home directories apart from possibly some basic configuration files.

Following these three steps should go a long way to keeping ransomware from holding your business hostage.”

Lamar Bailey, Vulnerability and Exposures Team Lead at Tripwire:

“The holiday season is the perfect time for attackers to target online shopping sites since the increased traffic means more potential targets. Businesses that primarily sell on the internet need to be diligent in assessing their sites for vulnerabilities, enact strict change control, and configuration management. Attackers will be looking for ways to breach sites or install malicious code like ransomware to infect customers.

Consumers need to make sure they keep their systems patched and be cautious of shopping sites that seem too good to be true or look strange. Advertising extremely low prices on popular items is a technique used to draw in shoppers and targets.”

Ken Westin, Senior Security Analyst at Tripwire:

“Ransomware is becoming an increasingly lucrative form of cybercrime. This evolution of targeting servers comes from cyber criminal syndicates learning that most ransomware payouts have come from businesses. Targeting vulnerabilities in web applications is also low hanging fruit, as the process of scanning for and infecting vulnerable systems can be easily automated.

These groups are leveraging Tor and Bitcoin to anonymize themselves so that tracking down the perpetrators is almost impossible. The best thing that businesses can do to prevent a compromise such as this is to harden their systems, ensure web applications are constantly and immediately updated when new patches are available and continuously scan their systems for vulnerabilities. As cyber criminals are successful in generating revenue from this new ransomware technique, you can expect to see new forms appear that are much more aggressive and target newly discovered vulnerabilities much more quickly.”

About Tripwire
Tripwire is a leading provider of advanced threat, security and compliance solutions that enable enterprises, service providers and government agencies to confidently detect, prevent and respond to cybersecurity threats. Tripwire solutions are based on high-fidelity asset visibility and deep endpoint intelligence combined with business-context and enable security automation through enterprise integration. Tripwire’s portfolio of enterprise-class security solutions includes configuration and policy management, file integrity monitoring, vulnerability management and log intelligence.
