The Linux operating system is usually safe from most malware attacks. However, a new type of ransomware is shaking things up a bit. Erebus is a Linux ransomware variant which can impact enterprise servers. It is also the malware which affected the South Korean NAYANA hosting provider.
Erebus Ransomware Could Be a Massive Threat
Most people will recall how a South Korean web hosting service provider was affected by a ransomware attack not too long ago. Despite the company’s best efforts, it was forced to pay US$1 million worth of Bitcoin to regain the use of its servers. It was unclear which type of malware was responsible for the attack, considering that the company’s Linux servers were affected. It now turns out this was the so-called Erebus ransomware, which is primarily designed to infect Linux devices.
There is a lot more to this malware than originally assumed. Erebus is capable of bypassing User Account Control settings on the Linux operating system, making it a very potent threat. Analysis by Trend Micro has showed how this malware is a logical evolution of various exploit kits in the past. This may indicate that the ransomware has a sophisticated developer running the show, which could hint at future versions of Erebus hitting the market.
Distribution of this ransomware seemingly occurs through malvertising campaigns. As we have highlighted on multiple occasions, malicious website advertisements are very hard to counter, unless one blocks all ads in the browser. Even then, some types might still show up and successfully distribute their payload. The campaigns used for Erebus direct victims to the Rig exploit kit, which subsequently infects the target computer.
It appears Erebus encrypts files using the RSA-2048 encryption algorithm, which is practically impossible to crack. A whopping 423 file types are susceptible to this ransomware attack. The attack against the South Korean web hosting service provider was not random either. The malware’s command and control servers are located in the same country. Although it is unclear if the servers have been shut down, it seems the ransomware is still actively distributed.
To make matters worse, Erebus is now more powerful than its previous iteration. It poses significant risks to all Linux servers worldwide. The ransomware payload is executed after systems are rebooted, and it employs UNIX’s Cron utility to verify that the ransomware is still running every 60 minutes. Right now, getting rid of the malware will cost you approximately 5 BTC, though that price was twice as high just a few weeks ago.
The top priority now should be to properly secure Linux servers and systems all over the world. That is much easier said than done since there are many different distributions from which to choose. Sorting out privileges on large-scale networks should be one of the first steps along the path to properly secure file systems. Monitoring network traffic would be the next logical step, followed by upgrading firewall rules. Now would be the best time to start looking into data backup solutions as well.