The Evolution of Linux Ransomwares
Tejas Girme
Microsoft
Abstract:
Organizations rely heavily on Linux operating systems for the development and deployment of applications. Core workloads and processes, including file servers, web servers, virtualization software, containers, massive databases, storage, and management applications, are hosted on Linux systems, making these systems a source and store of crucial, critical, and confidential data. Given the value of such enterprise data, threat actors have actively started targeting the Linux operating system with ransomware. In past years, a decline in Linux ransomware incidents was observed, after a few had appeared that mostly focused on file encryption. However, recent Linux ransomware focuses on both exfiltration and encryption of data in order to demand ransom.
This paper will present a thorough analysis of each Linux ransomware, highlighting its evolving techniques and tactics. It will focus on the strategic changes adversaries have employed over time that make ransomware stealthier and more evasive today. It will also shed light on recent ransomware cases such as DarkSide, BlackMatter, REvil and HelloKitty. I will conclude by touching upon the defense mechanisms and preventive measures that can be applied to secure a Linux environment.
Speakers
Senior Security Researcher