
Linux Multi-Cloud Ransomware Attacks Expected to Increase


Ransomware attacks on Linux-based multi-cloud environments are increasing in both volume and sophistication.

Written By David Curry
Mar 4, 2022

Ransomware-as-a-service has become one of the largest threats to organizations. Over the past five years, cyber criminals have improved the sophistication of their ransomware, while businesses have added layers of cloud infrastructure that can be easily targeted if not properly configured.


A new report by cloud computing and virtualization provider VMware, “Exposing Malware in Linux-Based Multi-Cloud Environments”, details the increasing threat of ransomware to multi-cloud platforms, which run almost exclusively on Linux.


Weak authentication and misconfigurations in container-based infrastructures, such as Kubernetes, Container Linux and Photon OS, are two of the primary ways attackers are able to infiltrate cloud-based environments. 

Once inside the environment, attackers will often either deploy a ransomware program that forces the organization to pay to regain access to its data or control of its platform, or reroute the cloud services for cryptomining purposes.

In the second instance, the VMware Threat Analysis Unit found that Monero, a cryptocurrency infamous for its hard-to-track payment system, which has made it a favorite of the dark web, was the currency 89 percent of attackers would mine on their stolen CPU cycles.

Most of the countermeasures to address ransomware in recent years have been targeted at the Windows operating system. However, this focus is misguided, as Linux has become the primary operating system for a lot of ‘behind-the-scenes’ computation, such as cloud computing.


This lack of focus has also come at a time when ransomware on Linux is becoming more sophisticated, although it is still not at the level of Windows-based ransomware sophistication. Attacks have become targeted instead of opportunistic, and new ransomware that targets host images has proved elusive to countermeasures.

In most cases, attackers are utilizing readily available tools that have been deployed in Windows-based attacks in the past, such as Cobalt Strike, a well-known remote access tool. 

One positive is that Linux has many tools, such as dynamic analysis and continuous host monitoring, which, if enabled correctly, should prevent ransomware from infecting an organization, or at least warn organizations when they have been compromised.

Suppliers of cloud-based services should make clients and organizations aware of the enhanced risks and promote smart security and governance features to reduce the risks of ransomware and “crypto jacking”.

“Organizations need to bolster their ability to identify and defend against these types of attacks,” said the VMware Threat Analysis Unit in the report. “Given the distributed, dynamic and heterogeneous nature of today’s enterprise workloads and networks, organizations need to extend telemetry across the entire infrastructure—from endpoints to multi-cloud environments. This will allow organizations to better monitor traffic and identify abnormal behavior to mitigate the impact of attacks on the enterprise, while increasing overall efficiencies and reducing operational costs.”

David Curry

David is a technology writer with several years experience covering all aspects of IoT, from technology to networks to security.
