I may be wrong, but these days doesn&#x27;t malware have a loader (which has a hook in the boot cycle at some point) and a payload (which usually poses as an innocent file tucked away on your system somewhere). Even if you wholesale recover your data and include the payload, there is no loader hooked into your newly-installed system, rendering the payload a digital bullet without a corresponding gun. As far as I&#x27;m aware, infecting your MP3s or JPEGs was more something ye olde worms did, no?

&gt; from which you can do some forensic work to find out how you were ownedIt&#x27;s worth noting that if you are really serious about doing forensics and investigating the attack, then shutting down can be pretty destructive.&gt; what data is recoverable.Another point I&#x27;d make is that try to recover as little as possible from the infected system and prefer using clean backups instead.I agree on the overall sentiment though, attempting to recover a infected system is unnecessarily risky. Nuke it from the orbit, it is the only way to be sure.

Ironically, &#x2F;dev&#x2F;mem has been disabled to counter malware, otherwise you could do<pre><code> dd if=&#x2F;dev&#x2F;mem of=~&#x2F;mem.img 
</code></pre>
to obtain an image dump which may contain the decryption key.

well, when wannacry was around, you could &quot;salvage&quot; the decryption key from an infected machine before it was rebooted.not saying your idea is bad advice but you need the full picture to counter ransomware attacks

And if you are paranoid, don&#x27;t wait for proper shutdown, but pull the power plug. Don&#x27;t bother with the network plug, pull the power plug right away. Some powners don&#x27;t like interrupts and have a nice easter egg in the shutdown or network down procedure, e.g. erasing stuff you might not have backupped (which, I am sure, you have, right?).

&gt; It doesn&#x27;t seem to have been mentioned on the forums, which is alarmingReally?&gt;&gt; Best thing to do when dealing with this kind of stuff is disconnect the network, cold reboot off a livecd and and go from there.&gt;&gt; That means that they got root.
You can&#x27;t clean that up, its a reinstall. [...] 
If you want to do forensics, make a disc image of the install and work on that. You need the filesystem free space too, as that&#x27;s where the interesting stuff will be.

As a developer, my laptop could blow up at any point and I’d lose very little of importance. Maybe an hours worth of work at most.My real concern would be them grabbing secrets, not losing any data.

There’s still the possibility that the infected files have been already committed to version control or backups, before it activated.

Even better - make sure that everything is under version control or backed up so that in such a situation you can just reinstall from scratch without introducing the possibility of &quot;recovering&quot; infected files.

It doesn&#x27;t seem to have been mentioned on the forums, which is alarming, but the correct response to finding out your machine has been owned is to shut it the fuck down. Right away. Then boot up a rescue CD, which will have a known working system (read: not compromised), from which you can do some forensic work to find out how you were owned and what data is recoverable.Take the data you can recover offline and then reinstall from scratch. Don&#x27;t try to fix it, just recover what you can and throw the rest away.

agree. ordinary user is absolutely sufficient. 
I&#x27;ll now present a sophisticated privilege escalation method that most of us won&#x27;t notice (me included, sarcasm off):<pre><code> alias sudo=&#x27;&#x2F;usr&#x2F;bin&#x2F;sudo echo something evil &amp;&amp; &#x2F;usr&#x2F;bin&#x2F;sudo&#x27;
</code></pre>
I don&#x27;t think it matters that he used his root account.Edit:
Maybe I&#x27;m wrong with my opinion, you can disable ASLR using your root rights... <a href="https:&#x2F;&#x2F;askubuntu.com&#x2F;a&#x2F;318476" rel="nofollow">https:&#x2F;&#x2F;askubuntu.com&#x2F;a&#x2F;318476</a>Edit: Last exploit for Linux remote exploitation with Flash is from 2015 <a href="https:&#x2F;&#x2F;www.rapid7.com&#x2F;db&#x2F;modules&#x2F;exploit&#x2F;multi&#x2F;browser&#x2F;adobe_flash_hacking_team_uaf" rel="nofollow">https:&#x2F;&#x2F;www.rapid7.com&#x2F;db&#x2F;modules&#x2F;exploit&#x2F;multi&#x2F;browser&#x2F;adob...</a> or did I miss something here?

There may be things an exploit can do as root that wouldn&#x27;t work under your user to break out of the adobe flash &quot;sandbox&quot;. But yeah, the real recommendation is to get rid of flash and kill it with fire. The security of free software isn&#x27;t fullproof but good riddance from the web to that particular closed source blob.

The whole point of security and good practices is to make harder for those arbitrary codes to be executed (or for whatever other flaws to be exploited, until they&#x27;re fixed). Running a browser as root is not good practice. Doesn&#x27;t mean that something bad will happen, but it&#x27;s more or less line laying the cheese on the ground and expecting mice not to go after it. Even if you have none around, you just shouldn&#x27;t risk it. At all. Unless you know exactly what you&#x27;re doing.

This is why I wish people took mandatory access control more seriously. But to make it really pervasive and useful you need something like what Android has, where the file format mandates MAC profiles for the app. Even Red Hat cannot maintain SELinux profiles for every package in every repo, and even then third parties would complain about having to write the profiles just for RHEL &#x2F; Fedora packages.It is something the entire ecosystem would have to, at once, agree to make happen, and then standardize mandated MAC profiles in every package format. So basically never.

Firefox has some sandboxing on Linux, though it&#x27;s quite recent.

Its possible to run firefox with fewer privileges so that the only thing it could delete are your recent downloads.

Why does it matter if Firefox ran as root or not? I agree it&#x27;s terrible practice in principle. But most people will run Firefox as their ordinary user, which normally has full access to the files in their home directory.If someone gets arbitrary code execution under your user, they can erase&#x2F;encrypt your files. Who cares if the OS files are safe. All the data you really care about will be gone.

stand up an old version of wordpress with poor admin&#x2F;admin credentials on an external box, and wait a couple hours. You&#x27;ll find all sorts of malware on a linux box. ransomware included. Pretty common, though it seems most people who compromise linux machines use them to launch further attacks, not ransomware.
The ransomware linux variants I see all do about the same thing: wipe various &#x2F;var&#x2F;log&#x2F;* logfiles, they encrypt all your mysql dbs, your homedir files, and your webserver docroot.

The title seems fine to me. I knew Linux ransomware was a theoretical possibility, but I didn&#x27;t know it was out there in the world. Or, as they say, &quot;in the wild&quot;.

I&#x27;m not sure I agree with your anlaysis. True the user ran Firefox as root (which is terrible practice), but also had the same problems on a different system that never ran firefox:&gt; Interesting to note that another system, also a sister, seems to have caught the same, and I can&#x27;t recall ever having run anything but VirtualBox VMs on that one, it&#x27;s turned off right now until I figure out a recovery plan, so at least 2 systems to recover, and have one clean one to do so from.That said, it could easily be explained if SSH private keys weren&#x27;t encrypted (passphrase protected) and allowed an easy hop from infected to sister. And if somebody is running Firefox as root, it doesn&#x27;t seem too extreme to assume they might have unencrypted private keys...So it may just be from running Firefox as root, but it&#x27;s still possible it could be from other things.

&gt; TL;DR: The user ran firefox as root and the attack happened through adobe-flash. Hardly a sophisticated attack.That has been speculated but far from proven. On the last page they are still talking about the point of entry and how they are in no way convinced it was FF&#x2F;Flash.

Yeah I thought I was doing alright dual adblock and virtual box.

First time I&#x27;ve seen ransomware on Linux though ... maybe I&#x27;m not paying attention...

Also, don&#x27;t run ads (at least not without protection).

Chrome has a better sandbox than Firefox, for one.A notch better would be running Qubes OS.

Isn&#x27;t that how most ransomware spreads?Here&#x27;s a detailed view on Angler exploit kit which spreads through ad networks[1].What&#x27;s a good way to browse safely without using something like tails? There&#x27;s firejail[2] and obviously I can run it as a different user[1]: <a href="https:&#x2F;&#x2F;news.sophos.com&#x2F;en-us&#x2F;2015&#x2F;07&#x2F;21&#x2F;a-closer-look-at-the-angler-exploit-kit&#x2F;" rel="nofollow">https:&#x2F;&#x2F;news.sophos.com&#x2F;en-us&#x2F;2015&#x2F;07&#x2F;21&#x2F;a-closer-look-at-th...</a>[2]: <a href="https:&#x2F;&#x2F;firejail.wordpress.com&#x2F;" rel="nofollow">https:&#x2F;&#x2F;firejail.wordpress.com&#x2F;</a>

The article itself mentions running Firefox as root, but there&#x27;s no way the user can be sure that&#x27;s the infection vector.

&gt;TL;DR: The user ran firefox as root and the attack happened through adobe-flash. Hardly a sophisticated attack.While possible, this sounds so spectacularly unlikely that I can’t help but think that you’re just speculating.

Nice read but nothing particularly special here and it happened months ago. The title is alarmist.TL;DR: The user ran firefox as root and the attack happened through adobe-flash. Hardly a sophisticated attack.

You&#x27;re describing a sandbox. You run the security-vulnerable routine inside a separate process and give this process the most minimal read&#x2F;write-permissions that the routine can still work with.Flash itself has been sandboxed inside Firefox&#x27;s Plugin Container since forever and Firefox is getting a sandbox around tabs as we speak.But you can break out of sandboxes. By either exploiting a bug in the OS that bypasses process permissions or by finding a hole in the sandbox that allows you to do things.I imagine, for example, if you want to upload a file, then the tab-process has to talk to the less restricted main-Firefox-process, which has to then open up a file-chooser dialog and give control to the user.But it could for example be possible to somehow malform this request to the main-Firefox-process, so that the file-chooser crashes and just hands over a random file, before the user has even seen the dialog. (Obviously, I&#x27;m not going to come up with an actual security vulnerability on the spot here.)This kind of vulnerability can&#x27;t be fixed with a sandbox. You need some way to upload files, for which you&#x27;ll need filesystem access in some way and to pretty much the entire Home-directory.Theoretically, you could require the user to copy the file into a separate &quot;Upload&quot;-directory and then only have read-permissions to that directory, but that&#x27;s hardly user-friendly and would probably end up with some users keeping their entire Home-directory underneath that Upload-directory.

Seeing as the user&#x27;s main problem is their home directory was encrypted, the root doesn&#x27;t seem like it would make any difference...Better would be easier ways to run browsers (and all applications) inside protected systems of some kind, so even if they are hacked they can&#x27;t touch anything outside their own cache directory, and creating downloaded files.

Probably because they were lazy and just logged in as root &quot;like they do in windows&quot; because they don&#x27;t know how to sudoOr maybe that was not the source of the infection, just ssh enabled with a weak password

It&#x27;s pretty common for noobs to do this when they have messed up permissions, because permissions errors magically go away.The OP on the Gentoo thread seems more than competent enough to know how to fix permissions issues though, so I agree it&#x27;s a headscratcher.

It is quite common among normal users trying to use more secure OSes.Not sure if this is still a thing, but I remember Apple forums used to have people asking how to do that.

well i&#x27;m usually just logged in as root anyway to get rid of those pesky password promts

Not trying to blame the user, just trying to understand: why would someone ever run a web browser as root? A text editor to edit system files, ok, but a browser?

It seems like some variant of the Linux.Encoder.1 (2015):<a href="http:&#x2F;&#x2F;www.zdnet.com&#x2F;article&#x2F;crypto-ransomware-strikes-linux-but-attackers-botch-private-key&#x2F;" rel="nofollow">http:&#x2F;&#x2F;www.zdnet.com&#x2F;article&#x2F;crypto-ransomware-strikes-linux...</a><a href="https:&#x2F;&#x2F;labs.bitdefender.com&#x2F;2015&#x2F;11&#x2F;linux-ransomware-debut-fails-on-predictable-encryption-key&#x2F;" rel="nofollow">https:&#x2F;&#x2F;labs.bitdefender.com&#x2F;2015&#x2F;11&#x2F;linux-ransomware-debut-...</a>probably &quot;python based&quot; and, as mentioned on the gentoo forums, the ransomware mesage is very similar to the one in:
<a href="https:&#x2F;&#x2F;github.com&#x2F;jdsecurity&#x2F;CryptoTrooper" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;jdsecurity&#x2F;CryptoTrooper</a>

Hmm... I half expected this to be a joke and the post about how they had to compile it themselves and were trying to get the dependencies squared away.Friends don&#x27;t let friends run Flash. Does Gentoo have Firejail readily available? That would have prevented this, I&#x27;m pretty sure.

This is 7 months old. From March. Title makes it sound like breaking news.

I currently run my kids browsers under my user by doing &quot;xhost +local:; su -l -c &#x2F;usr&#x2F;bin&#x2F;firefox $USERNAME&quot; where USERNAME is the kids login. I may have made changes to enable that, don&#x27;t recall sorry.

Out of the box it&#x27;ll probably tell you &quot;Client is not authorized to connect to server&quot; if you try to run anything X11 as another user.However it should be possible to configure your system such that it doesn&#x27;t like such: <a href="https:&#x2F;&#x2F;wiki.archlinux.org&#x2F;index.php&#x2F;xorg#X_clients_started_with_.22su.22_fail" rel="nofollow">https:&#x2F;&#x2F;wiki.archlinux.org&#x2F;index.php&#x2F;xorg#X_clients_started_...</a>

Another option would be a sandboxing system like xdg-app. AFAIK, there&#x27;s already a xdg-app release of LibreOffice, and an experimental xdg-app build of Firefox.And, of course, there&#x27;s always the paranoid option of &quot;run the browser within a virtual machine&quot;, so an attacker would have to break the browser, then get local root within the VM, and finally find an exploit for the VM, before getting to your files.

Can make the user have read access to specified folders on the main user, seems easy enough.

Uploading files would become a chore, as you&#x27;d always have to copy them over from your actual Home-directory to that Firefox-user&#x27;s, but yeah, it would add another thick layer that attackers would have to get through.Mind that Firefox is also getting sandboxed tabs as we speak, so yet another layer that attackers would have to get through, which wasn&#x27;t in place at the time of this attack.

Hadn&#x27;t thought of it before but it might be an idea to run my browser (Firefox, Kubuntu 17.04) under a separate user that doesn&#x27;t have access to my main user files.Might be simplest to just create a user through the DE, then &quot;su -c&quot; from my main user to run the browser?

There is trend of insecurity&#x2F;vulnerabilities that seems to gain in speed in recent months. Not trying to sound ominous and nothing to really point finger to but it seems like a thing.Since few months ago I do almost all browsing in carefully set w3m. No javascript at all of course and certainly no flash. I am typing this in vim which is set as default form editor in w3m for me.Edit: if you are wondering if w3m can work well try looking at HN using w3m, its a real beauty.

If it runs as root you have much more to worry about, but that&#x27;s of course one of the problems.

Depends on what permissions it has. If it runs as root, it probably could delete&#x2F;mess up snapshots. If it&#x27;s going to do so, especially for non-mainstream filesystems, is another question.

Log-structured file systems work by treating disk space as circular log. They only append and then wrap around. Snapshots are natural consequence.

Only if the snapshots are read-only and&#x2F;or invisible by default; some systems expose snapshots as additional directories under some mountpoint, in which case they just get encrypted as well.

That is one of the reasons I am thinking about having &#x2F;home on NILFS2 ([1] a log-structured file system) in my dabbing with my own Linux distribution. When you have constant snapshots then ransomware can&#x27;t do much, can it?[1] <a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;NILFS" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;NILFS</a>

Yes, I got hit by this on two separate machines in June or so, they&#x27;ll break into one, steal all the SSH keys and look through your history looking for more machines to break into. It sucks ass. I suspect that my breakin was because of an outdated Wordpress installation I kept around.This malware is super thorough and super obnoxious. Keep your machines up-to-date.

&gt; &quot;Yeah, I&#x27;m guilty of running FireFox as root.&quot;Noooooooooooooo!

But who runs flash on server as root?! If this was the source..

Lots of servers run Linux. Lots of data to hold ransom on lots of servers running Linux.

I don&#x27;t understand from this post why run Firefox as root and why have in addition flash enabled on Linux.But it&#x27;s still interest that they bother with making ransomware the first place for Linux.

Please don&#x27;t post unsubstantively on Hacker News. We&#x27;d like to skip right to gratifying our intellectual curiosity.<a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;newsguidelines.html" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;newsguidelines.html</a>

Fake news. There is no virus on Linux..

Wow...voted down for speaking the truth and bringing some actual knowledge to this fear-mongering thread. HN is turning into Slashdot, I see.

Linux ransomware has been around since the fall of 2015. Nothing special, mate.

Linux ransomware in the wild