Linux ransomware in the wild
Nice read but nothing particularly special here and it happened months ago. The title is alarmist.
TL;DR: The user ran firefox as root and the attack happened through adobe-flash. Hardly a sophisticated attack.
Not trying to blame the user, just trying to understand: why would someone ever run a web browser as root? A text editor to edit system files, ok, but a browser?
It seems like some variant of the Linux.Encoder.1 (2015):
http://www.zdnet.com/article/crypto-ransomware-strikes-linux...
https://labs.bitdefender.com/2015/11/linux-ransomware-debut-...
probably "python based" and, as mentioned on the gentoo forums, the ransomware message is very similar to the one in: https://github.com/jdsecurity/CryptoTrooper
Hmm... I half expected this to be a joke and the post about how they had to compile it themselves and were trying to get the dependencies squared away.
Friends don't let friends run Flash. Does Gentoo have Firejail readily available? That would have prevented this, I'm pretty sure.
This is 7 months old. From March. Title makes it sound like breaking news.
Hadn't thought of it before but it might be an idea to run my browser (Firefox, Kubuntu 17.04) under a separate user that doesn't have access to my main user files.
Might be simplest to just create a user through the DE, then "su -c" from my main user to run the browser?
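An added example of the "separate browser user" setup asked about above, not code from the thread or from any of its posters: the browser is launched through sudo as an unprivileged account (the account name "webuser", the binary "firefox" and the nologin path are assumptions), and the script refuses to start a browser as root and warns if the caller's home is still readable by other local users.

```shell
#!/bin/sh
# Added example, not from the thread. Runs a browser as a separate,
# unprivileged account ("webuser", an assumed name) so that a compromised
# browser process cannot read or encrypt the main user's home directory.
set -eu

# Compose the launch command. sudo -u switches to the browser account, -H
# points HOME at that account's home (profile, cache and downloads land
# there), and DISPLAY is passed explicitly because sudo resets the environment.
browser_cmd() {
    # $1 = browser user, $2 = X display, $3 = browser binary
    printf 'sudo -u %s -H env DISPLAY=%s %s' "$1" "$2" "$3"
}

# Return 0 (true) if a directory is readable by "other" users. The main
# user's home should not be, or the browser account can still read it.
world_readable() {
    perm=$(ls -ld "$1" | cut -c8-10)   # columns 8-10 are the "other" bits
    case "$perm" in
        r*) return 0 ;;
        *)  return 1 ;;
    esac
}

# One-time setup (needs root; left as comments so sourcing this file is safe):
#   useradd -m -s /usr/sbin/nologin webuser   # no interactive login shell (path assumed)
#   chmod 750 "$HOME"                         # keep the main user's home private
#   xhost +SI:localuser:webuser               # let that local user talk to X11
#   (Wayland compositors need their own socket permission instead of xhost)

# Launch the browser, refusing to proceed as root and warning if the
# caller's home directory is still world-readable.
main() {
    if [ "$(id -u)" -eq 0 ]; then
        echo "refusing to launch a browser as root" >&2
        exit 1
    fi
    if world_readable "$HOME"; then
        echo "warning: $HOME is world-readable; chmod 750 it first" >&2
    fi
    eval "$(browser_cmd webuser "${DISPLAY:-:0}" firefox)"
}

# Save as browser_as_user.sh; main only runs when executed under that name,
# not when the functions are sourced into another shell.
if [ "${0##*/}" = "browser_as_user.sh" ]; then
    main "$@"
fi
```

`sudo -u webuser firefox` works even though the account has no login shell, because sudo executes the command directly; only `sudo -i`/`sudo -s` would need one. The `chmod 750 "$HOME"` step matters as much as the separate account: without it, the browser user can still read everything the main user owns.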
There is a trend of insecurity/vulnerabilities that seems to gain in speed in recent months. Not trying to sound ominous and nothing to really point a finger at, but it seems like a thing.
Since a few months ago I do almost all browsing in a carefully set up w3m. No JavaScript at all of course and certainly no Flash. I am typing this in vim, which is set as the default form editor in w3m for me.
Edit: if you are wondering if w3m can work well, try looking at HN using w3m, it's a real beauty.
That is one of the reasons I am thinking about having /home on NILFS2 ([1] a log-structured file system) in my dabbling with my own Linux distribution. When you have constant snapshots then ransomware can't do much, can it?
Yes, I got hit by this on two separate machines in June or so, they'll break into one, steal all the SSH keys and look through your history looking for more machines to break into. It sucks ass. I suspect that my breakin was because of an outdated Wordpress installation I kept around.
This malware is super thorough and super obnoxious. Keep your machines up-to-date.
> "Yeah, I'm guilty of running FireFox as root."
Noooooooooooooo!
I don't understand from this post why they would run Firefox as root and, in addition, why they would have Flash enabled on Linux.
But it's still interesting that they bother with making ransomware for Linux in the first place.
Fake news. There is no virus on Linux.
Linux ransomware has been around since the fall of 2015. Nothing special, mate.
It doesn't seem to have been mentioned on the forums, which is alarming, but the correct response to finding out your machine has been owned is to shut it the fuck down. Right away. Then boot up a rescue CD, which will have a known working system (read: not compromised), from which you can do some forensic work to find out how you were owned and what data is recoverable.
Take the data you can recover offline and then reinstall from scratch. Don't try to fix it, just recover what you can and throw the rest away.