Ransomware in Trisquel/Ubuntu

10 replies [Last post]
0d54770d

I am a member!

Offline
Joined: 04/09/2016

I've been hearing a lot lately about ransomware, and I was wondering how computers became affected by it, and the ramifications for Trisquel/Free Software.

lembas
Offline
Joined: 05/13/2010

sudo apt-get install ransomware
E: Unable to locate package ransomware

whoopi_cat

I am a member!

Offline
Joined: 10/26/2015

To give just one example, this is the one that hit my mom:

https://en.wikipedia.org/wiki/CryptoLocker

As you can see, GNU/Linux distributions are explicitly immune to its vector of infection.

My purely personal feeling is that GNU/Linux would have to have a significantly larger install base before malicious actors would bother.

If that happened, my (again) simply personal feeling is that Trisquel would be equally likely as other distributions to be vulnerable.

(The exception to this would be, say, if a binary blob in the non-free kernel was somehow targeted.)

onpon4
Offline
Joined: 05/30/2012

Since ransomware targets personal files, a typical GNU/Linux system would be just as vulnerable as Windows if someone bothered to target it (assuming they can convince you to run a trojan horse). You should keep in mind, though, that all kinds of things can destroy personal data, such as a simple hard drive failure. This is why regular backups are essential.

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

>a typical GNU/Linux system would be just as vulnerable as Windows if someone bothered to target it (assuming they can convince you to run a trojan horse).

Just to explain clearly the difference.. -> On a typical Windbloows installation all you would need to do is click on a link or open the mail attachment while on any GNU distro AFAIK you would need to FIRST give the file the permission to run as executable, and in order to do that you would need to use the appropriate terminal command (chmod) or do it graphically by right clicking on the file and then selecting the relative tab and again selecting the tiny box that says "allow to run as executable" and then you would need to confirm clicking on the "yes" dialog box.
On the other hand on that preciouss pile of poo known as Magribnowns you would simply need to click on the attachment of the mail the awesome dude sent you..
AFAIK most windows useds disable UAC or at the best ignore it merrily :)

onpon4
Offline
Joined: 05/30/2012

It's not difficult to distribute something with its permissions set to being executable already. This is a normal thing for software which is distributed for GNU/Linux. There's no need to get the user to enter terminal commands; you just need to convince them to extract a tar.gz and double-click on an executable file contained within.

Ransomware doesn't need root access to work, just access to the files in your home directory, so Windows users don't become any more vulnerable to this particular type of attack by disabling UAC.

Regarding attachments, those usually are designed to exploit Microsoft Word's support for macros, but sometimes they're JavaScript files. JavaScript is also perfectly capable of being exploited for malicious behavior, and it gets run just by visiting a Web page.

Sasaki
Offline
Joined: 08/11/2014

And keep in mind that the id of an external hard drive (sdb>sdc) can change after reboot !

This can prevent you from doing operations on a non-desired drive.

CodyH
Offline
Joined: 12/08/2015

I agree completely with root_vegetable. It isn't a matter that malware doesn't exist for GNU/Linux based systems at all and they actually ARE prime targets. Most of the internet's backend infrastructure is some sort of GNU/Linux combination. The real strength from a security perspective for GNU/Linux is that the user doesn't have root access by default. If a malicious program wants to make system changes, it must prompt you for the password. As a user, if you didn't do anything that you believe would require your password, it could likely be some sort of malware.

Also as root_vegetable mentioned, if a PPA or something in a repository were compromised it could also be pushed down to the targets. The recent Linux Mint hack is a perfect example. For those who aren't aware, Linux Mint was hacked recently and the attackers were able to change the ISO images to include a trojan. Anyone downloading the Linux Mint ISO between that time frame had a trojan by default.

As Onpon4 mentioned, ransomware is typically designed because the attacker wants you to pay them to release your files. Trisquel would be vulnerable to a ransomware attack, but if you aren't downloading random things or using any PPA you aren't likely to be infected. If Trisquel itself was compromised as Linux Mint was, it wouldn't make sense to perform a ransomware attack because you likely don't care about whatever is on the clean install anyway (and by extension the rest of the community would likely become aware extremely quickly if new ISO images did have ransomware).

*As a side note, ClamAV for example will look for Windows viruses on GNU/Linux machines because a file you have might be infected but won't be able to infect the distro. When you send that file out to someone with a Windows box though... bam, new infected bot.

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

The real strength from a security perspective for GNU/Linux is that the user doesn't have root access by default. If a malicious program wants to make system changes, it must prompt you for the password.

This is entirely true... but ransomware encrypts the user files, not system files. It needs not prompt for any password (in the same way that you need not input any password to access your files once you are logged).

CodyH
Offline
Joined: 12/08/2015

Completely true. One of the real reasons you would want root access as a ransomware author is to manipulate the log files (which I hadn't mentioned prior to this) and for a couple other reasons. As a malware author, you need to attempt to remove as many traces back as possible. Without root access, when the malware is analyzed later it will be clearly evident to the forensic analyst exactly what happened (path of infection, etc).

But again, yes you are 100% correct root access isn't necessary.

loldier
Offline
Joined: 02/17/2016

Ransomware is cross-platform. They infect you through poisoned sites and exploit vulnerabilities in Wordpress or browser plugins, Flash and JavaScript. Disable Flash and use NoScript. Don't click on dubious attachments in your mail. Keep your files safe in a backup on an external drive that is not connected to your everyday workhorse. Keep your system up-to-date.

https://en.wikipedia.org/wiki/Linux.Encoder.1

http://arstechnica.com/security/2016/04/adobe-flash-update-ransomware-windows-10/

http://arstechnica.com/security/2015/11/new-encryption-ransomware-targets-linux-systems/