In the context of a pandemic and the advancement of digital transformation, most companies have adopted work at home. With that change, essential and confidential data have become even more exposed. As the number of network access points increases, it becomes more vulnerable to attacks and attackers are taking advantage of this situation.

Several security reports and warnings point out an increase in the number of cybercrimes after the beginning of the COVID-19 pandemic and the adoption of remote work.

Note: Suggested read - Ransomware Examples

According to the FBI, cyber-attacks caused losses of almost $ 4.2 billion in 2020. This number represents a 20% increase compared to the previous year. In recent reports, Verizon and Europol also claim that digital attacks are booming.

One of the most recurring threats in these reports and warnings is the subject of this article: ransomware. As one of the most dangerous digital threatsransomware is malware that encrypts files and systems. All access is blocked until the user pays a ransom.  It is a sophisticated threat that has evolved a lot over the years, adapting to different situations, platforms, and operating systems.

This article lists the most famous Linux ransomware attacks and explains how to protect your Linux-based operating system from ransomware.

Linux operating system

Why is Linux a Target of Ransomware?

Linux is on the list of the most used operating systems, both by individual desktop users and by organizations running servers. More importantly, Linux powers the Internet with 74.2% of all web servers running on it. This is the main argument that explains criminals’ interest in using ransomware against Linux users. 

Exploiting loopholes in one of the most significant operating systems in the world has the potential to generate a large number of victims. It is also an entry point to valuable business data

When we talk about gaps and flaws in operating systems, most of the time the problem isn’t the system itself but the way it’s used and managed. A Verizon report states that the main vectors of ransomware are brute force attacks, stolen credentials, and malicious emails, such as phishing. Additional vectors are also problems of misconfiguration, patch management, and untrained SysAdmins.

Ransomware Attacks on Linux Systems

The three most famous Linux ransomware attacks.

1. RansomEXX

RansomEXX (or Defrat777) is one of the most common recent ransomware attacks against Linux. This ransomware attacked several high-end targets in 2020 and 2021, including:

  • The Brazilian government network.
  • The Texas Department of Transportation (TxDOT).
  • Konica Minolta.
  • IPG Photonics.
  • Tyler Technologies.

RansomEXX is a C-based 64-bit ELF binary compiled with the GNU Compiler Collection (GCC). The ransomware is human-operated, so threat actors need time to compromise a network, steal credentials, and spread across devices.

When activated, the ransomware generates a 256-bit key that encrypts files within the reach of an AES block cipher. A public RSA-4096 encrypts the AES key, but the attack also includes a thread that re-encrypts the AES key every second.

Unlike most Trojans, RansomEXX does not have:

  • C&C communication (C2).
  • Termination of running processes.
  • Anti-analysis tricks and traps.

RansomEXX is a highly targeted attack. Each sample of the malware contains a hardcoded name of the victim’s organization. Both the encrypted file extension and the email address for contacting attackers use the victim’s name.

2. Tycoon

In recent years, one of the most common Linux ransomware in the world is Tycoon. The first cases of this ransomware occurred in late 2019 when hackers went after:

  • Higher education organizations.
  • Companies in the software industry.
  • Small and midsize businesses.

The Tycoon payload is a booby-trapped ZIP archive with a malicious Java Runtime Environment (JRE) component. Hackers compile the ransomware in a Java image file to conceal the danger.

Typically, Tycoon hackers breach a system via an unsecured remote desktop protocol (RDP) port. Once inside, intruders compile code into a Java image and create a custom JRE build. The attackers then execute the Java object with a shell script, encrypting the system and leaving a config file with a ransom note.

Tycoon scrambles each file with a different AES key before further encoding data with an RSA-1024 layer. Typically, the victim has a 60-hour window to pay Bitcoins in exchange for the decryption key. Both Linux and Windows OSs are vulnerable to Tycoon attacks.

3. Erebus

Erebus became notorious after infecting a web hosting company in South Korea in 2017. The breach affected 153 Linux servers and over 3.400 client websites. The company agreed to pay an equivalent of $1 million in Bitcoins to restore its digital infrastructure, which was the highest ransomware payout at the time.

Initially, Erebus was Windows-based and exploited a flaw in the User Account Control feature. Hackers later repurposed the program and created ransomware that targets Linux servers. Once inside a server’s network, Erebus scans for more than 400 file types for encryption, including:

  • Databases.
  • Archives.
  • Documents.
  • Multimedia items.

Erebus relies on a fusion of RSA-2048, AES, and RC4 cryptosystems for encryption. The ransomware note is multilingual, which shows an obvious intent to go after a vast range of targets.

4. QNAPCrypt

QNAPCrypt first appeared in July 2019. This ransomware focuses on infecting network-attached storage (NAS) Linux devices. QNAPCrypt typically spreads via:

  • SPAM email campaigns with infectious files (typically Office docs, archives (ZIP, RAR), executables, PDFs, and JavaScript files).
  • Unofficial software activation tools.
  • Fake software updates.

A QNAPCrypt relies on flawed authentication practices in connections through a SOCKS5 proxy. Once hackers gain access to a system and execute the payload, the ransomware reaches out to the hacker’s C2 server for an RSA public key and starts file encryption.

The ransom note is a text file with a personalized message that demands a payment in Bitcoin. Each attack involves a different Bitcoin wallet.

5. KillDisk

Like Erebus, KillDisk started as a Windows-only danger before extending to Linux environments in January 2017.

The Linux variant of KillDisk overwrites the GRUB bootloader to prevent the target system from booting. Once the program launches, a full-screen ransom note takes over the machine and demands a payment in Bitcoin.

The ransomware does not save the cryptographic keys locally nor submit them via a C2 server, implying that KillDisk was originally a cyber weapon and not an extortion tool. Due to the program’s nature, some security experts believe paying the ransom is futile as data recovery is likely impossible.

The No More Ransom Project

If your Linux system has been exposed to ransomware, do you know what to do? 

First of all, the recommendation is not to pay the ransom, as the FBI and other agencies and companies recommend. The best way to begin is to seek expert help on the subject.

Have you heard about the No More Ransom Project (NMR)? 

NMR is a project that brings together the world’s leading security agencies, organizations, and companies to fight ransomware attacks. The project was launched in 2016.

NMR works by providing decryption tools for victims of attacks. It’s estimated that the project has helped more than 200,000 ransomware victims to recover their data, and the best part: for free. 

To learn more, visit

Tips to Prevent Linux Ransomware Attacks

When it comes to ransomware, it’s much more cost-efficient to invest in prevention than remediation. Adopt server security best practices to prevent ransomware attacks and financial losses from happening. Take a look at them:

Check out our Guide to Preventing and Detecting Ransomware. We hope that now, by knowing the power of Linux ransomware and getting our cybersecurity tips, you can keep your data safer, making it harder for hackers to succeed.

This article was provided by Germano Ferreira and Lilo Barros.