Saturday, April 13, 2024

Live Forensic Techniques To Detect Ransomware Infection On Linux Machines

Ransomware, initially a Windows threat, now targets Linux systems, endangering IoT ecosystems.

Linux ransomware employs diverse encryption methods, evading traditional forensics. 

Still developing, it shows potential for Windows-level impact. Early awareness allows for assessing IoT security implications.

The following cybersecurity analysts from Edinburgh Napier University recently unveiled live forensic techniques to detect ransomware infection on Linux machines:-

  • Salko Korac
  • Leandros Maglaras
  • Naghmeh Moradpoor
  • Bill Buchanan
  • Berk Canberk

Live Forensic Techniques Ransomware

However, the increased use of IoT technologies has brought about interconnected devices without man’s intervention making them susceptible to ransomware attacks, especially in Linux-based IoT systems.

Run Free ThreatScan on Your Mailbox

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

Although there have been efforts against paying ransomware and shifting cyber-criminal activities due to political issues, ransomware is still a significant concern with new ways of evading countermeasures. 

Due to this reason proactive security measures are necessarily vital in protecting the IoT environments from this growing threat.

Response chain (Source – Arxiv)

There 24 major execution experiments were performed with retest across 12 combinations, involving three samples of ransomware on two Linux OS with two permission levels.

In balancing realism and effort, virtual machines simulated cloud environments to external memory dumps and network captures without the ransomware being detected.

Originally designed to be very realistic, the initial design led to lengthy forensic investigations that called for retesting environments to validate unforeseen results as well as removing disturbing elements.

Playbook for experiment execution (Source – Arxiv)

Replacing the Windows ransomware’s lateral movement and encryption of file shares and web server files that also provide user logins, Linux ransomware was not able to achieve very damaging results.

User files were encrypted by Cl0p and Icefire, thereby disabling GUI logins, while Blackbasta malware was aimed at /vmfs/volumes.

Most importantly, none of them used administrative permission adequately, hence MySQL/Sybase, SSH, FTP, or any Samba sharing were all left unharmed although they had been running as root.

Contrary to this approach, in companies where external storage is preferred to be on home or root directories, it might have resulted in less observable impact.

Ransomware activities exhibited by Linux are determined by those observed in Windows.

The research provides insights into the implications of Linux ransomware for the IoT industry.

Instead of encrypting data, criminals may block operations temporarily until payment is made through cyber-attacks on IoT gadgets. 

Linux ransomware requires a lot of work and doesn’t scale well as it has to be specifically developed for each individual target, unlike modular Windows variants. 

IoT solutions with strong security and low market visibility have less threat. The most scalable among these can attack either endpoints, gateways, or cloud infrastructure. 

Further discoveries indicate that encryption techniques like RC4, ChaCha20 as well as AES are used by attackers which makes live forensics challenging compared to Windows platforms. 


Presently, Linux ransomware causes limited harm, but it is expected to change in the future.

Risk management measures are suggested to secure Linux systems to enable risk evaluation and mitigation in the IoT industry.

Here below we have mentioned the recommendations:-

  • Avoid HOME directories
  • Separate and restrict permissions and data access
  • Avoid using privileged users
  • Focus on identifying backdoors
  • Shut down first

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.


Latest articles

Alert! Palo Alto RCE Zero-day Vulnerability Actively Exploited in the Wild

In a recent security bulletin, Palo Alto Networks disclosed a critical vulnerability in its...

6-year-old Lighttpd Flaw Impacts Intel And Lenovo Servers

The software supply chain is filled with various challenges, such as untracked security vulnerabilities...

Hackers Employ Deepfake Technology To Impersonate as LastPass CEO

A LastPass employee recently became the target of an attempted fraud involving sophisticated audio...

Sisence Data Breach, CISA Urges To Reset Login Credentials

In response to a recent data breach at Sisense, a provider of data analytics...

DuckDuckGo Launches Privacy Pro: 3-in-1 service With VPN

DuckDuckGo has launched Privacy Pro, a new subscription service that promises to enhance user...

Cyber Attack Surge by 28%:Education Sector at High Risk

In Q1 2024, Check Point Research (CPR) witnessed a notable increase in the average...

Midnight Blizzard’s Microsoft Corporate Email Hack Threatens Federal Agencies: CISA Warns

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive concerning a...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Top 3 SME Attack Vectors

Securing the Top 3 SME Attack Vectors

Cybercriminals are laying siege to small-to-medium enterprises (SMEs) across sectors. 73% of SMEs know they were breached in 2023. The real rate could be closer to 100%.

  • Stolen credentials
  • Phishing
  • Exploitation of vulnerabilities

Related Articles