Linux users and administrators are advised to be vigilant as news broke of a dangerous ransomware targeting them. It’s called the Lucky ransomware and it is deployed in a global attack campaign featuring typical file-encrypting behavior as the numerous variants known for Windows. The threat can automatically infect other hosts and thus take down whole networks in a short time.
Lucky Ransomware Acts like “Satan” For Windows
The Lucky ransomware is the newest threat targeting Linux servers, details about its outbreak was posted in an announcement by a team of researchers. The experts note that it follows closely the behavior of Windows-based threats of this type. The ongoing attack campaign shows that this successful practice has been carried over to Linux systems.
Analysis of the source code and mode of propagation shows that it is cross-platform, meaning that future updates to it might actually be used on Windows machines as well if compiled for Microsoft’s operating system. According to the analysis it is very similar to the Satan ransomware used to infect Windows machines.
To infect the target machines the Lucky ransomware uses a series of vulnerabilities:
- CVE-2013-4810 — This is a series of exploits that are identified in HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, Identity Driven Manager (IDM) 4.0, and Application Lifecycle Management allowing attackers to execute arbitrary code.
- CVE-2010-0738 — This is a discovered issue in the JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 which performs access control only for GET and POST methods. This effectively allows malicious users to carry out attacks remotely.
- CVE-2017-12615 — When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
- A Tomcat web admin console login passwords brute-force attack allowing access to the service.
- CVE-2017-10271 — This is a vulnerability in the Oracle WebLogic server component: Supported versions that are affected are 10.3.6.0.0, 220.127.116.11.0, 18.104.22.168.0 and 22.214.171.124.0. Intrusions can result in the takeover of the server.
- MS17-010 — This is a patch that was released for newer versions of Windows mitigating WannaCry ransomware infections. We wrote adetailed article about it.
- Apache Struts 2 Web Application Framework Exploits — This is the large andwell-known security incident that encompassed various web servers worldwide. A patch was released in March 2017 however this did not stop the attacks.
As soon as the hosts have been compromised the infection script will deploy the ransomware automatically.
Lucky Ransomware Operation: The Infection Process
As soon as the ransomware module is started it will start to encrypt user data files. The first action it does is to read the /tmp/Ssession file. It contains information about temporary activity used by various server components (usually web services). A standard practice is to set an expiration date for them. When they are read by the infection engine it will show the virus the accessed data in the set period.
The listed system files will be processed by the encryption engine and renamed with the .lucky extension. The source code analysis shows that an exceptions list is also available which ignores important system locations. If they are affected then the system may stop working altogether. The target data was identified to include the following file extensions:
bak, zip, sql, mdf, ldf, myd, myi, dmp, xls, doc,
txt, ppt, csv, rtf, pdf, db, vdi, vmdk, vmx, tar,
gz, pem, pfx, cer and psf
A ransomware note is generated in a file called _How_To_Decrypt_My_File_.txt which reads the following message:
I am sorry to tell you.
Some files has crypted
if you want your files back , send 1 bitcoin to my wallet
my wallet address: 3HCBsZ6QQTnSsthbmVtYE4XSZtism4j7qd
If you have any questions, please contact us.
An interesting characteristic is that this ransomware note is also placed in the MOTD (message of the day) which is shown to all users logging in to the Linux machine. When the encryption has completed the module will search for other hosts located on the local network and attempt to infect them.
If the Lucky ransomware is successful in its infection tactics we anticipate that a Windows-based version of it might be developed. As its behavior is based on Satan we expect that it might follow the same RaaS (ransomware-as-a-service) model.