9

Edit: This is different from the suggested duplicate. The suggested duplicate is about viruses and antivirus in general. This question is specifically about encryption ransomware, how it can run, and whether it will affect encrypted folders.

These days, malicious software seems to be infecting Windows computers, encrypting their data against their will, and asking for a Bitcoin ransom in exchange for the encryption key.

I suppose it may be unlikely that anyone would code ransomware for Linux, but let's say someone did:

In order for such software to run "successfully" on an Ubuntu machine, would the user first have to run it and give the sudo password? Is such a threat conceivable on Ubuntu without the user doing this?

If the user's files were already encrypted, would that protect against this? Could a ransomware program, if unwittingly installed by a user (who also confirmed with the sudo password), take even your pre-encrypted data hostage?

In general, how (in)vulnerable is Ubuntu to encryption ransomware, and how careless/unsavvy do the actions of a user have to be in order to actually have his or her data taken hostage?

Fiksdal

2 Answers

10

In order for such software to run "successfully" on an Ubuntu machine, would the user first have to run it and give the sudo password?

No, I would assume the data is your personal data and "sudo" is needed for system files.

If the user's files were already encrypted, would that protect against this?

No. Data is data. Encryption plays no part: the ransomware will lock the data itself.

Could a ransomware program, if unwittingly installed by a user (who also confirmed with the sudo password), take even your pre-encrypted data hostage?

Yes. They would not be able to VIEW the data but that was not their intention. Nor is encryption in any way important: they lock your "container".

In general, how (in)vulnerable is Ubuntu to encryption ransomware, and how careless/unsavvy do the actions of a user have to be in order to actually have his or her data taken hostage?

Someone first has to create a situation where you and many others are willing to download and install their software. That is a hurdle even virus software writers have not been able to take.

The whole idea of ransomware is to target as many users as possible in the shortest time frame possible.

As soon as 1 Linux user gets targeted and they actually get his/her data tainted, all hell would break loose and within minutes all of us will get informed in some sort of way. Look at what happened when the OpenSSL bug appeared. In a matter of minutes all the IT websites had a story to tell. Same with the kernel bug that appeared 2 days ago. Everyone jumped on it. If it happens I do not see this happening to more than a few users. By then all of us will have been informed or, if possible, there will be a fix for the method they used (like a hole in the kernel or in a browser that they exploited).

Most of us use Ubuntu Software Center. How likely is it that this malware ends up in Ubuntu Software Center? Next we use PPAs. The information for those PPAs we get from sites like omg.ubuntu.co.uk or webupd8 or from trusted Ubuntu channels.

That is also the difference between Linux/Ubuntu and Windows: Windows users are told to download and install software from any website they can find it. We mostly do not do that. So the amount of crap you can download for Windows is several times higher than for any other operating system. Makes Windows an easier target.

Rinzwind
  • 299,756
  • Very detailed answer, much appreciated. – Fiksdal Jan 22 '16 at 11:27
  • > Someone first has to create a situation where you and many others are willing to download and install their software. => that's the most common vector, yes, but an RCE is another possibility. That could be through your browser or any other network service (even a bug in the wifi module?). Ransomware would just save them the trouble of finding a privilege escalation vuln. – Bob Jan 22 '16 at 16:29
  • I am always amazed when I see a Windows user install software by typing the name in Google and clicking on the first link without wondering about the validity of the source (that would not be all Windows users, obviously, but at least several that I know). – njzk2 Jan 22 '16 at 19:10
  • @Bob yes true. See the kernel bug 3 days ago. But that requires thorough coding skills so that leaves the code executioners out. I would believe social engineering would be a bigger issue than RCEs. – Rinzwind Jan 22 '16 at 19:21
  • "As soon as 1 Linux user gets targeted and they actually get his/her data tainted all hell would break loose and within minutes all of us will get informed in some sort of way." Well, maybe. If it's a Google employee's computer, things will probably go crazy that quickly. But if it's just the average Joe's laptop, it might take longer than that for word to get around, if it happens at all. – ArrayBolt3 Aug 23 '22 at 00:20
  • @ArrayBolt3 oh but we have real life examples: Mint that messed up their WordPress access, exposing their ISO hashes. Someone from the NSA maintaining OpenSSL and adding backdoors. The average Joe is unlikely to get into our systems. We do not have that many entry points (we do not run servers, for instance). – Rinzwind Aug 23 '22 at 06:51
  • @Rinzwind I meant if the average Joe got ransomware attacked. Obviously a script kiddie is going to have a seriously hard time finding a 0day and leveraging it properly. – ArrayBolt3 Aug 23 '22 at 13:48
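The answer above rests on one observation: the files ransomware goes after are the user's own, so no privilege is needed to rewrite them, and the only visible trace is that ordinary documents suddenly look like random bytes. The following is an added example (not code from this thread or from Ubuntu) of a simple detection heuristic a defender can run over a home directory: it measures the Shannon entropy of each file whose extension says "plain text" and flags the ones that look like ciphertext. The suffix list, the threshold and the sample files are constructed for the demonstration.

```python
import math
import os
import tempfile
from collections import Counter

# Extensions whose contents normally have low entropy (constructed list for
# this example; a real deployment would baseline its own file types).
LOW_ENTROPY_SUFFIXES = {".txt", ".csv", ".md", ".html", ".json"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`: 0.0 for a constant file, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_files(root: str, threshold: float = 7.5, sample: int = 65536) -> list:
    """Return paths under `root` whose extension suggests plain text but whose
    first `sample` bytes have entropy above `threshold` (i.e. look encrypted)."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in LOW_ENTROPY_SUFFIXES:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if shannon_entropy(head) > threshold:
                hits.append(path)
    return sorted(hits)


def demo() -> dict:
    """Build a constructed home directory with one ordinary text file and one
    text file whose contents were replaced by random bytes, then scan it."""
    with tempfile.TemporaryDirectory() as home:
        with open(os.path.join(home, "notes.txt"), "wb") as fh:
            fh.write(b"meeting at 10, bring the quarterly report\n" * 50)
        with open(os.path.join(home, "report.txt"), "wb") as fh:
            fh.write(os.urandom(4096))  # stands in for a file rewritten as ciphertext
        flagged = suspicious_files(home)
        return {"flagged": [os.path.basename(p) for p in flagged], "scanned": 2}


if __name__ == "__main__":
    print(demo())
```

Note the caveat that matters for the original question: files the user encrypted deliberately (a GPG-encrypted document, a compressed archive) already sit near 8 bits per byte, so the heuristic only works on file types that are expected to be readable, or as a change detector against a baseline of entropy values recorded while the files were known good.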
9

In order for such software to run "successfully" on an Ubuntu machine, would the user first have to run it and give the sudo password?

Run it, yes, of course. Give the sudo password, no. The sudo password is needed in order to modify system files or settings. However, ransomware encrypts the user's personal files, which are fully accessible by the user without a password. The sudo password would be needed to encrypt files of other users, however.

If the user's files were already encrypted, would that protect against this?

No. The ransomware would encrypt the encrypted files, so that when you try to decrypt them with your original key, decryption would not work. Pictorially, you lock your files inside a box (of which you have the key), and the ransomware locks your box inside a larger box, of which you do not have the key.

fkraiem
  • So all it takes is for an unwitting user to install such malicious software, and then the damage is done? – Fiksdal Jan 22 '16 at 11:07
  • Yes, because a user always has full control over his or her own files. Without the sudo password, however, damage will be strictly limited to that user's account. – fkraiem Jan 22 '16 at 11:11
  • Couldn't I just remove the encrypted files and restore them from backup? – Jos Jan 22 '16 at 11:54
  • You can always restore the files from a backup, obviously... – fkraiem Jan 22 '16 at 11:56
  • In that case, I'm not vulnerable. I thought these extortion schemes worked by encrypting an entire file system, in which case a full restore might be impossible. – Jos Jan 22 '16 at 12:00
  • They certainly don't encrypt the entire filesystem; in that case the system would no longer boot and the user would have no way to pay up. They encrypt individual files which are presumed to be important to the user (documents, pictures, etc.). If the user has a backup, then he can restore the files from it, but many people don't. – fkraiem Jan 22 '16 at 12:04
  • @fkraiem If your sudo settings are set to not re-ask the password for a certain period, is there a potential for rogue software to get system access if the user has recently used sudo themselves? – TripeHound Jan 22 '16 at 12:34
  • @TripeHound It depends. In many cases the sudo authorization is per pty/tty/terminal. Additionally, it would always be a good measure to wipe and reinstall before restoring backups to ensure there aren't ransomware executables hiding in random per-user locations. – nanofarad Jan 22 '16 at 13:26
  • @Jos Assuming, of course, that the backup is not accessible to the ransomware. This means a backup that is in some manner physically disconnected from the host: an unpowered external drive, for example. You would have to expect such ransomware to scan all attached block devices for anything resembling a data storage container (traditional file system, LUKS container, LVM volume, ... you get the idea). – user Jan 22 '16 at 19:36
  • @MichaelKjörling Thanks. I feel quite safe storing my backups over SSH. :-) – Jos Jan 22 '16 at 23:32
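The "box inside a box" picture in this answer, and the backup discussion in its comments, can be made concrete in a few lines. The following is an added example, not code from this thread: a toy counter-mode stream cipher built from HMAC-SHA256 (constructed here purely for illustration; real code should use a vetted AEAD such as AES-GCM) encrypts a document under the user's key, a second layer is then applied under a key the user never receives, and the results show that the user's own key no longer yields the document, while an untouched offline copy taken earlier still does. All keys, nonces and the sample document are generated inline.

```python
import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: keystream block i = HMAC-SHA256(key, nonce || i).
    XOR is symmetric, so the same call both encrypts and decrypts.
    Constructed for this example only; not a production cipher."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def simulate(document: bytes) -> dict:
    """Model the scenario from the answer with two independent encryption layers."""
    # Layer 1: the user's own encryption (the inner box, user holds the key).
    user_key, user_nonce = os.urandom(32), os.urandom(16)
    stored = keystream_xor(user_key, user_nonce, document)

    # An offline backup of the stored (already encrypted) file, taken before
    # anything else touches it, together with a digest to verify it later.
    backup_copy = bytes(stored)
    backup_digest = sha256_hex(backup_copy)

    # Layer 2: the outer box. Its key is generated and then discarded here to
    # model a key the user never obtains.
    outer_key, outer_nonce = os.urandom(32), os.urandom(16)
    hostage = keystream_xor(outer_key, outer_nonce, stored)
    del outer_key

    # Attempt 1: apply the user's own key to the doubly encrypted file.
    own_key_attempt = keystream_xor(user_key, user_nonce, hostage)

    # Attempt 2: verify the backup is intact, then decrypt it with the user's key.
    backup_intact = sha256_hex(backup_copy) == backup_digest
    recovered = keystream_xor(user_key, user_nonce, backup_copy) if backup_intact else b""

    return {
        "own_key_recovers_hostage": own_key_attempt == document,
        "backup_intact": backup_intact,
        "backup_recovers_document": recovered == document,
    }


if __name__ == "__main__":
    print(simulate(b"quarterly report: revenue up 4%, headcount flat\n"))
```

The point the simulation makes is the one in the comments: pre-existing encryption neither helps nor hurts, and recovery depends entirely on a copy the outer layer could not reach. The digest check is the minimal "is this backup still what I wrote?" test; it only means something if the backup medium was disconnected or otherwise not writable from the infected account.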