This, kids, is why distros audit their packages and tell you that you may be hacked if you use something external

Never assume any system is perfectly secure, the sys admin also has a great responsibility to ensure that a system is secure because no matter how secure your OS is, bad practices (like mindlessly giving programs high privileges, downloading from untrusted sources, leaving unused services open, running outdated software, etc.. ) will lead to trouble.

as I've said before, part of my job was to delete viruses from CentOS servers, and we also got a ransomware 10 yrs later in another company, and it targeted a linux fileserver and windows sap server. all those who say linux doesn't get infected are pseudo techie guys who have not dealt with linux servers in their lives.

The reason why linux is called the unhackable os is because 90% of the time your only pkgs are coming from your distro maintainers' server And the other 10% are from building an open source projects.

as long date user of linux ,you don't need a virus or ransom to break the system, you can easly break the system (if you use wrong command , or inappropriate one ,there also dependecies knowns problems that can sometimes do serious dmg if you try to solve them with wrong commands)

I can't imagine that this would be likely to affect users installing from official repos

Can you do linux hardening tutorials? (It seems youtube deleted my comment, sorry for posting twice)

This is why we say that you should always avoid downloading an executable and running it, whenever possible in Linux

How do you not have so much more subs, I’ve been watching you for a very long time, and I think that you deserve more.

Everyone else talking about cyber security but nobody talks about why he records his videos at 12.00 AM which is almost certainly past his bedtime

Well of course Linux can run malicious software, it is after all General Purpose Operating System. But...when it comes to that example: First you needed to download that, outside from package repository, not very many Linux users do so...then you needed to set that file executable...and then you needed to run it...and of course from user account having valuable stuff writable for said malware...

The important thing here is you didn’t run that command as sudo or superuser, meaning the damage it can do is very limited.

keep in mind that this wouldn't be able to encrypt and alter any files outside the home directory of the user that ran the malware, if a user got infected with such malware it won't affect other users, in the case of a server you usually have your database and important files stored outside the home directory, and everyone is advised against using the root user directly or even allowing root login in ssh. so in most cases on you will be fine on a server

At the end of the day, security is a concept that comes down to having sense and sensibility in whatever you do in your everyday life. For computers it's about whether or not you trust whatever you downloaded and take it with a pinch of salt. If you steer away from downloading from untrusted sources then you should keep yourself in pretty good shape

Good thing we have CoW file systems like BTRFS and ZFS. We can rollback file system changes in between snapshots. Basically it can't encrypt all the datasets unless you have root access.

I've question,this ransomware only infected home current user isn't it? It can't infected the whole linux system or home other user? Because linux is modular, in Linux we have file permission(supported by file system') and user level access, and we still input password whenever run command who need access super user level access like sudo. That's point above is not explain in your video? So we have secure Linux system with only remove or disable user who run the Ransomware or infected by it and the system is normal or safe again.

running an ELF file with executable permissions on Linux is not surprising. What would be more interesting for us Linux users is how do you get this file, how does it make itself executable, and how does it run itself in a real environment, as I won't just get a random binary file from the internet and run it.

Honestly, if you would do this, you are just as likely to type rm -rf / I mean c'mon....

I love your channel!

no system is perfectly secure,but a tip for most users is that to not make any file executable on linux without getting it from a trustable source,and ideally get most,if not all programs from a trusted package manager (APT is really good,the AUR is not so good (the AUR is powerful,but definitely not the most secure)) and not off a browser like on windows.

question: how did it work without sudo?

Besides, clamav, iptables to limit outside connections, only using software from the approved repositories, restricting ssh server access with RSA keys.... What else can you do?

now run this elf in a packaged snap with no file system permissions

I would expect the Security Channel to explain the difference between privillege escalation and a script that operates with regular user privilleges. When malware by the same name encrypts an entire computer under Windows vs the user's home folder under Linux, then claiming "there's no difference" is misleading and false. And the message "Linux gets malware too" even if well-intentioned, ends up being the good old FUD tactic of closed-source companies (a term coined when Microsoft's official strategy towards Linux was to spread fear, uncertainty and doubt). There's a good reason Linux dominated the server market and continues to do so.

who the hell would download a random executable from a random place and purposefully execute it in terminal i understand that it can be included as a payload to some program but still you can get every possible program from your package manager, and or from source/official website

For everyone saying, "don't run random executables" what do you say about RCE vulnerabilities for these types of things? Happens all the time.

Who made that file executable as most times a single file will not have executable rights. (Which user owns the file?) Unlike Windows, I do use Windows as well. :)

why i afraid ransomware when i break it every time i trying to fix not working stuff

What's the attack vector for this ransomware because one doesn't just download files and run them on a server, not even Windows, but much less likely on your production Linux server. Any system is vulnerable, castles, servers, it just depends if there are stringent security protocols. ELF stands for executable and linkable format, it replaced the older a.out format but there's not reason to use and extension, you only have to make it executable. Run readelf to find out about the file.

I have seen some companies "security" and it makes me shiver. running web servers as root, downloading random pieces of code form the internet and etc... If you run random binaries form the internet then this happens, the major difference Linux does not auto execute unlike Windows, also most Windows users doesn't separate the admin user from a there main account.

I think ransomware just attack closed-source operating-system (windows, mac, etc), how open-source operating system could be attacked too?

As many said, a lot of our packages come from using distro pkg managers. But also, most of us who use Linux are not average users. If anything harmful is unpacked and installed it is most likely because of oversight, not ignorance.

I don't get why there aren't any mainstream AV tools on Linux... Especially considering more average users are switching to linux these days...

The person or people who wrote this ransomware put in the readme file, "Whats Happen?" instead of "What's happened?" or "What's happening?" Do the language patterns indicate to anyone what country of origin they may have?

Couldn't I just undelete my files to get them back? Assuming I had plenty free space on my drive. Anyway I've never installed software from an untrusted source so I can't say I'm at all worried.

Iv been infected by a koom ransomware I resetted my PC since there wasn't much on it but now some system things stop working like search bar and start menu I can't fix anything by the normal methods shown on yt or any information site

But I don't think it can affect files with different ownership(unless you run it as superuser)

Does running the script as regular user effects directories other than your home directory?

How to protect my ubuntu system???

Now Anti-Malware developers have to panic Windows users who see the possibility of moving to Linux, A well configured and hardened Linux is impossible to hack, Only AppArmor is needed | SELinux a well configured Firewall and a lot of common sense, Besides Linux users are not idiots. Greeting from Argentina

Linux definitely has malware, and it is increasing but the thing is on Linux you use mostly OSS so there's almost no chance of malware, and if the malware slips into the code then there are alot of people looking at the source code continuously soo its very damm hard for malware to slip in but definitely possible

Linux is as vulnerable as Windows if some user decide to run something unchecked from the Internet. But on Windows you get third-party anti malware products.

Wait cant you just go to your encrypted files and enter its properties and set it back to its normal file name. It wouldn't hurt to try but if that worked. Ransomware would be gone already

It’s not About Linux or Windows to make everything secure The Thing that you maintain your Cybersecurity is Your Common Sense

There are too little concrete information and details in this video. How this file works, what or who made it executable etc.

Ubuntu 2004 LTS isn't technically the newest it's the long-term support release I believe there's a 2104 interim release. And 2110 is coming October 14, 2021...

One does not simply execute binaries downloaded from a website or received as an email attachment on Linux.

The only doubt that I have is, if for some reason that malware file ends up in my computer, if I go to properties of the file and select to don't "run as a program" this can be avoided?

My nextcloud server on unbuntu server just got hit 😭. Fully patched system too

Is there such a thing as malware that effects firmware? For me, I store lots of my data, either in the cloud or through removable media - so - I can, effectively, always just reboot and do a clean install (no matter what).

Do you guys know of any linux AV with real-time protection for consumers?

It's strange, because after running that malicious program your operating system did not crash. If the program encrypt all your system file the operating system/Ubuntu should crash, or did the malicious program only encrypt your home folder and other external hard drive, which means that your system file (where your os installed) still secure and not encrypted..?

So they don't only happen in Windows XP

Well, some time ago I ran a public Minecraft server on Ubuntu 20.04 and after some time just found the entire server folder and desktop folder was deleted from the system with the console logs full of errors. I'm not 100% sure but it quite possibly was a remote code execution exploit in MC's server software or even the java runtime itself. Thankfully nothing of any value was on that machine, so I just wiped the SSD and reinstalled (no ubuntu anymore this time though). Now all my MC servers run isolated in their own, dedicated VMs in VirtualBox. I had to learn that that's necessary the hard way, I really didn't want to believe java was that horrible when it comes to security holes until then :/

What I need to know is that Microsoft is building more code for Linux Kernel lately than the open community! This is worrying...

A worldwide bounty on these people and fat rewards for turning them in, would soon put a stop to this.

apple's supplier deserved it because they supply a anti right to repair corporation

about the people saying they stay secure only using packages from oficial distro... it is exactly the scenario where windows fails. A third user using a linux computer gets a mail with malware. This isn't rocket science. Just like with a properly run windows machine.

Unlike pcs, Servers are redundant unless all servers infected at once, what the server maintainers need to do is erase the infected one and use the backup, yeah it may slow down some server but it will be right back in minutes or maybe an hour or two, but if u are using linux as pc be careful though

I suspect that this ransomware can enter Linux servers if the people maintaining them use default passwords and such and misconfigured their firewalls, as I've seen (in authentication logs) lots of failed attempts to log in as various default username and password combinations.

I think the main reason why is simply because most AVs don't support Linux at all, and if no one shares those files with them, there's no way they can add it to their database.

Its extremely difficult not to say nearly impossible this to be deployed on an enterprise server from experienced admins.

always backup on different servers, take at least two sources to backup (all cloud drives together count as one and the files you use to actually work count as zero).

I wonder if Clamav from Cisco can detect that. Also, anyone got a sample of that strain?

The equivalent of double click in Windows is to use the terminal... I mean that will exclude 80% of windows users, if Windows required to use the terminal to do the same, to get infected.

Only 218 files affected? Sounds like it was contained within the leo user account. Even the most minimal Ubuntu 20.04 install with a desktop environment will have far more files. This isn't that interesting.

There are read, write, execute permissions. Maybe there could be an encrypt permission?

I maintain a windows partition and Linux partition on the same drive and periodically do a disk image backup using AOMEI standard edition. I do a weekly backup of the entire drive. I have on occasion restored the Linux partition with no problem. The windows partition is on the drive for gaming. The Linux Manjaro is for everything else.

lots of comments about Linux vs Windows ha ha but how do we get this ransom ware out of the system ?

why on earth a linux user would run a suspicious script without cat?

Have you seen a virus escape a VM? Are there any extra precautions you take? (besides shared files or folders)

My security solution has always been just being poor. No one's gonna hit you if you've got nothing for then to steal

Does it do anything linux specific? E.g go after filesystem snapshots, or try to mount filesystems?

OK, so it's possible to run a program that will encrypt all the files in your Linux system. What's the news?

linux can be affacted by RandsomeWare ?

This is why Ubuntu strongly recommends that we not go into the OS’ files and disable the requirement for entering a password every time we run something as sudo. And besides, with the Linux community's gradual growth we seem to have gotten on the radar of cyberattackers recently; as horrifying as it is given the short supply of antivirus programs that exist for Linux OSes due to how complacent we Linux users have become about cybersecurity, in a way I see the existence of explicitly Linux-targeting malware like this that can run natively on it as a good thing, it's like a rite of passage for us- just like it was for Mac users many years ago.

Thats only possible if the Linux user is signed in with administrator rights. If the Linux user was signed in as a Standard User rights, it would never even be able to execute.

the average linux user is aware enough to use the distro package managers for their software and use trusted sites for the few programs that aren't in the package manager. i have fedora and the majority of packages that i need are in the fedora repos or fedora-adjacent repos (rpm fusion, for example)

Just use btrfs to snapshot your system so you can backup your files and restore them if needed.

Sir do you have any malware analysis course or something like that?

where did u get the malware from? I need it for a test

Linux Support is my specialty and I have NEVER seen Linux Ransomware hit a system in the wild. This is not to say that it couldn't happen... just that it's very rare. Use packages from your repos if you can in production environments - you contact your support vendor Amazon, SUSE, Microsoft, Red Hat and have them package it for you if it doesn't exist if you pay for support. ....also PATCH! I can't stress this enough.

How do they get around permissions when encrypting the disk? I'm assuming it wasn't an infected file from the repo? Maybe they only encrypt the home directory.

Linux is just an operating system like any other. Its just most of software used on linux are open source. Just don't execute any file or script or software from third party sources, unless they are your trusted sources. You always have your package manager to install all open source applications that you will ever need.

So there is ransomware for Linux. But how do you actually get it shouldn't you be able to get most of your stuff from a secured repository?

Please, wallpaper link?

Great video! Recommendations on anti-malware for Linux?

thank you for this video, i came from your coverage of ltt getting hacked

How does malware run on Linux without root password? Surely just by running the command it should come back and ask for root password?

SELinux probably would have prevented this.

btw I use Arch

Are you going to test Kaspersky for the 2021/2022 year?

Can ClamAV detect this kind of malware in files?

Its much more difficult to get something like this to actually run and priv esc to cause system wide damage most of the time compared to Windows. A threat is a threat though for sure.

How do i protect my servers from ransomware

Can we have MacOS ransomware next?

Depending on the number of files, this is not that efficient. I think the best efficiency for ransomware is MTF table encryption of disk storage. If there are many files, the person can end the process before it is finished, not to mention that changing the file names makes it very clear what is happening and prompts quick action from the person to block encryption.

If someone sent me an email and asked me to smash my storage drive with a hammer... I probably wouldn't do it. Why got to this trouble? The only person that would fall for this is obviously an idiot,so why not just ask him to run: rm -rf / in the terminal ? Or better still ask him to transfer the contents of his bank account to yours.

Thanks for the video, how do we decrypt the folders?

I once wrote a program to XOR files. I could do it again for Linux, but that isn't much different from what you did here, except you didn't write the program. So what is the point of your video?