Iranian threat actors have built a Linux variant of Pay2Key that actively targets servers, virtualization hosts, and cloud workloads inside organizations. The Linux variant, Pay2Key.I2, is configuration-driven and requires root privileges to run. The malware can distinguish between different types of mounted file systems and choose which of them to encrypt.
That selectivity lets it do the most damage while leaving the host running just enough to deliver a ransom note. The bigger worry is that Linux ransomware remains one of the least studied threat categories in public security research, and this is a clear example of threat actors exploiting that gap by building tools that many organizations are not yet prepared to defend against. The impact falls hardest on businesses that run Linux-based infrastructure.
Servers hosting databases, application backends, and virtual machines are now prime targets, and so are the cloud workloads that many businesses depend on. Security teams responsible for Linux-based infrastructure should restrict root access and maintain an inventory of which accounts hold elevated privileges.
The risk of persistence mechanisms taking hold can be lowered by preventing non-administrative users from creating cron jobs they do not need. Organizations should also watch for any unexpected disabling of SELinux or AppArmor, which is a strong indicator that ransomware is running. Immutable, offline backups of critical data remain one of the most reliable ways to recover without paying a ransom.
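The two host signals named above, mandatory access control being switched off and cron persistence planted by a non-administrative account, can be checked with simple log matching. The following is an added example, not code from the article or from any vendor; the syslog-style line format, the command patterns, and the account names are assumptions, and the log lines are constructed.

```python
"""Detection logic over constructed host log lines: flags SELinux/AppArmor
being disabled and crontab writes by accounts outside the admin set.
Example code written for this article, not the article's own; the log
format, the regexes, and the usernames are assumptions."""
import re

# Commands that turn off mandatory access control. Assumed patterns,
# not an exhaustive list; extend to match your hosts' logging.
MAC_DISABLE_PATTERNS = [
    ("selinux_permissive", re.compile(r"\bsetenforce\s+(0|permissive)\b", re.I)),
    ("selinux_config_disabled", re.compile(r"SELINUX\s*=\s*disabled", re.I)),
    ("apparmor_stopped", re.compile(r"systemctl\s+(stop|disable|mask)\s+apparmor\b")),
    ("apparmor_teardown", re.compile(r"\baa-teardown\b")),
]

# cron's log line when a crontab is (re)written: "(alice) REPLACE (alice)"
CRON_REPLACE = re.compile(r"\((?P<user>[^)]+)\)\s+REPLACE\s+\((?P<owner>[^)]+)\)")


def detect_hardening_tampering(log_lines, admin_users):
    """Return a list of (line_no, finding, detail) for suspicious lines.

    log_lines   -- iterable of syslog/journal-style text lines
    admin_users -- set of accounts permitted to manage crontabs
    """
    findings = []
    for no, line in enumerate(log_lines, start=1):
        for name, pat in MAC_DISABLE_PATTERNS:
            if pat.search(line):
                findings.append((no, name, line.strip()))
        m = CRON_REPLACE.search(line)
        if m and m.group("owner") not in admin_users:
            findings.append((no, "cron_by_non_admin", m.group("owner")))
    return findings


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "Jan 10 02:14:01 db01 sudo: svc-backup : COMMAND=/usr/sbin/setenforce 0",
    "Jan 10 02:14:03 db01 crontab[4123]: (svc-backup) REPLACE (svc-backup)",
    "Jan 10 02:14:05 db01 sudo: root : COMMAND=/bin/systemctl stop apparmor",
    "Jan 10 02:15:00 db01 crontab[4130]: (root) REPLACE (root)",
    "Jan 10 02:16:12 db01 sshd[4200]: Accepted publickey for ops from 10.0.0.5",
]

if __name__ == "__main__":
    # Expect three findings: setenforce 0, the svc-backup crontab, apparmor stop.
    for finding in detect_hardening_tampering(SAMPLE_LOG, admin_users={"root"}):
        print(finding)
```

The root-owned crontab on the fourth line is deliberately not flagged, since root is in the admin set; tune `admin_users` to the accounts that legitimately manage scheduled jobs on each host.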