Blackhat wannabes proffer probably bogus Linux scamsomware

A new purported ransomware variant is hitting Linux servers, deleting files and demanding payment for the return of lost data. The scam is possibly a bluff, since it does not follow the regular format of encrypting files and leaving ransom notes for slick and automated payment. Information on the attacks is scarce. Bleeping …

  1. g00se
    Linux

    Two words

    PasswordAuthentication no

    (sshd_config)

    1. Doctor Syntax

      Re: Two words

      And a third: fail2ban

      1. g00se

        Re: Two words

        Well of course the former obviates the latter

      2. yossarianuk

        Re: Two words

        Or even better - Ossec.

        Like fail2ban but works on multiple services, i.e. postfix, apache (for site login), etc. as well as ssh.

        Also has more IPS features, remote syslogging and interrogatory checking.

    2. Crazy Operations Guy

      Re: Two words

      Better yet:

      PermitRootLogin no

      Allowing remote access to the root account by default is such a terrible idea, I'm surprised Lennart Poettering didn't come up with it...

    3. bombastic bob

      Re: Two words

      sshd_config - don't forget also:

      PermitRootLogin no

      (probably the more important one)

      then you can allow only SPECIFIC users via 'AllowUsers' 'AllowGroups' etc.

      further reduces the possibility of guessing BOTH the user name AND password, unless you disable passwords entirely.

      I don't favor entirely disabling passwords. That way you can remote in from ANY machine with an ssh client on it, regardless of whether or not you put the appropriate key into the appropriate place, or are on a dynamically assigned IP address, or something similar. Then you pick both a cryptic user name AND a hard-to-guess passphrase (not 'correct horse battery staple' but one like it).

      anyway, better than "root:god"

      edit: just saw after posting, someone else posted right before me about 'PermitRootLogin'. great minds think alike. 'race condition', he won.
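The thread above boils down to three sshd_config directives: PasswordAuthentication, PermitRootLogin and AllowUsers/AllowGroups. The script below is an added example (not posted by any of the commenters and not part of the article) that audits a given sshd_config for those settings the way sshd itself reads the file: the first uncommented occurrence of a directive wins, and global settings end at the first Match block. It assumes the common whitespace-separated "Key value" syntax rather than "Key=value", and the two sample configs it checks are constructed for the demonstration, not taken from any real host.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the hardening directives discussed
# in the thread. Not from the article or the commenters. Assumes "Key value"
# syntax (sshd also accepts "Key=value", which this simple parser ignores).

# Print the effective global value of a directive, lowercased, or "unset".
# sshd takes the FIRST uncommented occurrence; anything after a "Match" line
# is conditional and not part of the global configuration.
sshd_effective() {
    _file="$1"
    _key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    _val=$(awk -v k="$_key" '
        /^[[:space:]]*#/        { next }                   # comment line
        tolower($1) == "match"  { exit }                   # global section ends
        tolower($1) == k        { print tolower($2); exit } # first match wins
    ' "$_file")
    printf '%s\n' "${_val:-unset}"
}

# Report on the three directives; return 0 only when all are set safely.
sshd_audit() {
    _f="$1"
    _rc=0
    _pa=$(sshd_effective "$_f" PasswordAuthentication)
    _pr=$(sshd_effective "$_f" PermitRootLogin)
    _au=$(sshd_effective "$_f" AllowUsers)
    _ag=$(sshd_effective "$_f" AllowGroups)

    case "$_pa" in
        no) echo "ok   PasswordAuthentication no" ;;
        *)  echo "WARN PasswordAuthentication is '$_pa' (sshd default: yes)"; _rc=1 ;;
    esac
    case "$_pr" in
        no) echo "ok   PermitRootLogin no" ;;
        prohibit-password)
            echo "WARN PermitRootLogin prohibit-password: root still reachable by key"; _rc=1 ;;
        *)  echo "WARN PermitRootLogin is '$_pr'"; _rc=1 ;;
    esac
    if [ "$_au" = unset ] && [ "$_ag" = unset ]; then
        echo "WARN no AllowUsers/AllowGroups restriction: every account may try to log in"
        _rc=1
    else
        echo "ok   login restricted to listed users/groups"
    fi
    return $_rc
}

# Constructed sample configs (not from any real machine) to exercise the audit.
weak_cfg=$(mktemp)
hard_cfg=$(mktemp)
trap 'rm -f "$weak_cfg" "$hard_cfg"' EXIT

cat > "$weak_cfg" <<'EOF'
# stock-looking config: password logins on, root login allowed
Port 22
#PasswordAuthentication no
PermitRootLogin yes
EOF

cat > "$hard_cfg" <<'EOF'
Port 22
PasswordAuthentication no
PermitRootLogin no
AllowGroups sshusers
Match User backup
    PasswordAuthentication yes
EOF

echo "--- weak config ---"
sshd_audit "$weak_cfg" || true
echo "--- hardened config ---"
sshd_audit "$hard_cfg"
```

Run it against a real file with `sshd_audit /etc/ssh/sshd_config`; note that the Match block in the hardened sample does not change the global verdict, which is exactly how sshd treats it. For an authoritative view of what sshd actually parsed, `sshd -T` prints the effective configuration and is the better check on a live host.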

  2. Crisp

    It is unknown if the attacker actually retains the victim's files

    Has the Bleeping Computer researcher tried monitoring the bleeping traffic from the bleeping ethernet interface?

  3. Valeyard

    redis?

    is this related to the article showing redis as the ssh intrusion vector?

    https://duo.com/blog/over-18-000-redis-instances-targeted-by-fake-ransomware

    1. Midnight

      Re: redis?

      Yup. It's the same thing. Just a different payload.

      http://www.bleepingcomputer.com/news/security/hacked-redis-servers-being-used-to-install-the-fairware-ransomware-attack/

  4. Robert Carnegie

    "Classic" ransomware

    I think there may have been data ransom hack attacks before encryption. In that case, "take away the data, offer to give it back for money" -is- the "classic" version.
