Your business servers are the most important part of your online presence. It is where you keep your data, files and applications. Without that information online, you cease to exist in the digital world. If your servers happen to get attacked and you end up with any data stolen, you could be worse off than just having been erased – you could get sued by clients who have had their personal and financial information stolen by hackers.
While online security companies have always tried to stay one step ahead of hackers and the creators of malware, it’s proven an impossible task. As long as there are servers out there, the bad guys always seem to find their vulnerabilities. These lapses in security are usually caused by the operating systems’ manufacturers or by the users who are too slow to patch their servers whenever a new loophole is discovered.
Whatever the reason, the creation of malware has never stopped. Just after the initial sigh of relief following an attack, another attack occurs. That is the reality.
Since 2016’s end, there has been a rise in malware software attacks targeting servers and their data. The trend of attacks seems to come from ransomware, a type of malicious software designed to block access to a computer system until a sum of money is paid. The most destructive variations wipe servers clean, requesting money in exchange for data access. Of course, in almost all instances, these threats are unfounded and no one can be certain about the validity of these promises – can attackers deliver on the promise of restored data?
The Threats
Let’s take a look at 3 popular malware threats.
FairWare Ransomware: The first of these destructive operations was noticed in August 2016. Its specialty is in crippling Linux servers, where it targets the web folder and deletes it. Administrators are then told that they need to pay two bitcoins (approx. $2,135.00) if they want their files back.
It was suspected that the attackers didn’t encrypt the lost files, but moved them to one of their own servers – if they were able to keep them all.
Attack victims were first alerted to the loss of data after noticing their websites were down. When they logged into their Linux servers, they found that the home folder for their site had been deleted and that a note titled “READ_ME.txt” had been left behind in the /root/ folder. When they opened the txt file, they found instructions to go to Pastebin – a popular website for storing and sharing text – where a ransom note awaited them.
The culprits are so confident in their heist, they even provide a support email for victims to send in their queries, warning that “no stupid questions” should be asked and that any request to see the data first would be ignored.
They claim to be “business people” who treat their “customers” well, before stating that even the FBI could do nothing to help them. In fact, they say, the feds advise all victims to just shut up and pay up.
Linux.Encoder.1: This is another ransomware that first appeared around November 2015. But it wasn’t until the following year, when it had become too brutal and widespread to ignore, that the tech world finally acknowledged it for the threat it was, finally beginning to work toward a solution. This malware targets Linux servers that ran unpatched instances of Magento CMS.
In this instance, the malware wouldn’t delete files, but encrypt them on their web servers. After an attack, the ransom note left behind would inform the red-faced administrators that their data was still safe, but that a payment was required to decrypt it. The good news was that certain measures were found to recover the data.
Alma Ransomware: This malware is delivered via exploit kits, the RIG Exploit Kit, which are hidden on compromised web servers and then used to find vulnerabilities in visiting users’ web browsers. When found, the faults are exploited to deliver malicious payloads.
Once it has access to the files on the victims’ servers, it starts to encrypt them using its own key. When done, the usual ransom note is left with instructions on how to get the data back. In this case, the victims first have to download an application that has their unique ID (created by the ransomware) and confirms the bitcoin payment has indeed been made before allowing the decryption to go ahead.
Fortunately, ways have been found to defeat alma ransomware attacks without having to pay the ransom.
These examples of ransomware should serve as a warning to any server owners who disregard the constant “nagging” of operating system and software manufacturers, who ask their clients to update their servers on a regular basis. Don’t be one of those susceptible companies… update, update, update!