Windows, Linux Servers Beware: New Malware Encrypts Files Even After Ransom Is Paid


Ransomware skyrocketed from obscurity to infamy in no time flat. Headline-grabbing campaigns like WannaCry, Petya and NotPetya preceded a substantial increase in the number of small attacks using similar techniques to extort unwary internet users. Now, researchers at Palo Alto Networks have revealed new malware that carries on NotPetya's legacy while combining various types of threats into a single package.

The researchers, dubbed Unit 42, named this new malware Xbash. It's said to combine a botnet, ransomware and cryptocurrency mining software in a single worm, and it targets servers running Linux or Windows. The researchers blame an entity called the Iron Group, which has been linked to other ransomware attacks, for Xbash's creation. The malware is thought to have first seen use in May 2018.

A quick refresher on ransomware: it's a form of malware that encrypts the files on a victim's system and demands payment in exchange for their restoration. These fees are usually paid in Bitcoin, which is harder to track than a traditional currency, and the idea is that sending the payment will prompt the attackers to share the password used to encrypt the victim's files. If that happens, access to those files should be restored.

The problem is that it doesn't always happen. Unit 42 said that Xbash, much like NotPetya, doesn't actually have any features devoted to data restoration. It still asks for a ransom (48 victims have paid roughly $6,000 in Bitcoin to the attackers so far), but those files will remain encrypted even if it's paid. Xbash's ransom could be little more than a red herring meant to disguise the true goal of destroying its victims' data.

Unit 42 said Xbash functions differently based on what operating system it encounters. Linux devices are subject to the ransomware aspect, and they're also used to create the malware's botnets. Windows devices, on the other hand, are used for cryptocurrency mining and self-propagation. Targeting both allows Xbash's operators (likely the Iron Group) to create as much chaos as possible, no matter what server they have compromised.

Xbash also has a feature that allows it to examine and potentially compromise an organization's intranet. This feature isn't currently enabled, but Unit 42 warned that if it is activated, "this intranet functionality could make Xbash even more devastating" than it is now. Internal networks often feature less security than external ones; compromising those networks could allow Xbash to interfere with an organization's vital services.

Unit 42 has discovered four versions of Xbash so far, and the researchers said that "code and timestamp differences among these versions show that it’s still under active development." That development could be used to introduce new functionality, enable the intranet-targeting feature already present in the malware, or help Xbash better evade detection. Active development means the malware's threat is constantly evolving.

The best way to mitigate the damage caused by things like Xbash is to regularly back up important files, take all the usual security precautions and make sure nobody pays the ransom. Despite its name, ransomware is fast becoming something more akin to 'extortionware,' so it's better not to hand over the Bitcoin than to feed into this scheme.

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • USAFRet
    Backup
    Backup
    Backup
  • Christopher1
    USAFRET: Expensive expensive expensive.
    That is why many businesses do not do backups on a regular basis today.
  • spdragoo
    Usually, the business that says "it's too expensive" is only considering the actual cost of backing up their data & system (or to invest in preventative software protection)...& not considering the potential cost should they be hit with ransomware & didn't back their data up. The cost of data backup software & extra storage devices (even including the extra cost to pay the personnel to run the equipment) is almost 100% guaranteed to be much, much lower than the revenue they'll lose because of halting operations while rebuilding their data from scratch...not to mention the cost to their reputation among their customers (although it's considered an "intangible" asset, it tends to have a profound impact on the bottom line).
  • Peter Martin
    Yeah, that's a lamo supremo excuse. I guess they can afford to go out of business then.. lol

    Management by Hope never works... rofl (MGT 101)
  • stdragon
    21330853 said:
    USAFRET: Expensive expensive expensive.
    That is why many businesses do not do backups on a regular basis today.

    Loss of data is one of many reasons a company can go out of business.

    It's one thing to have a natural disaster strike and take out physical assets and property. Those can be replaced (if you have insurance). But if you've lost all your data, essentially you've lost your entire business, with the exception of starting all over with repeat business via an existing customer base. And even then, they will have to come to you if you don't have any documentation on how to reach back out to them.
  • Peter Martin
    Maybe that's what they're hoping for, to collect on the insurance.
  • USAFRet
    21330853 said:
    USAFRET: Expensive expensive expensive.
    That is why many businesses do not do backups on a regular basis today.

    Which is more expensive?
    A good backup routine, or loss of all your data and multiple days/weeks of downtime?

    I know...many managers can't think that far ahead. Or home users.
    But we see that here every day, multiple times a day.

    Be it a dead drive, or some virulent virus, or whatever.
    "PLEASE!! I need my stuff back!"

    For a business, with 50 users at $200/day each...doesn't take much downtime to justify the cost of a backup situation.
    Or..."That was our whole order chain from the last 6 months."

    Too bad, so sad.
  • Kenneth Hans
    'Discovered' or 'created'?
  • rantoc
    Yeah, backup! Whatever you do, DON'T pay. It only ends up encouraging more of that type of attack.
  • Peter Martin
    Never negotiate with terrorists