We’re sorry, your browser appears to be outdated.
To see the content of this webpage correctly, please update to the latest version or install a new browser for free, such as Avast Secure Browser or Google Chrome.

Not sure which solution is right for your business?

Linux ransomware: How to protect your business

Protecting your business from ransomware is challenging, particularly when a variety of operating systems are in use, each with their own levels of security and risk. With employees likely to be using a combination of Windows, MacOS, Linux and mobile operating systems, it can be difficult to be sure your business security is consistent.

This article looks at Linux ransomware: What it is, how much security it offers, the different types of ransomware that target devices running Linux, and what you can do to protect against its threat.

Try the Avast Business Hub FREE for 30 days

Enjoy enterprise-grade security whatever the size of your business. Download the Avast Business Hub and try it for 30 days, risk-free.

A man in a blue shirt holds a paper coffee cup while working on a desktop computer.

What is Linux ransomware?

In general terms, Linux ransomware is a type of malware that can attack systems based on Linux operating system (including distributions such as Ubuntu and Debian). This type of attack will infiltrate a device or network, identify important documents, and encrypt them. Often, the first time an attack is noticed is when a message is sent demanding payment for the return of the encrypted files. For an individual this is terrifying, but for a business it could potentially cause irreparable damage to operations and customer trust.

Is Linux safe?

While Linux has a reputation for providing strong security measures, making it a popular option for business servers, the truth is that no operating system (OS) is completely safe from malware attacks. The nature of malware is such that human error can often be the cause of a breach – through phishing, using weak passwords, or failing to implement updates when they are available.

One of the positives for Linux users is that security updates are not only regular, but are generally considered to be highly effective, giving your system some of the best OS security available.

Another positive is that Linux automatically assigns restricted access permissions, meaning that if a malicious hacker gains access to a user account, it is less likely they will be able to access secure data or gain admin controls.

Windows and Mac operating systems are more widely used than Linux, but bad actors know that Linux is growing in popularity as the system for business servers. By gaining access to a Linux system, hackers are much more likely to be accessing a server rather than a single endpoint. For this reason, businesses should not be complacent – you must use antivirus software to reduce the risk of being attacked.

Ransomware on Linux: What happens?

Linux ransomware is an increasing concern for businesses using Linux servers. Understanding the process is vital for being able to spot suspicious network activity and other red flags. The approach from attackers varies, but the following represents the typical stages of a Linux ransomware attack.

1. Exploit vulnerabilities

To access a network and spread, Linux ransomware generally relies on the identification of vulnerabilities. This could be as simple as an unpatched system process or a flaw in a service. The vulnerability may not impact daily use and could easily go unnoticed.

Some forms of Linux ransomware will use scanners to identify SQL injection vulnerabilities that could provide admin access. Applying updates and fixes is critical to ensure that known vulnerabilities are patched.

A diagram showing ransomware attaching itself to a document folder on a computer.

2. Set up

Once the ransomware is in place, it will request the download of malicious executables (typically a worm, Trojan, or virus), which can then be positioned in the network’s local directories. At this point, it will begin to function. This could mean giving itself certain access permissions and the ability to run at boot or in recovery mode.

In some cases, the ransomware will use privilege escalation to access features typically used only by high-level administrators. This bypass means that the malware could view and edit any data.

A diagram showing ransomware positioning itself in a network's directories.>

3. Scan

The ransomware will scan the system looking for shared folders and files with specific extensions. These targets are predetermined and are likely to include document files (.PDF, .DOC) and software related to the cloud or network storage.

The malware may still not have been noticed by your business, but it could have established itself on your server and already targeted the files it will hold for ransom.

A diagram showing ransomware scanning a system and identifying specific files to target.

4. Encrypt

At this stage of attacking a Linux system, the ransomware will create an encrypted version of the target files, removing the original. Depending on the type of encryption used, this could be irreversible.

Many encryption methods are known as asymmetric, as they use a pair of keys to encrypt and decrypt data. Typically, one key is public and visible, but the other is private and held only by the creator. The ransomware will contact the cybercriminal’s server to get a public key to begin the encryption process.

A diagram of a computer window, displaying an encrypted document alongside the image of a padlock.

If devices are not connected to the network at this point, the attacker will wait until the users are back online before also encrypting their files.

Common types of encryption include:

  • AES – the Advanced Encryption Standard (Rijndael) is a standard created by the U.S. National Institute of Standards and Technology. Keys can be 128, 192, or 256 bits (the higher the number is, the more complex the encryption).
  • RSA – is a public-key system that was developed in 1977. Its name is an acronym of its three creators: Rivest-Shamir-Adleman. They are typically 1024 or 2048 bits long, making them difficult to break.

5. Demands

In the final stage, the demands of the extortion are made through a ransom note. This may be in the form of a startup message, a document placed on a desktop, or in the location of the encrypted files. The ransom will usually include payment instructions. Some will also include a deadline or countdown, which could see the ransom increase over time or threaten permanent file deletion if payment is not made in time.

At this point, the ransomware has completed its task.

A diagram showing an encrypted document on the left side and a ransomware demand and countdown on the right side.

Types of Linux ransomware


The first instance of Tycoon was spotted in 2019. It is typically used to attack SMBs and higher education organizations. It can infect both Linux and Windows devices.

System access is gained through a ZIP archive containing a malicious Java image file. An unsecured remote desktop protocol is then used to execute the Java object, which will encrypt the system and leave a ransom note.

Attacks typically offer a 60-hour window for payment via Bitcoin. In some cases, the amount increases daily.


This attack focuses on Linux-based network-attached storage (NAS) devices. Distribution is typically through fake updates and infected files, including ZIP archives.

QNAPCrypt’s point of entry is flawed authentication of a SOCKS5 proxy (an alternative to a VPN that protects data packets during transfer) and has a low detection rate. Once a system is compromised, the malware requests a Bitcoin wallet and a public RSA key from the hacker’s server before encrypting the victim’s data.

Once encryption is complete, the ransom information is left in a .txt file. Each victim is given a unique Bitcoin wallet in which to pay the ransom, helping the attackers avoid detection.


RansomEXX (also known as Defrat777) has become one of the most common forms of ransomware on Linux devices in recent years. It began as a Windows malware but has increasingly been used to attack Linux servers – most notably against the Brazilian government, the Department of Transportation in Texas and Brno University Hospital in the Czech Republic.

This type of ransomware is known as a "big-game hunter” – it is often used to target large organizations and governments in an attempt to secure large ransom payments. Rather than attacking multiple endpoints, the malware heads straight for the server, restricting access to files at their source – making Linux servers a primary target for this type of attack.

RansomEXX is typically delivered through an email containing a malicious Word document. Once opened, a Trojan is downloaded onto the user’s system, encrypting files and generating a 256-bit encryption key. The key is then re-encrypted every second.


Erebus was first seen in 2016 as a Windows-based ransomware. It was used for the first time against Linux systems in 2017 for a high-profile attack on the South Korean web hosting company NAYANA. 153 Linux servers and more than 3,400 business websites were affected. The ransom of $1 million in Bitcoin set a record at the time for the highest fee paid.

Erebus relies on the user clicking on malicious links or opening infected emails attachments. It can also gain access to a system through malicious software, such as fake installers.

The ransomware scans for a wide range of file types to encrypt including databases, archives, and documents. The encryption process used is difficult to crack, as it uses a blend of three different cryptosystems (RSA-2048, AES and RC4). The ransomware also deletes Shadow Volume Copies of the operating system, making recovery even harder.


KillDisk is another ransomware that began on Windows before being adapted to Linux. The Linux version of KillDisk encrypts each file with a different set of 64-bit encryption keys. It then prevents the system from booting by overwriting the bootloader, instead presenting the user with a full-screen ransom note demanding payment in Bitcoin.

The Linux version of KillDisk then varies from Windows: The keys required to decrypt the data are not stored locally or sent to a server during a Linux attack, meaning that the encryption tool was most likely written to be destructive rather than for extortion. If no encryption key exists, the files are unlikely to ever be recovered, regardless of whether the ransom is paid.

Protect against Linux ransomware

Linux ransomware is a growing threat, particularly for business users. Actions that you should take to protect your business against ransomware attacks include:

  • Install updates regularly. All servers and endpoints should be kept updated. Security patches and software fixes should always be installed as soon as they are available.
  • Providing cybersecurity training for staff. To minimize human error, it is vital that all staff have a foundational level of cybersecurity training. Avast’s Cybersecurity Quiz will help you to understand your staff’s understanding and help to identify weak points that can be improved with training.
  • Restrict access permissions. User account permissions should, by policy, be kept to a minimum. Everyone has access to only those files and applications required for them to complete their work.
  • Back up data. Keeping secure backups of data is critical for minimizing the potential damage of an attack.
  • Establish a security strategy. Many attacks rely on human error to gain access to a network. This risk can be significantly reduced by implementing a security strategy that includes staff training, implementation of security software, and implementing best practice around strong passwords, safe emails, and endpoint security.
  • Conduct regular inspections and vulnerability assessments. Systems should be monitored and carefully assessed at regular intervals. Event logs should be reviewed as part of this process to identify suspicious activity.
  • Have a response plan. In the same way that an office has a fire safety plan, a ransomware strategy should be in place to ensure that staff know what to do in the event of an attack. The aim is to minimize damage and ensure a smooth recovery.

Find out more in the article “How to secure your Linux server”.

Advanced antivirus for Linux servers

While Linux offers some of the best OS security available, it is not enough on its own to keep your business data and server safe and secure. Protect your company with dedicated Linux malware and endpoint protection.


Almost done!

Complete installation by clicking your downloaded file and following the instructions.

Initiating download...
Note: If your download did not start automatically, please click here.
Click this file to start installing Avast.