Linux may not quite stack up to Windows when it comes to the raw number of attacks against systems running the operating system, but threat actor interest in Linux-based servers and technologies has ramped up significantly recently.

That's likely in response to growing enterprise use of Linux infrastructures — especially in the cloud — to host mission critical applications and data, according to a report from Trend Micro this week. The firm identified a 75% increase in ransomware attacks targeting Linux systems in the first half of 2022 compared to the same period last year.

The report also said that researchers from the company spotted 1,961 instances of Linux-based ransomware attack attempts on its customers in the first six months of 2022 versus 1,121 in 1H, 2021.

Surging Linux, VMware ESXi Ransomware Attacks

The increase was consistent with Trend Micro's previous observations about threat actors broadening their efforts to target Linux platforms and ESXi servers, which many organizations use to manage virtual machines and containers.

The security vendor has described the trend as being spearheaded by the operators of the REvil and DarkSide ransomware families, and gaining momentum with the release of a LockBit ransomware variant for Linux and VMware ESXi systems last October.

Earlier this year, Trend Micro researchers observed yet another variant called "Cheerscrypt" surfacing in the wild that also targeted ESXi servers. And, several other security vendors have reported observing other ransomware such as Luna and Black Basta that can encrypt data on Linux systems.

Ransomware is currently the biggest, but not the only, threat targeting Linux systems. A report that VMware released earlier this year noted an increase also in cryptojacking and the use of remote-access Trojans (RATs) designed to attack Linux environments.

The company for instance discovered that threat actors are using malware such as XMRig to steal CPU cycles on Linux machines to mine Monero and other cryptocurrencies.

"Cryptomining malware on Linux saw an increase in the first half, likely from the fact that cloud-based crypto-mining has seen growth by malicious actors perpetrating this threat," notes Jon Clay, vice president of threat intelligence with Trend Micro.

VMware's report also observed expanded use of tools such as Cobalt Strike to target Linux systems and the emergence of a Linux implementation of Cobalt Strike called "Vermilion Strike."

Like Trend Micro, VMware too noted an increase in the volume and sophistication of ransomware attacks on Linux infrastructure — especially host images for workloads in virtual environments. The company described many of the ransomware attacks against Linux systems as targeted, rather than opportunistic, and combining data exfiltration and other extortion schemes.

An Entry Point to High-Value Enterprise Environments

Windows continues to be — by far — the most heavily targeted operating system, simply because of the size of its installed base. Clay says of the 63 billion threats that Trend Micro blocked for customers in the first half of 2022, only a very small percentage were Linux-based. Though there were millions of Linux threat detections in 1H, 2022, there were billions of attacks on Windows systems over the same period, he says.

But the growing attacks on Linux systems are troubling because of how Linux is starting to be utilized within critical areas of the business computing infrastructure. VMware pointed out in its report that Linux is the most common operating system across multicloud environments, and 78% of the most popular websites are powered by Linux. Thus, successful attacks on these systems could cause considerable harm to the organization’s operations.

"Malware targeting Linux-based systems is fast becoming an attacker's way into high-value, multi-cloud environments," VMware warned.

Even so, security protections might be lagging, Clay points out.

"Threat actors are seeing opportunities to attack this operating system as it is more common to see it running critical areas of a business operation," he says. "Because historically it hasn’t seen a lot of threats target it, security controls may be missing or not enabled properly to protect it."

Protecting Linux Environments

Linux administrators need to first of all follow standard security best practices to secure their systems, researchers say, such as keeping systems patched, minimizing access, and conducting regular scans.

Mike Parkin, senior technical engineer at Vulcan Cyber, says it's significant to note the major differences in how Linux- and Windows-based systems are used when assessing risk and managing patching. Linux systems are usually servers found both on-premises and in cloud deployments. While there are a lot of Windows servers, there are far more Windows desktops, and those are often what gets targeted, with the servers then being compromised from that initial Windows toehold.

Further, Linux user awareness around social engineering should be an organizational focus.

"Linux system administrators are, hopefully, less likely to fall for typical phishing and social engineering attacks than the general population," Parkin says. "But the standard advice applies — users need to be trained to be part of the solution rather than part of the attack surface."

Clay meanwhile says the first thing organizations need to do is to inventory all the Linux-based systems they’re running and then look to implement a Linux-based security approach to protect against different threats.

"Ideally, this would be part of a cybersecurity platform where they could deploy security controls automatically as Linux systems come online and model their controls for Windows-based systems," he says. "Ensure this includes technologies like machine learning, virtual patching, application control, integrity monitoring, and log inspection."