Linux folks, Ransomware attacks can happen to you too

Everyone has been talking about this ‘WannaCry Ransomware’ attack for the past few days. My Facebook TL is filled with links and articles on the same. I was ignoring the news for few days and then people started forwarding text on Whatsapp, funny memes and etc. I finally had to read, just to find out what the fuzz was about.

That’s when I realised, we have experienced something similar two or three years ago. We didn’t know what it was. But we have solved this for a client. It was on the news this time because it was done on a bigger scale. About 200,000 computers in 150 countries have been affected so far.

The Story

One of our long time customers, Varun [name changed] had just started a new e-commerce project with us. They had a magento website which was live and had too many bugs, so we were building a better version of the website using Rails and Spree from scratch. They had around 50 customers placing orders from time to time.

One day, I got a call from Varun around lunch time.

“Magesh, our server is down. Something is wrong. Our Magento developer is not available right now. Can you look into this?”, he asked.

I said yes, got all the credentials from him and ssh’d into his server to find out what went wrong. I saw something we have never seen before. It was weird. All the PHP code files and folders were encrypted (All those files had a .encrypt or similar extension). I tried to open the files but all I saw was random letters, numbers or symbols.

That’s when we figured, someone has encrypted all the files, making it inaccessible for the web server to load the pages and that is why the website was down. I started thinking of the possibility of someone known to Varun doing this to get back at him for some reason. While I was wondering who could have done something as stupid as this. I saw a README-To-Decrypt file inside the same folder which was not encrypted.

Now, that’s weird. Why would someone encrypt all the files and leave a manual to help decrypt them. It doesn’t make any sense. I opened the README-To-Decrypt file and laughed. It read:

If you wish to decrypt all your files, you have to transfer 200$ to this paypal account. some-random@email.com

What in the world is this? Who is this guy? and why did he hack this server?

I called Varun and told him about what I saw. “Magesh, we have to solve this immediately. We are getting a lot of calls from customers. Shall I transfer the payment to the hacker?”, he asked.

I told him, “No Varun. You don’t have to do that. Your server has been hacked because it wasn’t secured. If you have a backup of those code files and the data, I can fix this today.” Luckily, Varun had a backup of all the files. It would have been really difficult if he didn’t have the backup. He then sent us all the code files, database backup.

It was a Virtual Private Server, so we took a backup of all the existing data, erased everything on the drive and re-installed the latest version of the OS. Added a bunch of security settings like disabling root and password login. Adding authorised ssh keys for login and etc. To avoid brute-force attack and unauthorised access. Once that was done, everything was back to normal.

The problem was:

Varun had the server set up by a freelancer a few months ago, who apparently, did not care much about the security just like many other developers in our country who ignore such things.

The unknown hacker used brute-force to find the password for root login and he must have executed a script (ransomware) which automatically encrypts the essential files on the server and holds it like a hostage. Leaving a message asking for a ransom.

What we experienced might not be WannaCry Ransomware. But it was something similar. People think these Ransomwares can only attack Windows machines. Nope, your Linux machine can also be compromised unless you have all the security settings in place.

In fact, the server Varun had was a Ubuntu (Linux) Linode instance, which was hacked. So, if you are a developer, building softwares for people. You need to think of security as the most important thing. Make sure that no one can hack into your server and even if they manage to do it somehow, make sure the critical data is encrypted and is hard to decrypt. For the safety of your customers.

Also, make sure you keep a backup of all the files and data somewhere safe on a different machine. If possible have multiple copies. It will come handy when something like this happens.