INC Ransomware Behind Linux Threat

Overview

This week, the SonicWall Capture Labs Research team analyzed a sample of Linux ransomware. The group behind this ransomware, called INC Ransomware, has been active since it was first reported a year ago.

Infection Cycle

The malware is a Linux executable in ELF format. A quick inspection of its strings revealed the command-line arguments the binary accepts.

Figure 1: List of Command Line Arguments

Upon execution with the identified parameters, the malware appends “INC” to the names of encrypted files.

Figure 2: Debug Output Using the --debug Option

Figure 3: Encrypted files with “INC” appended file extension

The malware also creates a file named "kill," a shell script that uses the esxcli utility shipped with VMware ESXi to list and kill all running virtual machine processes when the host is an ESXi hypervisor. Our analysis was not conducted in such an environment, so this command failed with an error because the utility was not found.

Figure 4: Content of the “kill” and delete scripts

Another file created is "delete," a shell script that uses the ESXi command-line utility vim-cmd to delete all registered virtual machines.
Copies of the ransom note were dropped in every directory where files were encrypted, consistent with other ransomware families.

Figure 5: Contents of “Inc_readme.html” Ransom note

The parameter --motd also changed the message of the day (MOTD) on the infected machine so that the ransom note message is displayed upon successful login.

Figure 6: Message of the Day shows ransom note message
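The "kill" and "delete" helper scripts, the "INC" extension, the per-directory ransom note and the replaced MOTD described above are all artefacts a responder can look for on a suspect Linux or ESXi host. The triage script below is an added example and is not SonicWall's tooling or anything taken from the sample. It walks a directory tree (a mounted disk image or a live root) and reports those indicators. The constructed sample tree, the baseline line assumed for a clean /etc/motd, and the exact esxcli and vim-cmd subcommands matched (the analysis names the utilities, not their arguments) are assumptions made here for illustration.

```python
#!/usr/bin/env python3
"""Host triage for the INC Linux/ESXi artefacts described in the analysis.

Added example, not SonicWall's code. It walks a directory tree and reports:
files renamed with an "INC" extension, "kill"/"delete" helper scripts that
call esxcli or vim-cmd, dropped "Inc_readme.html" notes, and a message of
the day that no longer contains its known-good baseline text.
"""
import re
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".INC"          # extension appended to encrypted files (Figure 3)
NOTE_NAME = "Inc_readme.html"      # ransom note dropped per directory (Figure 5)
HELPER_NAMES = {"kill", "delete"}  # ESXi helper scripts (Figure 4)
# Assumed subcommands: the analysis names the utilities, not their arguments.
ESX_PATTERNS = {
    "esxcli vm process kill": re.compile(r"\besxcli\s+vm\s+process\s+kill\b"),
    "vim-cmd vmsvc/destroy": re.compile(r"\bvim-cmd\s+vmsvc/destroy\b"),
}
MOTD_BASELINE = "Welcome to esx-lab01"  # constructed known-good /etc/motd line


def scan_tree(root, motd_baseline=MOTD_BASELINE):
    """Return indicator hits under `root` (a mounted image or a live /)."""
    root = Path(root)
    findings = {"encrypted": [], "notes": [], "esx_scripts": [], "motd_replaced": False}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.endswith(ENCRYPTED_SUFFIX):
            findings["encrypted"].append(rel)
        elif path.name == NOTE_NAME:
            findings["notes"].append(rel)
        elif path.name in HELPER_NAMES:
            text = path.read_text(errors="replace")
            hits = [label for label, rx in ESX_PATTERNS.items() if rx.search(text)]
            if hits:
                findings["esx_scripts"].append((rel, hits))
    # A replaced MOTD is what the --motd option leaves behind (Figure 6).
    motd = root / "etc" / "motd"
    if motd.is_file() and motd_baseline not in motd.read_text(errors="replace"):
        findings["motd_replaced"] = True
    return findings


def verdict(findings):
    """Collapse findings into one of: clean, suspicious, infected."""
    if findings["encrypted"] and (findings["notes"] or findings["motd_replaced"]):
        return "infected"
    if any(value for value in findings.values()):
        return "suspicious"
    return "clean"


def build_sample_tree(base):
    """Populate `base` with a constructed post-infection layout for testing."""
    base = Path(base)
    (base / "data").mkdir(parents=True)
    (base / "etc").mkdir()
    (base / "data" / "report.pdf.INC").write_bytes(b"\x00ciphertext\x00")
    (base / "data" / NOTE_NAME).write_text("<html>your files are encrypted</html>\n")
    (base / "data" / "untouched.txt").write_text("plain\n")
    # Constructed stand-ins for the helper scripts the analysis describes.
    (base / "kill").write_text(
        "#!/bin/sh\n"
        "for wid in $(esxcli vm process list | awk '/World ID/ {print $3}'); do\n"
        "  esxcli vm process kill --type=force --world-id=$wid\n"
        "done\n")
    (base / "delete").write_text(
        "#!/bin/sh\n"
        "for vmid in $(vim-cmd vmsvc/getallvms | awk 'NR>1 {print $1}'); do\n"
        "  vim-cmd vmsvc/destroy $vmid\n"
        "done\n")
    (base / "etc" / "motd").write_text("your files are encrypted, see Inc_readme.html\n")
    return base


def demo():
    """Build the sample tree in a temp dir, scan it and return (findings, verdict)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        findings = scan_tree(tmp)
        return findings, verdict(findings)


if __name__ == "__main__":
    found, result = demo()
    for key, value in found.items():
        print(f"{key}: {value}")
    print("verdict:", result)
```

On a real host, point scan_tree at the mount point of the evidence image rather than at a live root, and replace MOTD_BASELINE with the text your build actually ships in /etc/motd; a hit on the helper scripts alone is only "suspicious" because the same esxcli and vim-cmd invocations appear in legitimate ESXi maintenance scripts.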

Visiting the URL in the ransom note led to the group's leak blog, which lists its claimed victims.

Figure 7: INC Ransom blog site

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: LinuxINC.RSM(Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

For further details, visit the official man page for MOTD.
