ZeroLock: How to Defend Against Ransomware on Linux

Written by Linux security expert and LinuxSecurity.com Founder Dave Wreski.

Attacks targeting Linux have surged in recent years due to the mass migration of workloads to the cloud and the increase in IoT and other connected devices on the network. Traditional endpoint security solutions for Linux, which typically rely on the same algorithms and techniques developed to secure Windows desktops and don’t address the attack patterns unique to Linux, are no longer sufficient to secure modern Linux workloads against today’s dynamic and evasive threats.

Luckily, solutions that address Linux-specific challenges to fortify today’s Linux workloads against the most sophisticated and damaging threats do exist. An automated and efficient platform I’ve been using to detect and remediate threats to my Linux environment—and must admit I am quite impressed with!—is Vali Cyber’s ZeroLockTM^TM. In this article, I’ll examine the modern Linux threat landscape in a nutshell, introduce ZeroLock, and demonstrate how ZeroLock works to mitigate a ransomware attack.

The Modern Linux Threat Landscape in a Nutshell

The rise in popularity of Linux in recent years has put a target on the OS’s back. Linux malware reached an all-time high in the first half of 2022. The total number of vulnerabilities detected year-over-year shows that after Microsoft and Apple, it's Linux distros like RedHat and Debian that have the highest numbers of vulnerabilities reported. 

Traditional endpoint security solutions for Linux fail to address Linux-specific attack patterns such as SSH exploits, cryptojacking, and attacks that corrupt data such as ransomware and wiperware, all of which are constantly evolving and can’t be identified by a simple file hash. Fileless attacks are increasing against Linux systems with over 50% of attacks now being fileless, leveraging vulnerabilities like log4J and others that are undetectable by file-based methodologies. ​They attempt to protect targeted systems by using high overhead, resource-intensive, version-specific methods and complex kernel modules, leading to challenges in customer environments.

In this complex and dynamic modern Linux threat environment, intelligent, automated solutions are required to secure Linux workloads against the increasingly evasive and dangerous threats targeting them.

Experience the Power of ZeroLock’s Automated, Easy-to-Manage Protection

I’m very impressed with how ZeroLock addresses the shortcomings of traditional Linux endpoint security agents to provide rapid detection of and remediation of security threats. ZeroLock meets Linux-specific challenges with automated lockdown configuration and sophisticated access control capabilities, combined with advanced behavioral threat detection technology. With ZeroLock, administrators can quickly and easily secure all of their Linux workloads against attacks leading to compromise and detect and recover any threats that get through with minimal consumption of critical computing and human resources. 

ZeroLock taps into the heart of Linux to provide highly efficient, effective protection. The solution intervenes in process creation and injects code into every new process, allowing it to monitor and control them. This enables ZeroLock to defend against attacks that need access to network, files, or other system resources via the Linux System Call Interface to execute. ZeroLock intercepts all relevant system calls a process makes and examines and tracks them. Should a pattern of a process’s behavior be deemed suspicious, ZeroLock will intervene by either suspending or killing the process, or by caching file resources being attempted to be changed. This new method of hardening enables ZeroLock to prevent more attacks than solutions that rely on traditional Linux hardening methods, detect any attacks that get through by their behavior, and prevent or repair damage to files. 

ZeroLock’s distributed artificial intelligence and machine learning architecture is designed to support real-time detection and protection methodologies, yet also continually learn from and adapt to the ever-changing malware analysis landscape. Vali Cyber has consolidated this intelligence into a constantly learning algorithm that operates in real-time on host to protect Linux workloads against file-based and fileless malware and ransomware attacks, and the other malicious threats that target Linux today, with equally high efficacy regardless of the sophistication of the attack.

In the event that an attack does happen, ZeroLock remediates it promptly by copying all deleted or written files (encryption is considered a write operation) to a protected cache area while the actions and process(es) involved are evaluated. This approach makes it possible to automatically restore files that have been compromised, deleted, or encrypted by malicious code.The ZeroLock agent also has self-protection functionality that prevents malicious code from disabling or removing the agent from the system.

Watch ZeroLock Mitigate a Ransomware Attack!

ZeroLock uses behavioral markers to identify attacks. It understands how individual types of ransomware and cryptojacking attacks work and monitors for that behavior.

It focuses on specific threats, like RansomEXX and Log4j, and is able to discern a legitimate process writing or deleting files from an actual ransomware attack.

ZeroLock copies all deleted or written files to a special place in memory so that when an attack does occur, it’s able to recognize that attack, stop it in real-time, then restore from memory any files that may have been deleted or encrypted to return the system back to its normal trusted state.

Maximum Security, Minimum Impact

ZeroLock provides maximum Linux security with minimum impact. It is clear that Vali Cyber recognizes that organizations today do not have a single monolithic OS across their entire infrastructure, and has engineered ZeroLock with this in mind. Running entirely in user space, ZeroLock does not require any kernel modules and is compatible with all Linux systems kernel version 3.5 or greater, and across deployment environments (bare metal, VM, containers, cloud, and even embedded and IoT devices). This simplicity allows for streamlined deployment and uniformity of controls and protection. 

Administrators who deploy ZeroLock also enjoy the benefit of complete protection even on workloads segmented from the Internet or even air-gapped, and frequent updates are not required for ZeroLock’s behavior detection methods to remain secure.

Final Thoughts

As cyber threats continue to evolve at an unprecedented rate, it is critical that defensive software keeps pace to meet new challenges. As I’ve demonstrated in this article, ZeroLock provides the type of intelligent, automated and efficient protection that is necessary to fortify a modern Linux infrastructure against sophisticated threats like fileless malware and ransomware.

Interested in learning more? Visit valicyber.com. And stay tuned for upcoming articles that will dive deeper into Log4j exploit prevention, securing Wordpress sites on Linux and more!