Linux malware is skyrocketing and is now outpacing both macOS and Android, according to a new report, suggesting the open-source operating system is increasingly being targeted by cybercriminals.
The Atlas VPN report states that the number of new Linux malware samples collected increased by 646% from the first half of 2021 to the first half of 2022, from 226,334 samples to almost 1.7 million.
While growth has stabilized since hitting a record in the fourth quarter of 2021, the first six months of 2022 already saw more new Linux malware emerge than all of 2021.
Linux malware has grown even as Windows, Android, and macOS have all seen a decline in new malware samples. Windows remains the leader, owing to its overwhelming market share, with 41.4 million malware samples in the first half of 2022.
Citing Statcounter Global Stats, Atlas VPN said Android has a 44% share of the overall operating system market, while Windows and OS X have 29% and 6%, respectively.
Linux has only 1% of the OS market, but Atlas VPN noted, “While Linux isn’t as popular with computer users as other operating systems, it powers the back-end systems of many networks, making Linux attacks very lucrative. As Linux gains acceptance, so will attacks on it.”
Linux powers many cloud-based architectures, and most IoT devices run very minimal Linux distributions consisting of a Linux kernel and some core functionality, making them attractive for botnets and other similar campaigns.
Given the value of business systems as targets, hackers are also developing more sophisticated Linux malware (see New Highly Evasive Linux Malware Infects All Running Processes).
The Atlas VPN team used AV-ATLAS, a threat intelligence platform from AV-TEST GmbH, for its report.
How to protect yourself from Linux malware
Some Linux malware, such as Symbiote or, more recently, OrBit, is particularly evasive and therefore quite difficult to detect and remove. Hackers have mastered Linux internals, and the current trend is stealth.
More than ever, monitoring all endpoints, including Linux-based systems, is crucial. Users and admins also need to update their devices, or at least apply all security patches, although it’s getting harder to keep up.
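As an added illustration of what endpoint monitoring on Linux can look like in practice (example code written for this page, not from Atlas VPN, AV-TEST or the article), the script below audits the two shared-library preloading points that published analyses of Symbiote and OrBit describe as their hooking mechanism: entries in /etc/ld.so.preload and an LD_PRELOAD variable in the environment of running processes. A library loaded from outside the system library directories, or a hidden dot-file, is reported as a finding. The trusted-directory list, the helper names and the sample preload file and process environments are assumptions constructed for the example; on a live host the script reads /proc directly.

```python
"""Audit a Linux host for shared-library preload hijacking.

Constructed example for this page.  Checks two persistence points that
preload-based userland rootkits are known to use:
  1. entries in /etc/ld.so.preload
  2. LD_PRELOAD in the environment of running processes (/proc/<pid>/environ)
Findings are returned as plain strings so they can be forwarded to a SIEM.
"""
import os
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Where a legitimately preloaded library normally lives (assumption; tune per distro).
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")


def parse_preload_file(text: str) -> List[str]:
    """Return the library paths in ld.so.preload content.

    Entries are separated by whitespace or newlines; '#' starts a comment.
    """
    libs: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        libs.extend(line.split())
    return libs


def parse_environ(raw: bytes) -> Dict[str, str]:
    """Parse a /proc/<pid>/environ blob: NUL-separated KEY=VALUE pairs."""
    env: Dict[str, str] = {}
    for item in raw.split(b"\0"):
        if b"=" in item:
            key, value = item.split(b"=", 1)
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def is_suspicious_lib(path: str) -> bool:
    """Flag a library outside the trusted directories, or any hidden (dot-prefixed) file."""
    name = os.path.basename(path)
    return name.startswith(".") or not path.startswith(TRUSTED_LIB_DIRS)


def audit(preload_text: str, processes: Iterable[Tuple[int, str, bytes]]) -> List[str]:
    """Run both checks.  `processes` yields (pid, comm, raw_environ) tuples."""
    findings: List[str] = []
    for lib in parse_preload_file(preload_text):
        if is_suspicious_lib(lib):
            findings.append(f"ld.so.preload: suspicious entry {lib}")
    for pid, comm, environ in processes:
        preload = parse_environ(environ).get("LD_PRELOAD", "")
        for lib in preload.split(":"):
            if lib and is_suspicious_lib(lib):
                findings.append(f"pid {pid} ({comm}): LD_PRELOAD={lib}")
    return findings


def collect_live_processes() -> List[Tuple[int, str, bytes]]:
    """Read /proc on a live Linux host; processes we cannot read are skipped."""
    procs: List[Tuple[int, str, bytes]] = []
    for entry in Path("/proc").iterdir():
        if not entry.name.isdigit():
            continue
        try:
            comm = (entry / "comm").read_text().strip()
            environ = (entry / "environ").read_bytes()
        except OSError:  # PermissionError, process exited, etc.
            continue
        procs.append((int(entry.name), comm, environ))
    return procs


# Constructed sample data: one benign preload entry, one from a hidden /tmp directory,
# one process with a suspicious LD_PRELOAD and one clean process.
SAMPLE_PRELOAD = "# constructed sample\n/usr/lib/x86_64-linux-gnu/libfoo.so\n/tmp/.x/libhide.so\n"
SAMPLE_PROCS = [
    (1234, "sshd", b"PATH=/usr/bin\0LD_PRELOAD=/dev/shm/.cache/libproc.so\0"),
    (1235, "bash", b"PATH=/usr/bin\0HOME=/root\0"),
]

if __name__ == "__main__":
    print("Sample audit:")
    for finding in audit(SAMPLE_PRELOAD, SAMPLE_PROCS):
        print("  ", finding)
    if Path("/proc").is_dir():
        preload_path = Path("/etc/ld.so.preload")
        live_text = preload_path.read_text() if preload_path.is_file() else ""
        print("Live audit:")
        for finding in audit(live_text, collect_live_processes()):
            print("  ", finding)
```

Run it as root so every process's environ is readable; unprivileged runs silently skip other users' processes. The trusted-directory heuristic is deliberately simple: any hit should be triaged against package-manager ownership of the file rather than treated as a verdict.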
Attackers can use Linux malware to collect credentials or exfiltrate information. Businesses should not neglect such post-exploitation tactics: ransomware groups nowadays not only encrypt victims' files but also use exfiltrated data as a means of extortion.
From this perspective, additional layers of protection such as encrypting data during use could help prevent such events.