The Erebus Linux variant is server-side ransomware that targets hosted web servers. Its configuration is hardcoded and visible in the binary's strings; it targets files that reside in the /var/www directory, specifically looking for MySQL ibdata files.
- Server gets malware implanted through an unknown vector.
- Malware calls out to CNC server.
- CNC responds and data is exchanged.
- Malware executes file encryption.
The malware must become resident on the victim system through another vector.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with new signatures that detect this exploit via Alert Logic Threat Manager™. If one of these signatures matches, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
Upon discovery of this malware, customers are advised to perform the following actions:
- Check for files with unusual or malware-specific extensions.
- Restore the host from a backup or reinstall a fresh OS and application.
- Ensure any exploitation vectors are removed from the host.
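One way to carry out the extension check in the first recommendation, as an added example that is not part of the original advisory: it inventories file extensions under a web root and reports those outside an expected baseline. The baseline list and the function names are assumptions to tune per host; the advisory names no specific extension, so none is hard-coded.

```shell
#!/bin/sh
# Added example, not from the advisory: report file extensions under a web
# root that fall outside an expected baseline, with a count per extension.

# Assumption: extensions normally present on this host. Tune per site.
EXPECTED_EXTS="php html htm css js json xml txt png jpg jpeg gif svg ico sql frm ibd myd myi log conf"

# unusual_ext_report ROOT [ALLOWLIST]
# Prints "<count> <extension>" lines, most frequent first.
# Limitation: file names containing newlines are miscounted.
unusual_ext_report() {
    root=$1
    allow=${2:-$EXPECTED_EXTS}
    find "$root" -xdev -type f -name '*.*' 2>/dev/null |
    awk -v allow="$allow" '
        BEGIN {
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++) ok[tolower(a[i])] = 1
        }
        {
            base = $0; sub(/.*\//, "", base)   # keep the file name only
            if (base ~ /^\.[^.]*$/) next        # dotfile such as .htaccess
            ext = tolower(base); sub(/.*\./, "", ext)
            if (ext != "" && !(ext in ok)) count[ext]++
        }
        END { for (e in count) print count[e], e }
    ' | sort -k1,1nr -k2,2
}

# files_with_ext ROOT EXT
# Lists the paths carrying one extension that stood out in the report.
files_with_ext() {
    find "$1" -xdev -type f -iname "*.$2" 2>/dev/null | sort
}

# When run directly with arguments: sh script.sh /var/www
if [ "$#" -gt 0 ]; then
    unusual_ext_report "$@"
fi
```

A single unfamiliar extension with a high count, especially one appended after a normal extension or onto MySQL data files, is the pattern to look for before restoring from backup.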