Linux malware is skyrocketing and now overtakes both macOS and Android, suggesting cybercriminals are increasingly targeting the open-source operating system, according to a new report.
The Atlas VPN report says the number of new Linux malware samples collected jumped 646% between the first half of 2021 and the first half of 2022, from 226,334 samples to nearly 1.7 million.
While growth has stabilized since hitting a record in the fourth quarter of 2021, the first six months of 2022 have already seen more new Linux malware than all of 2021.
The growth in Linux malware has occurred even as Windows, Android, and macOS have all seen declines in new malware samples. Windows still tops the overall rankings due to its dominant market share, accounting for 41.4 million malware samples in the first half of 2022.
Citing Statcounter Global Stats, Atlas VPN said Android held 44% of the overall operating system market, while Windows and OS X held 29% and 6% respectively.
Linux only represents 1% of the operating system market, but Atlas VPN noted that “although Linux is not as popular among computer users as other operating systems, it runs the back-end systems of many networks, which makes attacks against Linux very lucrative. As adoption of Linux increases, attacks against it will also increase.”
Linux powers many cloud-based architectures, and most IoT devices run very minimalist Linux distributions consisting of a Linux kernel and a few core functions, making them attractive for botnets and similar campaigns.
Given the value of enterprise targets, hackers are also developing more sophisticated Linux malware (see Highly Evasive New Linux Malware Infects All Running Processes).
The Atlas VPN team used AV-ATLAS, a threat intelligence platform from AV-TEST GmbH, for its report.
How to Protect Against Linux Malware
Some Linux malware families, such as Symbiote or, more recently, OrBit, are particularly evasive and therefore quite difficult to detect and remove. Hackers have mastered the internals of Linux, and the current trend is toward stealth.
More than ever, monitoring all endpoints, including Linux-based systems, is essential. Users and admins should also update their devices or at least apply all security patches, even if it gets harder to keep up.
Attackers can use Linux malware to harvest credentials or exfiltrate information. Companies should not neglect these post-exploitation tactics, as ransomware groups these days not only encrypt victims’ files but also use the exfiltrated data as a means of extortion.
From this perspective, additional layers of protection such as encryption of data in use could help prevent such data theft.