Xbash combines botnet, ransomware, coinmining in worm that targets Linux and Windows


Xbash has ransomware and coinmining capabilities. It is also self-propagating (meaning it has worm-like characteristics similar to WannaCry or Petya/NotPetya), and it contains capabilities not currently implemented that, when implemented, could enable it to spread very quickly within an organisation's network (again, much like WannaCry or Petya/NotPetya).

Xbash spreads by attacking weak passwords and unpatched vulnerabilities.

Xbash is data-destructive: it destroys Linux-based databases as part of its ransomware capabilities. Unit 42 researchers can also find no functionality within Xbash that would enable restoration after the ransom is paid. This means that, similar to NotPetya, Xbash is data-destructive malware posing as ransomware.

Organisations can protect themselves against Xbash by:

  • using strong, non-default passwords
  • keeping up-to-date on security updates
  • implementing endpoint security on Microsoft Windows and Linux systems
  • preventing access to unknown hosts on the internet (to prevent access to command and control servers)
  • implementing and maintaining rigorous and effective backup and restoration processes and procedures.
