Anti-virus company Trend Micro has defended the publication of information on ransomware threats without providing any indication of how systems that it claims are vulnerable can be infected.
iTWire sought clarification from the company about a post that claimed ransomware known as Erebus was infecting Linux systems. There was no indication given by the company as to the attack vector.
The post was driven by a report that claimed a South Korean company known as Nayana had found 153 of its Linux servers infected by Erebus. The report then went on to list many traits of the Windows version of Erebus, which did nothing to clarify the attack vector.
Trend Micro senior architect Jon Oliver said, in response to queries, that the company had a responsibility to its customers to report what was happening in the threat landscape "in a timely manner and where we have evidence that the threat is real".
He did not say why the company did not inform its customers directly, rather than through a public blog post which could cause a scare as it did not specify the infection vector.
Attacks on Linux servers often occur through third-party software like one of the many PHP-based content management systems. Thus, to say something "attacks Linux" would not be strictly correct.
Oliver said the blog post about the Erebus ransomware was based on two news reports, one on a website called Aju Daily (referred to earlier), and the second on IDG's NetworkWorld.
Oliver also cited as sources of information a tweet and a Reddit entry. He said samples of ransomware were collected from Virus Total.
The NetworkWorld report also went into great detail about the Windows version of Erebus, after making the same claim that a Linux version had attacked the Nayana servers. The source for the latter information was the same Aju Daily report.
Another source cited by NetworkWorld, for the details about the Windows version of Erebus, was the website Bleeping Computer. It is pertinent to note here that the author of the article in question, Lawrence Abrams, does not exactly have a stellar record on writing about what he claims to be Linux ransomware.
Oliver said: "As it’s unknown how soon Nayana and the Korea Internet and Security Agency may reveal this information or whether Nayana will, in fact, reveal how it was infected, we believe that it would be irresponsible for us to wait until details of how the infection occurred at Nayana before we described the threats."
The Trend Micro blog post also includes marketing information at the end, pushing products it claims can stop ransomware.
This is not the first time that Trend Micro has figured in these columns over information that is questionable. In April, the company sent over its theories as to why Pawn Storm (a name for a group claimed to have Russian links) was involved in hacking the Democratic National Committee. The findings, while initially tentative, seemed to morph into certainty without any rational basis.
But when asked about the role of CrowdStrike, which was handling security for the Democrats and cleaned up the alleged hacked server on its own instead of calling in the FBI, the people at Trend Micro went silent.
Given the intense competition in the security space, companies are falling over themselves to grab any little dose of publicity they can. However, there is an expectation that technical folk, especially those selling products related to security, should wait for proper evidence, and not jump into print based on reports that appear to be rather thin on information and muddled to say the least.