Do Linux systems need antivirus against ransomware?
There are actually multiple parts of the question:
- Is Linux affected by malware and especially ransomware?
- Do antivirus products exist for Linux?
- Do these products help against this threat?
To answer the first:
Yes, there is malware for Linux and there is also ransomware. Currently it is usually propagated in a different way compared to Windows: Malware on Windows is mostly distributed by phishing mail and web and makes use of platform specific vulnerabilities and features, i.e. currently mainly windows scripting host, macros in office documents and vulnerabilities in Office. On Linux systems instead it is usually installed by attacking the server, often by using security issues in Wordpress and other CMS. But this is mainly because server use of Linux is large while desktop use is still rare. The capabilities and vulnerabilities needed to spread ransomware in a similar way to Windows do often exist on Linux too although some differences (like the need to explicitly set the permissions of executable files) make some exploits harder.
As for the second, i.e. are the antivirus products for Linux:
There are both free products like ClamAV and commercial products available.
And finally, do these antivirus help against malware/ransomware targeting Linux?
They mostly don't. These antivirus products care mainly about protecting against attacks targeting Windows and are usually used to scan files or mails which might be served to Windows systems. Thus they are for example useful on a mail server or file server and also on a web server to make sure that the server is not used to spread malware. But they don't even protect fully against attacks targeting Windows. They might have some code in it to detect some well known (and sometimes only proof of concept) malware against Linux but they will not protect against new things. There are also products which scan for traces of existing system compromise and sometimes these are called antivirus but often not.
The best way to protect from data manipulation is backups onto a machine that provides append-only storage.
The simplest case of this are logfile servers -- there is a single serial link that you can send data over, which gets timestamped and stored; the system does not otherwise interpret the data, and there is no command interface on the serial link.
For full backups, I'd dedicate one machine that connects to the others, actively fetches the current state and directly archives it, possibly deduplicating with earlier versions. Clients have no way of contacting this system in any way, all the TCP ports are closed from the outside.
This system then has an excellent vantage point to not only provide earlier versions, but it can also be used to detect manipulations -- malware authors have a choice of either hiding the malware from this system (so you have a clean backup), or including it (which allows an antivirus system running on the backup server to spot it).
Linux is secure but it is not perfect.
The Linux malware exists and there is an example : WordPress-Delivered Ransomware and Hacked Linux Distributions witch describe how can a linux machine will be infected with a ransomware by exploiting a program vulnerability.
How it work?
A WordPress site is hacked through any method available. That may be a brute force password guessing attack or by exploiting a vulnerability in a plugin, theme or core.
The attacker installs code on the WordPress site that redirects visitors to other infected websites that are running the Nuclear Exploit Kit. The redirects may happen through a series of websites to try and prevent web browsers and Google from warning you that a site is infected. The sites involved in the redirect change frequently.
When a visitor to the infected site is redirected, the nuclear exploit kit searches for vulnerabilities in the site visitor’s Flash Plugin, Microsoft Silverlight, Adobe Reader or Internet Explorer.
If Nuclear finds a vulnerability, it exploits the visitor machine and installs the TeslaCrypt Ransomware.
The ransomware then encrypts all files on the workstation and extorts the owner into paying to get their system decrypted.
A second example:The Linux.Encoder.1 descovred by Dr.Web
Why you don't need an antivirus program under linux?
because you installed your programs from a trusted repositories and your system is frequently updated to patch the programs flaws
with the open sources softwares, the sources codes is available for everyone and can be tested, patched by experts and developers.
Why you need an antivirus?
The antivirus can be useful:
To scan email for viruses.
If you have
wine
installed on your system to run your favorites windows software.If you have a windows machine on your network.
To scan a windows hard drive.
To scan some file before send it to windows machines.
The easy way to defeat ransomware on any operating system is having a regularly updated backup.