Linux Malware Stats Facts

Want to know more about Linux exploits? This guide compiles the latest Linux malware statistics and facts so that you can better understand the threat landscape and protect your Linux machine with added security.

Linux is well known for being more private and secure than popular operating systems like Windows and Apple Mac. Unfortunately, this can lead to a false sense of security. Cybercriminals are starting to concentrate their efforts on Linux users. This is causing an increase in exploits for Linux-based operating systems like Ubuntu, Fedora, and CentOS.

Keep scrolling to learn the latest Linux malware trends and statistics.

1. Linux endpoints were the most targeted in 2023

According to the Elastic Security 2023 Global Threat Report, Linux is now the most attacked endpoint, beating out Windows for the first time. The security company found that 54% of all malware infections were on Linux endpoints, with 39% on Windows and 6% on Mac. This frightening statistic reveals a massive surge in focus on Linux-based attacks aimed at the ever-growing landscape of cloud devices that use Linux as their operating system.

2. Linux ranked above Mac for malware threats in 2022

When comparing the main Operating Systems used by desktop computers, Apple Insider reports that Windows and Linux experienced the brunt of malware infections in 2022. The website reports that Windows suffered 54% of attacks, while Linux suffered 39.4% of infections. Mac, by contrast, suffered just 6.2% of malware infections.

3. 1.7 million new Linux malware variants discovered in 2022

According to research by the IT services company PhoenixNAP, Linux malware exploded by 659% yearly between 2021 and 2022. The company reported that 1.7 million new Linux exploits had been discovered in 2022, putting Linux users at an ever-increasing risk of malware infections.

4. Unrestricted use of sudo can enable Linux attacks

PhoenixNap has advised Linux users about the risks associated with excessive use of the sudo command, which can lead to privilege escalations and potentially allow hackers to gain control of Linux systems.

By minimizing sudo permissions, the attack surface is reduced, helping to prevent attackers from executing certain commands and making it more challenging for hackers to inflict damage. Limiting sudo is crucial for Linux users seeking to enhance system security and mitigate risks associated with unauthorized access.

5. The first Linux malware appeared in 1996

Despite Linux’s reputation for being more secure and reliable than Windows and Mac, there is a long history of exploits for Linux-based operating systems. The first ever virus for Linux, Staog, was detected way back in 1996.

This serves as a helpful reminder that although Linux malware infection rates have exploded in the last few years, malware for Linux is not new.

6. Many dangerous malware variants are common on Linux

According to Linux Insider, some of the most common malware variants affecting Linux include: Cloud Snooper, EvilGnome, HiddenWasp, QNAPCrypt, GonnaCry, FBOT, and Tycoon. These are sophisticated malware exploits capable of causing serious damage, including data theft, account takeover, and complete remote control of the infected Linux machine.

7. 90% of public cloud workloads run on Linux

As more companies move to Linux-based servers and networks, hackers realize that although they have smaller numbers, Linux targets may offer more lucrative rewards. The latest research from Trend Micro suggests that 90% of public cloud workloads run on Linux, giving hackers ample reasons to develop Linux malware. The desire and potential to extract more meaningful financial rewards is the primary motivation for developing Linux-based exploits.

8. 2023 saw a 62% increase in Linux ransomware attacks

The Trend Micro Linux Threat Landscape Report states that ransomware attacks aimed at Linux increased by 62% between 2022 and 2023. The security company found that, among others, KillDisk Ransomware actively targeted financial institutions, primarily finding success through phishing attacks and outdated Linux operating systems and kernels.

9. Webshell malware accounts for nearly 50% of Linux malware

According to Trend Micro, Webshell exploits were the most common malware for Linux, accounting for 49.6% of exploits. Trojans were in second place, accounting for 29.4 of the malware discovered. Backdoors and Cryptocurrency miners also featured in the list but accounted for much smaller percentages of attacks.

10. WordPress was the most frequently targeted application in Linux attack vectors

Researchers at Trend Micro identified that applications often provide the easiest initial attack vectors for targeting Linux systems. WordPress was the most frequently exploited due to its widespread use and vulnerabilities. Other commonly targeted applications included Joomla, Apache, cPanel, IBM WebSphere, Zoho ManageEngine, and Magento.

11. Linux malware targets 30 different WordPress plugins

In 2022, research conducted by PurpleSec revealed that 30 WordPress plugins were identified as creating vulnerabilities exploitable for infecting Linux systems with malware. PurpleSec has urged Linux users to update these plugins promptly. The prevalence of WordPress-based attack vectors serves as a reminder that a larger footprint often presents greater opportunities for security breaches.

12. 97% of Linux attacks are web-based

According to Trend Micro’s 2022 threat report, 97% of attacks on Linux systems are web-based. Cybercriminals predominantly focus on exploiting web vulnerabilities such as SQL injection, cross-site scripting (XSS), and server-side request forgeries (SSRF) to compromise web resources.

Only 3% of attacks use non-web-based application protocols like FTP (File Transfer Protocol), DNS (Domain Name System), SSH (Secure Shell Protocol), SMB (Server Message Block), or SMTP (Simple Mail Transfer Protocol).

97% of Linux attacks are web-based

13. Injections are the most commonly exploited attack vector

According to Trend Micro’s report, injections are the most commonly exploited vulnerability in web-based attacks. This category includes SQL injection, command injection, and injections involving Object Relational Mapping (ORM), LDAP, Expression Language (EL), and Object Graph Navigation Library (OGNL), as well as cross-site scripting (XSS). Of these, XSS was found to pose the highest risk.

14. Connections with scam and phishing URLs were most common

According to Trend Micro, infected Linux systems often communicate with URLs used for scams and phishing. Of the malicious outgoing connections, 39.3% were to scam websites, 17.1% were for phishing, and 15.4% connected with “malware accomplices”.

The image below shows the remaining categories:

Threat categories

15. Look-alike domains were used to target Linux

Trend Micro’s report reveals that cloned websites were successfully used to target Linux systems widely. This attack is often part of phishing or scam operations aimed at stealing credentials or delivering malware. Examples of domains that were cloned and leveraged to carry out attacks include:

  • googe[.]com
  • yotube[.]com
  • ww17[.]yuotube[.]com
  • zippo-amazon[.]com[:]80

16. Malicious files and library bundles with Docker pose a threat

Trend Micro has observed that the widespread use of container technologies to deploy applications has increased the attack surface exploitable by cybercriminals. The company noted that hackers often cunningly conceal unnecessary components such as compilers, debugging tools, documentation files, and libraries within Docker images, creating potential means to initiate attacks on Linux systems. Trend Micro reminds Linux users that outdated images also contain many vulnerabilities and that, unfortunately, many images on DockerHub are outdated.

17. Ransomware families for Linux exploded from 2021 onwards

Research by Check Point highlights that the prevalence of attacks on Linux, particularly ransomware attacks, has exploded in the last 3 years. Check Point’s study reveals that ransomware for Linux only appeared in 2015, by which time it was already highly developed for Windows.

Ransomware attacks on Linux

18. Linux-based malware has an extremely wide target base

One of the main reasons for the explosion of Linux-based malware attacks is the prevalence of IoT devices that use Linux-based operating systems running on hardware with limited resources. Many of these cheap devices have badly executed or lapse security, making them an attractive target. The huge explosion of poorly secured devices attached to the internet has caught the attention of malware developers, resulting in the snowball effect currently underway.