CrossOver Support - Community Forums


CrossOver Linux
Discussion about CrossOver Linux


"Locky" and other crypto-ransomware nastiness -- are my computers at risk?

I've searched these forums using keywords but found nothing, so I've posted here hoping
it's the right place for help.

I am running Crossover 15.0.0 with SuSE Linux 13.2 and Microsoft Office 2007.

I have been reading about crypto-locker ransomware attacks and computer files being
encrypted and then held for ransom.

One article stated that: "Locky ransomware begins its attacks from an infected Windows
machine but can spread to other platforms like Linux and OS X via network connections."

That mention of infections spreading to Linux has me worried as I get a fair number of MS Word
and MS Excel documents sent to me as e-mail attachments by clients. I open them using the
Crossover software.

Are my computers (laptop and desktop) at risk from any of these "crypto" ransomware attacks
if I open a Microsoft document sent to me by a client as an e-mail attachment? To the best
of my knowledge I don't have an anti-virus program installed on my Linux machines. I only have
Bogofilter installed to filter out spam.

What should I worry about? What should I be doing? Or am I OK and worrying needlessly?

Many thanks. :o)
Gil

What an excellent nerdy question!

If we're talking about locky specifically, it "spreads" by encrypting files on a shared drive. For instance, if you share your home by way of samba, and some Windows machine you share it with is infected, your home will probably get encrypted by that stupid Windows machine. The software itself isn't multi-platform and doesn't replicate itself onto your Linux box. Further, if again we're talking about windows malware, the possibility of it running by way of Wine/Crossover is low, but not impossible. Last time something like this came up, some have said they did encounter malware that worked via Crossover, although I haven't. That being said, you should consider this a possibility, although in the case of Locky, I doubt it would run.

The first thing you should have are backups to drives that aren't normally mounted. Backups are necessary anyway, as drives fail even without the help of malware. Antivirus might not catch the problem in time, and isn't a surefire way to keep your files from being damaged. Well-made backups, on the other hand, stand the test of time.

The other thing I can think of, if you're worried, is to make sure your entire home folder isn't accessible. In the Crossover Control Panel for the concerned bottle, fire up winecfg, and remove / modify any reference to home directly. Make a folder called client_files or something and point at least one drive to that. That way, if some malware actually runs, it won't be aware of your home folder, it will just encrypt what it knows about.

Although a Linux machine isn't 100% safe, in particular if it has shares with Windows machines, it isn't a very substantial risk. So you're right to be worried at least a little, I just wouldn't panic.

J-P thanks for your reply. I've inserted some comments/questions into it.
Gil

J-P Simard wrote:

What an excellent nerdy question!

If we're talking about locky specifically, it "spreads" by
encrypting files on a shared drive. For instance, if you share your
home by way of samba, and some Windows machine you share it with is
infected, your home will probably get encrypted by that stupid
Windows machine. The software itself isn't multi-platform and
doesn't replicate itself onto your Linux box. Further, if again
we're talking about windows malware, the possibility of it running
by way of Wine/Crossover is low, but not impossible. Last time
something like this came up, some have said they did encounter
malware that worked via Crossover, although I haven't. That being
said, you should consider this a possibility, although in the case
of Locky, I doubt it would run.

All of my computers are stand-alone as are my wife's. We all pull from the same internet router but the computers cannot "talk" to each other through any sort of home network setup. My laptop is a dual boot SuSE13.2/Windows7 but I only boot to Windows when I need to update a device that is not Linux-supported (for example, my Garmin GPS unit). I never boot to the Windows partition for e-mail. I do periodically run an anti-virus program on the Windows7 partition.

Any data files on the laptop were copied there from the desktop, so there is nothing on the laptop that results in a disaster if lost. I only load onto it what I need each time I travel.

J-P Simard wrote:

The first thing you should have are backups to drives that aren't
normally mounted. Backups are necessary anyway, as drives fail even
without the help of malware. Antivirus might not catch the problem
in time, and isn't a surefire way to keep your files from being
damaged. Well-made backups, on the other hand, stand the test of
time.

I do backups from the desktop to an external drive that is connected only during the backup process.

J-P Simard wrote:

The other thing I can think of, if you're worried, is to make sure
your entire home folder isn't accessible. In the Crossover Control
Panel for the concerned bottle, fire up winecfg, and remove / modify
any reference to home directly. Make a folder called client_files or
something and point at least one drive to that. That way, if some
malware actually runs, it won't be aware of your home folder, it
will just encrypt what it knows about.

Oh, now it's gone over my head. I am not a sophisticated Linux or Crossover user. So what you've suggested -- I don't know how to follow the instructions. I only have one bottle -- "Microsoft_Office_2007." Where and how do I fire up winecfg? Where/how do I remove/modify any reference to home directly? (Maybe that would be obvious if I knew how to get winecfg running?) :o) Where do I make the folder you suggest and how do I point a drive to it? (Sorry, these are probably really basic (insulting?) questions, but I don't know how to do what you've so kindly suggested.)

J-P Simard wrote:

Although a Linux machine isn't 100% safe, in particular if it has
shares with Windows machines, it isn't a very substantial risk. So
you're right to be worried at least a little, I just wouldn't panic.

Thanks. I won't panic, but yeah, I'm concerned that I'll do something innocently that will drop me into ransomware hell.
Gil

Chief, if you are running SuSE Linux with Crossover and Microsoft Office, you are protected. The ransomware that is affecting Windows OS machines will not affect your Linux machine. It does not work that way. Most ransomware is a Windows executable. So don't worry. I have been using OpenSuse and now Ubuntu, and never have to worry about viruses or malware. So your machine is safe!

The only Linux ransomware targeted webmasters, specifically the folders associated with serving web pages, and is called Linux.Encoder.1. But you need root/administrator privileges to run it. By default nowadays a Linux machine has to call root or sudo to get administrator privileges to execute a program or executable. So it will not run by itself even though you click it, because permission is denied, because you need root access. It makes you wonder why the executable needs root access :)

But still, for whatever reason, hardware failure, OS failure, you should do a backup. Spend 9.99 USD per month to get Google Drive for 1 Tera and use Insync to sync whatever directory or files immediately for any changes in your home folder, e.g. https://www.insynchq.com; it's free for one Google account.

I don't agree with J-P Simard except for backing up.

Furthermore, Windows users need to understand that antivirus is dead!

Note: If you are using Ubuntu, I can show you how to update your Garmin GPS or other things that need an update.

Have a good day ahead Gil.

No problem for the questions:

So if you run Crossover itself, you can select your bottle, and you should see a "control panel" section. Within those icons you should spot a "wine configuration" icon. Mind you I'm using Crossover in French, so find similar names, not necessarily the exact names. In Winecfg (or Wine configuration), go to the "drives" tab which should look like this:

image

You should see a "drive" that refers to your "home" which should look like /home/your_user_name. What I suggest is to make a folder in your home, and point that same "drive" to that folder. The path will therefore become something like /home/your_user_name/client_files. That way, any malware should only be aware of that "client_files" folder which it thinks is a local drive with the letter D: or F: or whatever other letter. If something gets encrypted, it shouldn't go any further than that folder. To do the change, select the drive, and just change the path in the "path" line or browse to the folder. I'm hoping the tool itself will make things a little clearer.

I'm not saying this is a guaranteed prevention of problems, but that is where I would start. I'm sure I could ponder this a while longer and find some convoluted ways to isolate everything, but you would lose a lot on usability. I have a few ideas right now, but I didn't test any of them, and they might not work.

I would leave with this:

1) I receive files from clients regularly too, and when I was still using MSOffice, I never came across a single problem. It could still happen, but the odds aren't high in my book.

2) A little paranoia goes a long way in computer usage because they actually are out to get you. A careful, aware user is a user with a higher chance of running a clean computer, no matter the OS. If a client gives the impression of being computer illiterate, be doubly careful.

Hey Mustapa,

You might not agree, but some people did have problems with malware under Crossover, so this isn't about opinion, it has happened. It is extremely rare and improbable, but certainly not impossible. And get your head out of the sand, your computer is made to run code, just because Linux hasn't been targeted with anything serious yet doesn't mean it won't happen. I will agree that hitting Linux is a hell of a job, as it is a moving target with many variations, but that only makes Linux a not very tempting target, not an impossible one.

Further, Locky does encrypt drives that are shared with infected Windows machines, that is also fact. It's not about opinion, that's just the way the malware works. It won't happen as Gil doesn't have any shares opened by a Windows machine.

Peddling Linux hype isn't the way to go, it's irresponsible. Linux isn't inviolable, and anyone worth their salt should admit to that. Just look at the Mac camp, so proud and so sure their system was also inviolable. They ain't so proud these days, as they have been hit by malware a few times. We Linux users shouldn't display the same hubris.

I do agree about antivirus, which on some occasions has caused vulnerabilities where none would have existed otherwise. I don't believe in them at all. They will always be extra code, with its own set of bugs, and they will always be one step behind.

J-P, thanks again for this reply. Additional comments inserted into your reply.
Gil

J-P Simard wrote:

No problem for the questions:

So if you run Crossover itself, you can select your bottle, and you
should see a "control panel" section. Within those icons you should
spot a "wine configuration" icon. Mind you I'm using Crossover in
French, so find similar names, not necessarily the exact names. In
Winecfg (or Wine configuration), go to the "drives" tab which should
look like this:

image

You should see a "drive" that refers to your "home" which should
look like /home/your_user_name. What I suggest is to make a folder in your
home, and point that same "drive" to that folder. The path will
therefore become something like /home/your_user_name/client_files. That way, any
malware should only be aware of that "client_files" folder which it
thinks is a local drive with the letter D: or F: or whatever other
letter. If something gets encrypted, it shouldn't go any further than
that folder. To do the change, select the drive, and just change the
path in the "path" line or browse to the folder. I'm hoping the
tool itself will make things a little clearer.

I created a folder in my home directory ------>>>> /home/my name/Client_Files

I then looked in the Wine Configuration, Drives tab and I see five drives listed. C: I: L: Y: and Z:

For Y: the Target folder is /home/my name

So are you suggesting that I edit the Y: Target folder to show /home/my name/Client_Files? If yes, how do I edit this? Maybe I'm overlooking something very obvious, but I don't see a way to edit the Target folder.

And even if I can edit it, I'm not understanding how doing so will help if a Windows-based encryption gets into my computer. Maybe I'm not understanding how Crossover works, but with Y: presently showing /home/my name is everything going to the Y: drive? And if everything is going there now and we add /Client_Files will everything then go to the Client_Files folder? I'm just not understanding how adding /Client_Folders will direct malware there but nothing else.

Sorry for my lack of sophistication in these matters. I'm really not computer illiterate, but I am Windows/Crossover "slow." :o)

J-P Simard wrote:

I'm not saying this is a guaranteed prevention of problems, but that
is where I would start. I'm sure I could ponder this a while longer
and find some convoluted ways to isolate everything, but you would
lose a lot on usability. I have a few ideas right now, but I didn't
test any of them, and they might not work.

I would leave with this:

1) I receive files from clients regularly too, and when I was still
using MSOffice, I never came across a single problem. It could still
happen, but the odds aren't high in my book.

2) A little paranoia goes a long way in computer usage because they
actually are out to get you. A careful, aware user is a user with a
higher chance of running a clean computer, no matter the OS. If a
client gives the impression of being computer illiterate, be doubly
careful.

Like I said, you should select the drive by clicking on it, and you edit things in the fields under the main window. I don't really know how I could say it in a simpler fashion.

As for the other bit, you have to understand that the path of the simulated "drive" isn't available to the windows software being run. So if Y: points to /home/your_name, the software is not aware that the actual folder is /home/your_name, as the information available to it is that it writes directly to the Y: drive. It is entirely clueless as to where it is really writing, and has absolutely no idea there's a / or /bin or a /usr folder somewhere on the system.

Likewise, if you modify the same Y: drive and point it to /home/my name/Client_Files, your home becomes entirely "invisible" and the Y: is now the Client_Files folder. The windows software is now informed to still write to what it thinks of as the Y: drive. It doesn't know the Y: drive is really a folder in your home, nor does it know the path to that folder. The drive letter implies exactly that: to windows software, it will be seen as a partition. The path you see in winecfg is for your information and use, not for the windows software.

In other words you are choosing what folder appears as a partition on a drive. If that fake partition is your entire home, that is at risk. If that fake partition is a folder in your home, that will be the limit of what is at risk. If you are going to really understand, you have to be savvy about how drives work under windows, and then understand that Wine/Crossover lies to the software being run and tells it that certain folders are really physical drives with partitions on them.

I can't make this any simpler myself, I don't think of myself as the best teacher either. If you still don't understand, I really think this is the stuff you should read up for yourself at your own pace.
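
The drive mapping discussed in the posts above can also be checked from a Linux terminal. The following is an added example, not part of the original posts and not CodeWeavers' code: Wine records each drive letter as a symlink in the bottle's `dosdevices` directory, and the script reports every letter whose target is the home folder or a parent of it, so that a remaining mapping such as Z: is checked along with Y:. The sample bottle is constructed, `Z:` pointing at `/` is Wine's usual default and is assumed here, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: list which host folders a Wine/CrossOver bottle exposes as
# Windows drive letters. Wine stores each mapping as a symlink named like
# "y:" inside <bottle>/dosdevices/ (raw devices use "d::" and are skipped).

# classify_target TARGET HOME_DIR -> prints one verdict word
classify_target() {
    local target="${1%/}" home="${2%/}"
    if [ -z "$target" ]; then target="/"; fi       # "/" was stripped to ""
    if [ "$target" = "$home" ]; then
        echo "WHOLE_HOME"                           # drive is the entire home
    elif [ "$target" = "/" ] || [ "${home#"$target"/}" != "$home" ]; then
        echo "CONTAINS_HOME"                        # drive is a parent of home
    elif [ "${target#"$home"/}" != "$target" ]; then
        echo "SUBFOLDER_OF_HOME"                    # only part of home visible
    else
        echo "OUTSIDE_HOME"
    fi
}

# audit_bottle_drives BOTTLE_DIR HOME_DIR
# Prints "LETTER<TAB>VERDICT<TAB>RESOLVED_PATH" for every mapped drive.
audit_bottle_drives() {
    local bottle="$1" home link letter target
    home="$(readlink -f "$2")"
    for link in "$bottle"/dosdevices/?:; do
        [ -L "$link" ] || continue
        letter="$(basename "$link" | tr 'a-z' 'A-Z')"
        target="$(readlink -f "$link")"
        printf '%s\t%s\t%s\n' "$letter" \
            "$(classify_target "$target" "$home")" "$target"
    done
}

# exposed_drives BOTTLE_DIR HOME_DIR
# Prints the letters through which the whole home folder is reachable.
exposed_drives() {
    audit_bottle_drives "$1" "$2" | awk -F'\t' '
        $2 == "WHOLE_HOME" || $2 == "CONTAINS_HOME" {
            printf "%s%s", sep, $1; sep = " "
        }'
}

# make_sample_bottle ROOT Y_SUBDIR
# Constructed sample data: a fake home and bottle under ROOT with the C:, Y:
# and Z: letters from the thread. Z: -> / is an assumption (Wine's default).
make_sample_bottle() {
    local root="$1" y_subdir="$2"
    mkdir -p "$root/home/gil/Client_Files" \
             "$root/bottle/drive_c" "$root/bottle/dosdevices"
    ln -sfn ../drive_c "$root/bottle/dosdevices/c:"
    ln -sfn "$root/home/gil/$y_subdir" "$root/bottle/dosdevices/y:"
    ln -sfn / "$root/bottle/dosdevices/z:"
}

demo_root="$(mktemp -d)"
make_sample_bottle "$demo_root" ""                 # Y: is the whole home
echo "Before: exposed via $(exposed_drives "$demo_root/bottle" "$demo_root/home/gil")"
make_sample_bottle "$demo_root" "Client_Files"     # Y: re-pointed to a subfolder
audit_bottle_drives "$demo_root/bottle" "$demo_root/home/gil"
echo "After:  exposed via $(exposed_drives "$demo_root/bottle" "$demo_root/home/gil")"
rm -rf "$demo_root"
```

On a real system, pass the bottle directory and `$HOME` to `audit_bottle_drives`; for CrossOver on Linux the bottle is assumed to live under `~/.cxoffice/`, for example `~/.cxoffice/Microsoft_Office_2007`.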

Oh, sometimes we can make the simplest things so difficult for ourselves. Duh, duh, duh.

J-P Simard wrote:

Like I said, you should select the drive by clicking on it, and you
edit things in the fields under the main window. I don't really know
how I could say it in a simpler fashion.

J-P, no wonder I was getting nowhere while thinking I was correctly following your instructions. Unfortunately I didn't recognize that I was clicking on the "Target folder," not on the drive letter itself. When just now I clicked on Y: then like magic (duh) I could edit and add /Client_Files to the Target folder line. Sometimes trying to follow the simplest instructions makes one feel so foolish.

J-P Simard wrote:

As for the other bit, you have to understand that the path of the
simulated "drive" isn't available to the windows software being run.
So if Y: points to /home/your_name, the software is not aware
that the actual folder is /home/your_name, as the information
available to it is that it writes directly to the Y:
drive. It is entirely clueless as to where it is really writing,
and has absolutely no idea there's a / or /bin or a /usr folder
somewhere on the system.

Likewise, if you modify the same Y: drive and point it to /home/my
name/Client_Files, your home becomes entirely "invisible" and the
Y: is now the Client_Files folder. The windows software is now
informed to still write to what it thinks of as the Y: drive. It
doesn't know the Y: drive is really a folder in your home, nor
does it know the path to that folder. The drive letter implies
exactly that: to windows software, it will be seen as a partition. The
path you see in winecfg is for your information and use,
not for the windows software.

In other words you are choosing what folder appears as a partition
on a drive. If that fake partition is your entire home, that is at
risk. If that fake partition is a folder in your home, that will be
the limit of what is at risk. If you are going to really understand,
you have to be savvy about how drives work under windows, and then
understand that Wine/Crossover lies to the software being run and
tells it that certain folders are really physical drives with
partitions on them.

Thanks.

But if a ransomware or similar encryption program does get into my computer will it then write to the Client_Files folder and display on screen the demand for money? And if so to get rid of the encryption infection do I just delete that Client_Files folder? Is it that simple?

J-P Simard wrote:

I can't make this any simpler myself, I don't think of myself as the
best teacher either. If you still don't understand, I really think
this is the stuff you should read up for yourself at your own pace.


gil weber wrote:

But if a ransomware or similar encryption program does get into my
computer will it then write to the Client_Files folder and display
on screen the demand for money? And if so to get rid of the
encryption infection do I just delete that Client_Files folder? Is
it that simple?

That's the plan. And since those would be client files, you could just ask your clients for a new copy. Of course, it's not impossible that some malware may someday be written to be aware it is running inside Wine/Crossover and circumvent this. That would be a fringe case, so specific, that I doubt the chances of that happening are very, very low.

Mustapa is right to some degree, running on Linux is a great start to a safe system, and currently, I know of no malware really targeting directly the Linux desktop. The absence of a serious malware threat has been the case since I started using Linux well over a decade ago. So all of this discussion is you wanting to be particularly cautious, which is of course commendable. But, like I said, don't panic! 😀

J-P Simard wrote:

gil weber wrote:

But if a ransomware or similar encryption program does get into my
computer will it then write to the Client_Files folder and display
on screen the demand for money? And if so to get rid of the
encryption infection do I just delete that Client_Files folder? Is
it that simple?

That's the plan. And since those would be client files, you could
just ask your clients for a new copy. Of course, it's not impossible
that some malware may someday be written to be aware it is running
inside Wine/Crossover and circumvent this. That would be a fringe
case, so specific, that I doubt the chances of that happening are
very, very low.

Mustapa is right to some degree, running on Linux is a great start
to a safe system, and currently, I know of no malware really
targeting directly the Linux desktop. The absence of a serious
malware threat has been the case since I started using Linux well
over a decade ago. So all of this discussion is you wanting to be
particularly cautious, which is of course commendable. But, like I
said, don't panic! 😀

Thanks again. My wife and I got off Windows many years ago. Despite doing almost daily updates of my antivirus software I was nevertheless slammed by a Windows infection that crippled my hard drive. We started with Linux and have been very happy that to this point we've not suffered under the threat level of Windows users. But given that I do use Crossover I was seeking reassurance that I wasn't overlooking something very basic to protect my files. I very much appreciate all the feedback from you and Mustapa. I will not panic. 😊
