Power Global

 View Only

Protecting AIX and Linux from Ransomware

By Stephen Dominguez posted Thu July 01, 2021 11:48 AM


Every organization needs to protect its environment using a holistic approach to cybersecurity. As is often said, “you are only as strong as your weakest link,” so this is the best way to reduce the risk of data breaches caused not just by ransomware, but by any type of cyberattack.

A holistic approach can help you understand if your primary defenses against ransomware fail. For example, if a hacker has implemented measures to nullify your ransomware defenses, you’ll have other safeguards in place that can still defend against the ransomware. This type of multi-layered approach is called “defense in depth.” Defense in depth is indispensable when implementing cybersecurity defenses.

The Center for Internet Security (CIS) Controls is a great example of using a holistic approach to cybersecurity. The following are two excerpts from the CIS v8 Controls Guide:

The CIS Controls reflect the combined knowledge of experts from every part of the ecosystem (companies, governments, individuals), with every role (threat responders and analysts, technologists, information technology (IT) operators and defenders, vulnerability-finders, tool makers, solution providers, users, policy-makers, auditors, etc.), and across many sectors (government, power, defense, finance, transportation, academia, consulting, security, IT, etc.), who have banded together to create, adopt, and support the CIS Controls.

 These activities ensure that the CIS Security Best Practices (which include the CIS Controls and CIS Benchmarks) are more than a checklist of “good things to do,” or “things that could help”; instead, they are a prescriptive, prioritized, highly focused set of actions that have a community support network to make them implementable, usable, scalable, and in alignment with all industry or government security requirements.

Malware Prevention

Now, let’s look at ransomware, one type of malware. In addition to implementing a holistic approach to security, organizations should use two types of security controls for specifically providing measures for preventing ransomware, as well as all types of malware on Linux and AIX®:

  1. Implement an allowlisting solution
  2. Implement a traditional anti-virus/malware solution

“Allowlisting,” the new term replacing “whitelisting,” is a cybersecurity defense that controls what executables are allowed to execute by defining a list of authorized executables. If a file is not allowlisted, it would be considered as not authorized for execution. Allowlisting isn’t just applicable to standard binary executables, but also to libraries and scripts.

In numerous security breaches, attackers commonly use malware. In some breaches, attackers have used multiple types of malware to facilitate their successful breach. Attackers can also use hacking tools to enable them to further penetrate a victim’s environment.

When allowlisting is properly implemented, all types of malware—including viruses, ransomware and hacking tools—would be either prevented from execution or immediately detected, depending on which allowlisting approach you implement. Allowlisting also protects you from malware that hasn’t been identified or registered to anti-malware vendor databases. This is an additional benefit that sets it apart from traditional anti-virus/malware solutions. 

 A traditional anti-virus/malware solution

A traditional anti-virus/malware solution utilizes a database of signatures of known malware to detect the presence of malware on a system. This database is constantly updated as new malware is identified and is used to scan your file systems to locate malware on your filesystems.

This type of countermeasure is good for ensuring that a network Samba share running on AIX/Linux isn’t exposing malware to a different operating system. Even if a ransomware executable is not being executed by the AIX/Linux kernel, nor exported via a Samba share, it might be transferred from your AIX/Linux system to other systems, and you would want to be able to detect its presence.

How to prioritize between the two controls?

According to CIS recommendations, implementing a traditional anti-virus/malware solution is an IG level 1 control. Thus, all types of organizations should implement this first. In general, IG level 1 controls are the easiest to implement. IG level 2 controls are generally more difficult to implement, and IG level 3 controls are generally the most difficult to implement.

 Organizations can then consider adopting an allowlisting solution, which is an IG level 3 control. Due to the expertise and resources typically needed to correctly implement IG level 3 controls, IG level 3 controls are not always possible to implement for all organizations. The CIS describes IG level 3 controls as the following:

Safeguards selected for IG3 must abate targeted attacks from a sophisticated adversary and reduce the impact of zero-day attacks.

 NOTE: please see the CIS v8 control guide, at https://www.cisecurity.org/, for a more complete and detailed discussion of CIS implementation groups


Allowlisting on AIX

IBM has the AIX Trusted Execution tool that serves as a solution for anti-virus/malware cyber defense. AIX Trusted Execution is part of the AIX base OS for version 6 and above, but when adopting Trusted Execution, I also recommend using the PowerSC™ Graphical User Interface (GUI), which has useful centralized management functionality that supports Trusted Execution integration.

AIX Trusted Execution provides kernel-based allowlisting, which is a very powerful countermeasure to not just ransomware, but also to all types of malware. In addition to allowlisting, AIX Trusted Execution provides a database containing digital signatures of AIX operating system files. Trusted Execution allows you to use these digital signatures to cryptographically verify that the AIX executables installed on your system are absolutely identical to the ones published by IBM and thus ensure they haven’t been altered by a hacker. 

Two approaches are available for implementing allowlisting using the AIX Trusted Execution tool. The easier option is to simply detect executables that aren’t allowlisted. An alternative approach is to prevent the execution of files that aren’t allowlisted. The latter reduces security risk to a greater degree but requires more effort to correctly implement. 

Allowlisting on Linux

See this link for a good discussion on allowlisting options for Linux systems:



Traditional anti-virus/malware solutions on AIX and Linux

The products below are traditional anti-virus/malware solutions that may be considered for use with AIX/Linux. It is not a recommended list of solutions. Ultimately, I recommend that clients work with their CISO to vet solutions and determine which is best for their particular organization and security requirements. Options include:

  1. ClamAV
  2. Tanium
  3. McAfee VirusScan Command Line Scanner
  4. Powertech Antivirus from HelpSystems

Next Steps

For organizations that want to take immediate action to protect their AIX/Linux infrastructures from ransomware, I recommend the following steps:

Step 1 – Security Assessment

Perform a security assessment that uses a holistic approach. A well-designed security assessment will typically identify numerous IG level 1 or IG level 2 security controls that can be quickly deployed to your environment, which will serve as a defense in depth measuring toward reducing the risk of a ransomware attack.

IBM Lab Services provides professional services for this step. Our CIS-based assessment services are designed to assess every security control directly related to AIX/Linux Security. For AIX, a VIOS Security Assessment option is also available. For Linux, we provide assessment services for RHEL, SLES or UBUNTU running on x86, x64 or Power platforms. Our assessment service is a 40-hour consulting service that provides a deep analysis and report of one virtual machine. The typical use case for this service is to identify safeguards that can be added to the base operating system image used when deploying new images to an AIX/Linux infrastructure. This service assesses more than 300 cybersecurity controls, including:

  1. More than 50 CIS 7.1 controls – these are globally accepted security practices designed to protect AIX/Linux infrastructures
  2. More than 250 CIS AIX/Linux benchmark settings – these are operating system hardening recommendations

NOTE: Our assessment service is a 40-hour consulting service that provides a deep analysis and report of one virtual machine. This service only requires 6 hours of your time, as the remaining time is spent by IBM in data analysis and report generation. Additional assessment options are available.


Step 2 - Traditional anti-virus/malware solution

Deploy and integrate a traditional anti-virus/malware solution.


Step 3 – Allowlisting

Deploy and integrate allowlisting on AIX/Linux. Depending on the size and complexity of your AIX/Linux infrastructure, the deployment and integration of allowlisting can take anywhere from a few days to a few months. This is because, as previously explained, allowlisting is an IG level 3 control. For AIX infrastructures, IBM Lab Services provides professional services for this step. We provide the AIX Malware Prevention PoC. This PoC service helps clients expedite the deployment and integration of AIX Trusted Execution. For Linux infrastructures, please go here. 

NOTE: The standard service is a 40-hour service.  Additional hours may be requested for extended assistance.


Step 4 – PowerSC GUI (optional)

PowerSC GUI can expedite the integration of AIX Trusted Execution and AIX/Linux security hardening settings by providing a centralized management server for the deployment, monitoring and reporting of all security hardening settings and AIX Trusted Execution configuration.

Note: PowerSC currently does not provide any support for Intel Linux; however, support for Intel Linux is expected in 4Q 2021.


IBM Lab Services provides professional services for this step. We provide the PowerSC GUI PoC. This PoC service helps clients expedite the deployment and integration of the PowerSC GUI. 

NOTE: The standard service is a 40-hour service. Additional hours may be requested for extended assistance.

A holistic approach to security

In conclusion, when considering security measures to prevent ransomware, organizations should use a holistic approach to protecting their environment as exemplified in the CIS controls. For the security controls most directly related to preventing ransomware, I recommend implementing an allowlisting solution and pairing it with a traditional anti-virus/malware solution to achieve a comprehensive defense-in-depth approach to protecting AIX/Linux infrastructures from not just ransomware, but all types of malware. 

Please contact me, Stephen Dominguez, at sdoming@us.ibm.com if you would like to set up a conference call to discuss arrangement of services or to simply learn more about our professional AIX/Linux Security consultative services.

Stephen Dominguez is the worldwide AIX/Linux security lead for IBM Systems Lab Services. Email him at sdoming@us.ibm.com if you’d like to arrange a conference call to discuss AIX and Linux security consulting services. To learn more about the cybersecurity services he provides for IBM visit his blog, www.securitysteve.net.