Linux.Encoder

Linux.Encoder (also known as ELF/Filecoder.A and Trojan.Linux.Ransom.A) is considered to be the first ransomware Trojan targeting computers running Linux. There are additional variants of this Trojan that target other Unix and Unix-like systems. Discovered on November 5, 2015, by Dr. Web, this malware affected at least tens of Linux users.

Linux.Encoder.1 is remotely executed on the victim's computer by using a flaw in Magento, a popular content management system app. When activated, the malware encrypts certain types of files stored on mounted local and network drives using AES and RSA public-key cryptography, with the private key stored only on the malware's control servers. The malware then stores a file called "readme_to_decrypt.txt" in every directory, containing a message which offers to decrypt the data if a payment (through Bitcoin) is made. Compared to other ransomware such as CryptoLocker, the malware does not state a deadline to pay and the ransom does not increase over time.

Figure caption: Content of the "readme_for_decrypt.txt" on a Linux server.

Discovery

On November 5, 2015, Dr. Web, a Russian anti-malware company, added Linux.Encoder.1 to its virus database. The company then published the malware description the day after. This ransomware is written in C using the PolarSSL library.

Operation

Propagation

According to Bitdefender Labs, the most common infection vector is a flaw in Magento, a shopping cart software. CheckPoint reported this vulnerability in April 2015. After this report, Magento issued a fix. However, many small e-commerce sites did not apply this critical update. Linux hosts might also be attacked using other exploits.

File encryption

When run as root, the program loads two files into memory containing the attackers' demands:

./readme.crypto
./index.crypto

After this, the ransomware receives the public RSA key. The malware will then start as a daemon and delete all its original files. The trojan will encrypt files with the extensions: ".php", ".html", ".tar", ".gz", ".sql", ".js", ".css", ".txt", ".pdf", ".tgz", ".war", ".jar", ".java", ".class", ".ruby", ".rar", ".zip", ".db", ".7z", ".doc", ".pdf", ".xls", ".properties", ".xml", ".jpg", ".jpeg", ".png", ".gif", ".mov", ".avi", ".wmv", ".mp3", ".mp4", ".wma", ".aac", ".wav", ".pem", ".pub", ".docx", ".apk", ".exe", ".dll", ".tpl", ".psd", ".asp", ".phtml", ".aspx", ".csv".

Encrypted files

The malicious program encrypts files with the aforementioned extensions in the following directories:

/home
/root
/var/lib/mysql
/var/www
/etc/nginx
/etc/apache2
/var/log

After this, the malware will encrypt all the files from directories with a name starting with:

public_html
www
webapp
backup
.git
.svn

The program will not encrypt files in the following directories:

/
/root/
.ssh
/usr/bin
/bin
/etc/ssh

The program will then generate a file called "readme_for_decryption.txt" in every folder. This file contains the Bitcoin address generated specifically for the ransom and the website to download the decrypting tool, hosted on an onion website.

Encryption method

Like other ransomware, Linux.Encoder.1 uses mixed-encryption algorithms to encrypt data. It starts by generating an AES key on the victim's device and encrypts all of the previously listed files using AES-CBC-128. Then the RSA-encrypted AES key is prepended to the beginning of every encrypted file, together with the original file permissions and the IV used by the AES algorithm. All the encrypted files have ".encrypted" added at the end of their file name.

The program uses the libc rand() function, with the timestamp at the moment of encryption as the seed, to generate the IV and the keys.

Decryption

When the payment to the cybercriminal is made, the victim can download a PHP script to their computer. This script will use the RSA private key to recover the symmetric AES key and decrypt all the files with the ".encrypted" extension. Along with the file decryption, the decryption tool will also delete every "readme_for_decryption.txt" file on the hard drive.

Recovering files

Because of the use of the timestamp as a seed for creating the keys and the IV for encryption, decryption of files encrypted by the ransomware is trivial given that the original timestamp information is kept intact. Researchers at Bitdefender Labs have found and exploited this weakness to recover the files without having to pay the criminals.

On other Unix systems

Linux.Encoder.1 has been recompiled on Mac, called KeRanger. There is a version that infects FreeBSD.

References

Bisson, David (November 10, 2015). "Website files encrypted by Linux.Encoder.1 ransomware? There is now a free fix". Graham Cluley. Retrieved 2015-11-16.
"Encryption ransomware threatens Linux users". Dr. Web. November 6, 2015. Retrieved 2015-11-16.
"Linux Ransomware Debut Fails on Predictable Encryption Key". Bitdefender Labs. November 10, 2015. Retrieved 2015-11-16.
"Linux.Encoder.1". Dr. Web. November 5, 2015. Retrieved 2015-11-16.
Rubin, Netanel (April 20, 2015). "Analyzing the Magento Vulnerability". Check Point Blog. Retrieved 2015-11-16.
"Ransomware Now Gunning for Your Web Sites". Krebs on Security. November 15, 2015. Retrieved 2015-11-16.
