Doctor Web warns users about new encryption ransomware targeting Linux operating systems. http://news.drweb.com/show/?i=9686&lng=en
Once launched with administrator privileges, the Trojan dubbed Linux.Encoder.1 downloads files containing cybercriminals' demands and a file with the path to a public RSA key. After that, the malicious program starts as a daemon and deletes the original files. Subsequently, the RSA key is used to store AES keys which will be employed by the Trojan to encrypt files on the infected computer.
Not sure how that happens. What would possess a site owner to download and run some random executable?
Probably a person who recently became a user of Linux with more time using Windows or OSX. There are plenty of non-security conscious users to be had from there.
We mentioned that the AES key is generated locally on the victim's computer. We looked into the way the key and initialization vector are generated by reverse-engineering the Linux.Encoder.1 sample in our lab. We realized that, rather than generating secure random keys and IVs, the sample would derive these two pieces of information from the libc rand() function seeded with the current system timestamp at the moment of encryption. This information can be easily retrieved by looking at the file's timestamp. This is a huge design flaw that allows retrieval of the AES key without having to decrypt it with the RSA public key sold by the Trojan's operator(s).
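The recovery idea in the last post, as an added example (not code from the post or from the analysed sample): because a key derived from `srand(timestamp)` is a pure function of the second it was generated in, walking back from a file's modification time and checking a known file header finds the seed. Assumptions: the one-byte-per-`rand()` mapping, the XOR stand-in for AES, the 60-second window, and all function names and sample values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define KEY_LEN 16

/* Assumed derivation: srand(timestamp), then one rand() byte per key byte.
   The sample's exact byte mapping is not given in the post. */
static void derive_key(time_t seed, uint8_t key[KEY_LEN]) {
    srand((unsigned int)seed);
    for (int i = 0; i < KEY_LEN; i++)
        key[i] = (uint8_t)(rand() & 0xff);
}

/* Toy XOR cipher standing in for AES so the block stays self-contained. */
static void toy_crypt(const uint8_t *key, const uint8_t *in, uint8_t *out, size_t n) {
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ key[i % KEY_LEN];
}

/* Walk back from the file's mtime one second at a time. A candidate seed is
   accepted when the trial decryption starts with the expected file magic.
   Returns the seed, or (time_t)-1 if nothing in the window matches. */
static time_t recover_seed(const uint8_t *ct, const uint8_t *magic, size_t n,
                           time_t mtime, long window) {
    uint8_t key[KEY_LEN], trial[KEY_LEN];
    if (n > KEY_LEN) n = KEY_LEN;
    for (long back = 0; back <= window; back++) {
        derive_key(mtime - back, key);
        toy_crypt(key, ct, trial, n);
        if (memcmp(trial, magic, n) == 0)
            return mtime - back;
    }
    return (time_t)-1;
}

/* Constructed case: a PDF header encrypted at time t, mtime written 3 s later. */
static time_t demo_recover(time_t t, long window) {
    static const uint8_t magic[8] = {'%','P','D','F','-','1','.','4'};
    uint8_t key[KEY_LEN], ct[8];
    derive_key(t, key);
    toy_crypt(key, magic, ct, sizeof ct);
    return recover_seed(ct, magic, sizeof ct, t + 3, window);
}

int main(void) {
    printf("recovered seed: %ld\n", (long)demo_recover(1446768000, 60));
    return 0;
}
```

The search space is one candidate per second of uncertainty about when the file was encrypted, so the RSA-wrapped copy of the key never has to be opened.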