Encryption ransomware threatens Linux users

lxskllr

No Lifer
Nov 30, 2004
Once launched with administrator privileges, the Trojan dubbed Linux.Encoder.1 downloads files containing cybercriminals' demands and a file with the path to a public RSA key. After that, the malicious program starts as a daemon and deletes the original files. Subsequently, the RSA key is used to store AES keys which will be employed by the Trojan to encrypt files on the infected computer.

Not sure how that happens. What would possess a site owner to download and run some random executable?
 

blankslate

Diamond Member
Jun 16, 2008
Not sure how that happens. What would possess a site owner to download and run some random executable?

Probably a person who recently became a user of Linux with more time using Windows or OSX. There are plenty of non-security-conscious users to be had from there.


 

lxskllr

No Lifer
Nov 30, 2004
Probably a person who recently became a user of Linux with more time using Windows or OSX. There are plenty of non-security-conscious users to be had from there.



There's a lot less need when running a GNU/Linux server though. It's not like they're downloading cracked games, or Photoshop. Everything needed should be in the repos. Doing anything else is harder, and against tutorials one might find.
 

Red Squirrel

No Lifer
May 24, 2003
Yeah, nothing foreign should ever be executed on a server anyway. Though of course you have stuff like Heartbleed and Shellshock and who knows what else has not been discovered yet that would allow a hacker to execute stuff remotely, so if those aren't patched you could be in a world of hurt.
 

TheRyuu

Diamond Member
Dec 3, 2005
There's an automatic decryption tool available[1]. It seems this ransomware has some not so great crypto so it made it possible to recover the AES keys that were used to encrypt the files.

We mentioned that the AES key is generated locally on the victim’s computer. We looked into the way the key and initialization vector are generated by reverse-engineering the Linux.Encoder.1 sample in our lab. We realized that, rather than generating secure random keys and IVs, the sample would derive these two pieces of information from the libc rand() function seeded with the current system timestamp at the moment of encryption. This information can be easily retrieved by looking at the file’s timestamp. This is a huge design flaw that allows retrieval of the AES key without having to decrypt it with the RSA public key sold by the Trojan’s operator(s).

[1] http://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/
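To make the quoted flaw concrete, here is an added example (not from the thread, and not Bitdefender's tool) that models a timestamp-seeded rand() key derivation and then recovers the seed from a file's mtime by trial decryption against a known header. The cipher is a constructed XOR stand-in rather than AES, and all timestamps and plaintext are constructed; only the search logic matters.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define KEY_LEN 16

/* Weak derivation modelled on the flaw quoted above: seed libc rand() with the
 * epoch-second timestamp and pull key bytes from it. Shown only to explain why
 * the key is recoverable from the encrypted file's own timestamp. */
void weak_keygen(time_t ts, uint8_t key[KEY_LEN]) {
    srand((unsigned)ts);
    for (int i = 0; i < KEY_LEN; i++) key[i] = (uint8_t)(rand() & 0xff);
}

/* Stand-in for the block cipher (constructed, NOT AES): XOR one block with the
 * key. The recovery search below does not depend on which cipher is used. */
static void toy_crypt(const uint8_t key[KEY_LEN], const uint8_t in[KEY_LEN], uint8_t out[KEY_LEN]) {
    for (int i = 0; i < KEY_LEN; i++) out[i] = in[i] ^ key[i];
}

/* Recovery: the file's mtime brackets the seed. Walk every second in
 * [mtime - window, mtime + window], re-derive the key, trial-decrypt the first
 * block and compare with the plaintext expected there (e.g. a file magic).
 * Returns the seed that reproduces the plaintext, or -1 if none does. */
long long recover_seed(time_t mtime, int window, const uint8_t first_block_ct[KEY_LEN],
                       const uint8_t known_pt[KEY_LEN]) {
    uint8_t key[KEY_LEN], pt[KEY_LEN];
    for (long long s = (long long)mtime - window; s <= (long long)mtime + window; s++) {
        weak_keygen((time_t)s, key);
        toy_crypt(key, first_block_ct, pt);
        if (memcmp(pt, known_pt, KEY_LEN) == 0) return s;
    }
    return -1;
}

/* End-to-end demo on constructed data: a file whose first 16 bytes are a known
 * HTML header is "encrypted" at true_ts; its mtime is true_ts + skew seconds. */
long long demo_recover(long long true_ts, int skew) {
    static const uint8_t header[KEY_LEN] = "<!DOCTYPE html>";  /* constructed known plaintext */
    uint8_t key[KEY_LEN], ct[KEY_LEN];
    weak_keygen((time_t)true_ts, key);
    toy_crypt(key, header, ct);                        /* what the victim is left with */
    return recover_seed((time_t)(true_ts + skew), 3600, ct, header);
}

int main(void) {
    long long got = demo_recover(1447200000LL, 42);    /* constructed timestamps */
    printf("recovered seed: %lld (%s)\n", got, got == 1447200000LL ? "matches" : "no match");
    return got == 1447200000LL ? 0 : 1;
}
```

A one-hour window is a few thousand srand()/rand() calls, which is why the timestamp leak collapses the key space; keys and IVs must instead come from the kernel CSPRNG (/dev/urandom or getrandom(2)), where no file metadata narrows the search.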