Ransomware Found Targeting Linux Servers and Coding Repositories

Exterminator
Oct 23, 2012
A newly discovered ransomware is attacking Linux Web servers, taking aim at Web development environments used to host websites or code repositories.

Russian antivirus maker Dr.Web came across this malware and said that the ransomware needs root privileges to work. Additionally, the company also said it does not yet know how the ransomware infects computers, but taking into account previous Linux-based malware infections, the main culprit may be an open SSH port with weak credentials (not confirmed).

The ransomware uses AES encryption to lock down files
As for its modus operandi, when the ransomware launches, it starts to download the ransom message, and then a file containing the public RSA key. The latter key is then used to store AES keys used to encrypt the local files.

When this happens, the ransomware adds the .encrypt extension to each file, and places a ransom text message in each folder where it encrypts data.

The ransomware has a taste for Web pages and their associated file extension
The malware specifically targets files in folders that are generally found in Linux Web server setups, or in coding and development environments.

This includes directories like /home, /root, /var/lib/mysql, /var/www, /etc/nginx, /etc/apache2, /var/log, and any directory that includes terms like git, svn, webapp, www, public_html, or backup. The ransomware also looks for files that have extensions specific to Web development environments like .js, .css, .properties, .xml, .ruby, .php, .html, .gz, .asp, and such. Other file extensions known to host data are also covered (.rar, .7z, .xls, .pdf, .doc, .avi, .mov, .png, .jpg, etc.).

Dr.Web detects the ransomware as Linux.Encoder.1. After careful analysis, the company said that Linux.Encoder.1 is coded in C and also uses the PolarSSL library.

Below is an image of the ransom note presented to victims. The ransom is for 1 Bitcoin ($300-$400) only, which is below the average of 2-4 Bitcoin which most ransomware operators ask.

LabZero

There have been three major ransomware-related pieces of news in the past week: the launch of CryptoWall 4.0, the Linux.Encoder.1 ransomware targeting Web servers and coding repositories, and the stupid ransomware that hijacked files and threw away the encryption key. The score is now: Bitdefender - 2, Ransomware - 1.

After the company released yesterday an updated version of their CryptoWall Vaccine that allows users to prevent CryptoWall 4.0 infections, last night the company also managed to find a way to deal with Linux.Encoder.1 infections.

To better understand what Bitdefender's security researchers discovered, a short intro to how this particular ransomware works is needed.

For each file it encrypts, Linux.Encoder.1 uses an AES symmetric key, meaning the same key for encryption and decryption operations. This particular type of encryption algorithm is low on system resources and allows the ransomware to encrypt big files without taking too much time and hoarding local CPU and memory.

Once the file is encrypted using the AES key, to avoid this key from being cracked, the ransomware also encrypts it, but using an RSA asymmetric key, meaning a different key for encryption and decryption operations. This type of encryption requires more resources and time to crack but works fast enough when dealing with small tidbits of data.

While AES encryption takes place locally, the RSA keys are generated on the C&C server, with one (private) key being stored on the hacker's server, and the other (public key) sent to the victim to encrypt the AES key.

Linux.Encoder.1 comes with a major flaw in its encryption process
According to Bitdefender's team, they have identified a flaw in how the ransomware operates.

"We realized that, rather than generating secure random keys and IVs, the sample would derive these two pieces of information from the libc rand() function seeded with the current system timestamp at the moment of encryption," says Bitdefender's Bogdan Botezatu.

This allowed the Bitdefender team to look at the encrypted file's timestamp information, pass it through the libc rand() function and obtain the AES encryption key used by the Linux.Encoder.1 ransomware. As we mentioned above, AES is a symmetric key, and thus the same key obtained above can also be used to decrypt files.

Bitdefender has created a decryption tool that automates this entire process, which it is offering for free, along with installation instructions.

Linux.Encoder.1 Ransomware Has Predictable Encryption Key, Can Be Removed
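The key-recovery idea Bitdefender describes, as an added example in C that is neither the malware's code nor Bitdefender's tool: derive_weak_key_iv is a simplified reconstruction (an assumption for this example) of the rand()-seeded-with-timestamp pattern, and recover_seed walks the seeds around an encrypted file's mtime with a pluggable check; the demo oracle matches a known key/IV pair in place of the real decrypt-and-validate step.

```c
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define KEY_LEN 16
#define IV_LEN  16
/* Simplified reconstruction of the flaw (an assumption, not the malware's
 * code): seed libc rand() with a timestamp, draw key and IV bytes from it. */
void derive_weak_key_iv(time_t ts, unsigned char *key, unsigned char *iv)
{
    srand((unsigned)ts);
    for (size_t i = 0; i < KEY_LEN; i++) key[i] = (unsigned char)(rand() & 0xff);
    for (size_t i = 0; i < IV_LEN; i++)  iv[i]  = (unsigned char)(rand() & 0xff);
}

/* Oracle deciding whether a candidate key/IV is right. A real recovery tool
 * would AES-decrypt a block here and check for sane plaintext. */
typedef int (*key_check_fn)(const unsigned char *key, const unsigned char *iv, void *ctx);

/* Try every seed within +/- window seconds of the encrypted file's mtime (the
 * key was derived moments before the file was written). Returns the seed the
 * oracle accepts, or (time_t)-1 if no seed in the window works. */
time_t recover_seed(time_t mtime, int window, key_check_fn check, void *ctx)
{
    unsigned char key[KEY_LEN], iv[IV_LEN];
    for (time_t ts = mtime - window; ts <= mtime + window; ts++) {
        derive_weak_key_iv(ts, key, iv);
        if (check(key, iv, ctx)) return ts;
    }
    return (time_t)-1;
}

/* Demo oracle: compare against a key/IV pair we already know. It stands in
 * for the decrypt-and-validate step so the search logic can be exercised. */
struct known_pair { unsigned char key[KEY_LEN]; unsigned char iv[IV_LEN]; };

static int matches_known(const unsigned char *key, const unsigned char *iv, void *ctx)
{
    const struct known_pair *k = ctx;
    return memcmp(key, k->key, KEY_LEN) == 0 && memcmp(iv, k->iv, IV_LEN) == 0;
}

/* Constructed scenario: derive at encrypt_ts, pretend the file's mtime is
 * skew seconds later, and try to get the seed back within the window. */
time_t demo_recover(time_t encrypt_ts, int skew, int window)
{
    struct known_pair k;
    derive_weak_key_iv(encrypt_ts, k.key, k.iv);
    return recover_seed(encrypt_ts + skew, window, matches_known, &k);
}
```

The same search fails once the real seed falls outside the window, which is why a recovery tool widens the window or falls back to other timestamps on the file. The lesson for anyone writing crypto code is the mirror image: keys and IVs must come from a CSPRNG such as /dev/urandom, never from rand().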
