Ransomware Focus: Linux Servers

Tuesday, November 10, 2015 @ 04:11 PM gHale

A new piece of ransomware is going after Linux Web servers targeting Web development environments.

Russian antivirus maker Dr. Web came across this malware and said the ransomware needs root privileges to work. The company also said it does not yet know how the ransomware infects computers.


When the ransomware launches, it first downloads the ransom message and then a file containing a public RSA key. That RSA key is used to encrypt the AES keys which in turn encrypt the local files.

As it encrypts, the ransomware appends the .encrypt extension to each file and drops a ransom text message in every folder where it encrypted data.

The malware specifically targets files in folders found in Linux Web server setups, or in coding and development environments.

This includes directories like /home, /root, /var/lib/mysql, /var/www, /etc/nginx, /etc/apache2, /var/log, and any directory that includes terms like git, svn, webapp, www, public_html, or backup.

The ransomware also looks for files that have extensions specific to Web development environments like .js, .css, .properties, .xml, .ruby, .php, .html, .gz, .asp, and such. Other file extensions known to host data are also covered (.rar, .7z, .xls, .pdf, .doc, .avi, .mov, .png, .jpg, etc.).
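The directory and extension rules above can be turned into a defender-side triage check. The following script is an added example, not code from Dr. Web or from the article: it encodes the listed target directories, name fragments and extensions to estimate which files are in the ransomware's scope, and scans a constructed file listing for files already carrying the .encrypt marker so an administrator can spot encryption in progress.

```python
import os
from collections import Counter

# Directories, name fragments and extensions the article lists as targets.
TARGET_DIRS = ("/home", "/root", "/var/lib/mysql", "/var/www",
               "/etc/nginx", "/etc/apache2", "/var/log")
TARGET_TERMS = ("git", "svn", "webapp", "www", "public_html", "backup")
TARGET_EXTS = {".js", ".css", ".properties", ".xml", ".ruby", ".php", ".html",
               ".gz", ".asp", ".rar", ".7z", ".xls", ".pdf", ".doc", ".avi",
               ".mov", ".png", ".jpg"}
MARKER_EXT = ".encrypt"   # extension appended to each encrypted file

def in_scope(path):
    """True if the ransomware's directory rules would cover this path."""
    d = os.path.dirname(path)
    if any(d == t or d.startswith(t + "/") for t in TARGET_DIRS):
        return True
    # Any path component containing one of the listed terms is also targeted.
    return any(term in part for part in d.split("/") for term in TARGET_TERMS)

def is_target_file(path):
    """True if the file would be encrypted: in scope and has a listed extension."""
    return in_scope(path) and os.path.splitext(path)[1].lower() in TARGET_EXTS

def scan(paths):
    """Return {directory: count} of files already carrying the .encrypt marker."""
    hits = Counter()
    for p in paths:
        if p.endswith(MARKER_EXT):
            hits[os.path.dirname(p)] += 1
    return dict(hits)

def scan_tree(root):
    """Walk a real directory tree and apply scan() to every file under it."""
    return scan(os.path.join(dp, f) for dp, _, fs in os.walk(root) for f in fs)

# Constructed sample listing (not real data) showing a partially encrypted host.
SAMPLE = [
    "/var/www/site/index.php.encrypt",
    "/var/www/site/style.css.encrypt",
    "/var/www/site/README.md",
    "/home/dev/app.git/hooks/pre-commit",
    "/srv/backup/db.sql.gz.encrypt",
    "/opt/vendor/lib.so",
]

if __name__ == "__main__":
    for d, n in scan(SAMPLE).items():
        print(f"{n} encrypted file(s) under {d}")
```

Run `scan_tree("/")` as root on a suspect host to check a live filesystem; any directory reporting hits is a candidate for isolation and restore from offline backups.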

Dr. Web detects the ransomware as Linux.Encoder.1. After analysis, the company said Linux.Encoder.1 is written in C and uses the PolarSSL library.

The ransom demanded is only 1 Bitcoin ($300-$400), below the 2-4 Bitcoin most ransomware operators ask.