Ransomware having Growth Spurt

Wednesday, November 18, 2015 @ 10:11 AM gHale

The list of web sites infected with the Linux file-encrypting ransomware named Linux.Encoder1 is continuing to rise, researchers said.

When researchers discovered the malware earlier this month, Russian antivirus firm Dr. Web reported the threat had infected some computers, but the number has continued to go up.


The ransomware infects Linux machines set up to host websites by exploiting vulnerabilities in the Magento e-commerce platform and various content management systems (CMSs), researchers said.

The malware targets the root and home folders, and directories storing websites, web servers, backups and source code. The extent of the damage caused by the threat depends on the type of privileges it can obtain on the targeted system.

Based on a Google search for the ransom note dropped by Linux.Encoder1, Dr. Web found 2,000 websites affected.

This Linux encryption ransomware uses strong encryption to ensure that victims cannot recover their files without paying the one Bitcoin ($380) ransom.

Files are encrypted with the AES-128 algorithm using a key generated locally on the infected device. That key is then encrypted with an RSA public key, and since the private key needed for decryption is stored only on the attacker’s machine, recovering the files should be nearly impossible.

Researchers discovered the AES key can be recovered easily because the malware derives it from a system timestamp obtained at the moment of encryption, and that timestamp can be pulled from the encrypted file.
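The weakness described above comes down to key entropy: a key derived from a clock reading has only as many possible values as there are plausible timestamps, and a file's own metadata narrows that range to a handful. The following is an added example, not code from the article or from any analysis of the malware itself. It models the flaw with a constructed weak scheme (a deterministic PRNG seeded with the encryption-time timestamp) against the correct practice of drawing the key from the OS CSPRNG, and shows the kind of check a recovery tool can run: try the few timestamps around the one observed on the file and keep the candidate key that turns the ciphertext back into a known plaintext prefix. The stream cipher, timestamps and sample file content are all constructed stand-ins (SHA-256 in counter mode replaces AES-128 so the example needs no third-party library).

```python
import hashlib
import math
import os
import random


def weak_key_from_timestamp(ts_seconds: int) -> bytes:
    """Constructed weak scheme (not the malware's actual routine): seed a
    deterministic PRNG with the whole-second encryption timestamp and pull
    16 bytes from it. Anyone who learns the timestamp gets the same key."""
    rng = random.Random(ts_seconds)
    return bytes(rng.getrandbits(8) for _ in range(16))


def secure_key() -> bytes:
    """Correct practice: 128 bits from the OS CSPRNG, independent of the clock."""
    return os.urandom(16)


def weak_keyspace_bits(window_seconds: int) -> float:
    """Effective key entropy when the only secret is a timestamp known to lie
    inside a window of the given width (a full day is about 16.4 bits)."""
    return math.log2(window_seconds)


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256: a stand-in for AES-128 here."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Symmetric: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def recover_key(ciphertext: bytes, known_prefix: bytes,
                observed_ts: int, slack: int = 60):
    """Recovery check a decryptor can run against the weak scheme: enumerate
    timestamps within +/- slack seconds of the one read from the file and
    return (timestamp, key) for the candidate that reproduces the expected
    plaintext prefix. Returns None if nothing in the window matches."""
    for ts in range(observed_ts - slack, observed_ts + slack + 1):
        cand = weak_key_from_timestamp(ts)
        if xor_crypt(ciphertext[:len(known_prefix)], cand) == known_prefix:
            return ts, cand
    return None


def demo():
    """Encrypt a constructed web file with the weak scheme, then recover the
    key using only the file's (slightly later) observed modification time."""
    encrypt_time = 1447840000  # constructed timestamp, November 2015
    plaintext = b"<?php\n// index.php of a web shop (constructed sample)\n"
    ciphertext = xor_crypt(plaintext, weak_key_from_timestamp(encrypt_time))
    observed_mtime = encrypt_time + 3  # file written shortly after keying
    return recover_key(ciphertext, b"<?php", observed_mtime)


if __name__ == "__main__":
    ts, key = demo()
    print(f"timestamp {ts} reproduces key {key.hex()}")
    print(f"weak key space for one day: {weak_keyspace_bits(86400):.1f} bits vs 128")
```

The `recover_key` search works because PHP files, images and other web content start with predictable bytes, which is exactly the kind of known-plaintext check a decryptor needs; the same search is hopeless against `secure_key()`, where no observable input narrows the 2^128 candidates.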