The ransomware was discovered by Russian anti-malware company Dr. Web on Nov. 6. The firm initially reported that Linux.Encoder.1 had infected only a few Web servers, but on Nov. 13 said that no fewer than 2,000 Web sites had been compromised.
The ransomware mainly targets Web sites deployed on servers running Linux and built with content management systems (CMS) such as WordPress. It also attacks online store management systems such as Magento.
“To mount attacks, virus makers exploited an unidentified vulnerability,” according to Dr. Web. “Once cybercriminals could get access to a Web site, the error.php file was planted on that Internet resource (for Magento, it was placed into the skin/system directory). That file acted as a shell script allowing cyber criminals to perform other illegal actions, in particular, by sending it various commands.”
Ransom in Bitcoins demanded
The malware’s activities are not limited to the Web server directory, according to Dr. Web. Linux.Encoder.1 saves the README_FOR_DECRYPT.txt file, containing decryption instructions and the cybercriminals’ demands, to the server disk.
The attacks on e-commerce sites running Magento resemble earlier ransomware campaigns such as CryptoWall and TorLocker.
“Once the files have been encrypted, the Trojan attempts to also encrypt the contents of the root (/), skipping only critical system files so the operating system will be able to boot up again,” according to Romanian security software firm BitDefender. “At this point, it would be safe to assume that users can’t get their data back unless they pay the operators a fee in exchange for the RSA private key to decrypt the AES symmetric one.”
At the moment, the ransom to unlock the held files stands at around $325 in Bitcoins.
BitDefender said that a major flaw in the way the Trojan was designed allowed the firm to recover the AES key without needing to decrypt it with the RSA private key.
How to get rid of Linux.Encoder.1
If you suspect your system has been infected by Linux.Encoder.1, don’t panic.
Dr. Web recommends the following steps:
- Notify the police.
- Do not, under any circumstances, attempt to change the contents of directories containing encrypted files.
- Do not delete any files from the server.
The company offers free Trojan removal services for its customers.
BitDefender also issued a free Trojan removal tool, along with these instructions for getting your data back:
- Download the script for the ransomware fix here
- Mount the encrypted partition (mount /dev/[encrypted_partition]); the following commands are run from the mount point, /mnt
- Generate a sorted list of encrypted files with the following command: /mnt# sort_files.sh encrypted_partition > sorted_list
- Use head to get the first (earliest) file in the list: /mnt# head -1 sorted_list
- Run the decryption utility, passing that file's timestamp as the encryption seed: /mnt# python /tmp/new/decrypter.py -s [timestamp] -l sorted_list
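The recovery procedure works because the symmetric key was derived from a predictable seed, the timestamp at which encryption began. The following Python model is an added example, not BitDefender's decrypter or the Trojan's code; the PRNG, the XOR stand-in for the cipher, the known "<?php" file header and the timestamp values are all assumptions made to illustrate why a key seeded from a timestamp can be recovered from the earliest encrypted file's mtime.

```python
import random

KNOWN_PHP_PREFIX = b"<?php"  # CMS source files start this way: a known plaintext


def derive_key(seed: int, nbytes: int = 16) -> bytes:
    """Assumed model of the design flaw: key material comes from a deterministic
    PRNG seeded with the encryption timestamp, so the same seed yields the same key."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(nbytes))


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Stand-in for the symmetric cipher (XOR with a repeating key) so the example
    runs without an AES library; the weakness lies in the key, not the cipher."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def candidate_seeds(first_mtime: int, window: int = 10):
    """The earliest encrypted file was written at or shortly after the PRNG was
    seeded, so the seed lies in a small window ending at that file's mtime."""
    return range(first_mtime, first_mtime - window - 1, -1)


def recover_key(ciphertext: bytes, first_mtime: int, window: int = 10):
    """Try each candidate seed; keep the key that turns the start of the
    ciphertext back into the expected PHP header. Returns (seed, key) or None."""
    n = len(KNOWN_PHP_PREFIX)
    for seed in candidate_seeds(first_mtime, window):
        key = derive_key(seed)
        if xor_stream(ciphertext[:n], key) == KNOWN_PHP_PREFIX:
            return seed, key
    return None


def demo() -> bool:
    # Constructed sample: a site file encrypted at a made-up November 2015 timestamp.
    plaintext = b"<?php\necho 'hello';\n"
    true_seed = 1447000000
    ciphertext = xor_stream(plaintext, derive_key(true_seed))
    first_mtime = true_seed + 3  # the file was closed a few seconds after seeding
    found = recover_key(ciphertext, first_mtime)
    return found is not None and xor_stream(ciphertext, found[1]) == plaintext


if __name__ == "__main__":
    print("key recovered from file timestamp:", demo())
```

The same reasoning is what makes the "sort by timestamp, take the first file" steps above sufficient: the mtime of the first file is a tight upper bound on the seed.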
BitDefender also offers free support for users that need assistance.
To avoid getting infected again, follow these recommendations:
- Never run applications that you don’t completely trust as the root user.
- Back up early, back up often.
- If your Linux device is on an organization’s network, consider adding a security solution or anti-malware product that blocks this type of threat.
- Update Web applications as often as possible.