Slashdot Mirror

Linux Ransomware Has Predictable Key, Automated Decryption Tool Released (csoonline.com)

itwbennett writes: Last week a new piece of ransomware was discovered that targets Linux servers. Yesterday, researchers at Bitdefender discovered a critical flaw in how the ransomware (dubbed Linux.Encoder.1) operates while testing a sample in their lab and released a free tool that will automatically decrypt any files on a victim's system that were targeted.

7 of 78 comments

  1. Linux.Encoder.2 by bloodhawk · · Score: 3, Insightful

    So Linux.Encoder.2 out soon?

    1. Re:Linux.Encoder.2 by Attila+the+Bun · · Score: 3, Funny

      If it was open source there'd be a patch already.

    2. Re:Linux.Encoder.2 by crtreece · · Score: 2

      Linux.Encoder.2: Electric Boogaloo

      Coming soon to a DataCenter near you.

      --
      file: .signature not found
  2. The malware is injected into Web sites .. by nickweller · · Score: 3, Informative

    "Typically, the malware is injected into Web sites via known vulnerabilities in site plugins or third-party software — such as shopping cart programs." ref

    "Once launched with administrator privileges, the Trojan loads into the memory of its process files containing cybercriminals' demands:" ref

  3. Re:Still No Word On Infection Vector by grahamsz · · Score: 5, Informative

    I had a server hit by this a few weeks ago. Got the same ransom message shown there. I'm fairly sure it didn't require root, in fact it only encrypted files that were writable by www-data and not the handful in /var/www that were owned by root. The README_FOR_DECRYPT.txt file that was left in every directory was also owned by www-data.

    I'm not sure what was posted in, but the infection mechanism appears to be this single request:

    46.160.xxx.xxx - - [19/Oct/2015:05:14:06 -0400] "POST /wp-content/include.php HTTP/1.0" 404 135395 "-" "Mozilla/5.0 (Windows NT 6.1; rv:10.0.1) Gecko/20100101 Firefox/10.0.1"

    I'm still not really sure how that caused an infection, but I'm guessing it exploited something in the WordPress 404 handler? I don't see any other request from that IP, and the server load spiked right after that as the files started being encrypted.
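The observation above that only files writable by www-data were encrypted points at a check worth running before an incident: which files under the docroot can the web server's own account modify? The following is an added example, not code from the thread or from Bitdefender; it assumes uid/gid 33 for www-data (the Debian default) and uses a constructed stat sample so it runs offline. Pass `file_entries("/var/www")` instead of `SAMPLE` to scan a real tree.

```python
import os
import stat

# Assumption: Debian/Ubuntu www-data is uid 33 / gid 33; adjust for other distros.
WWW_DATA_UID = 33
WWW_DATA_GID = 33


def file_entries(root):
    """Walk a docroot and return (path, uid, gid, mode) for regular files.
    Symlinks are lstat'ed and skipped so only real files are judged."""
    out = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode):
                out.append((p, st.st_uid, st.st_gid, st.st_mode))
    return out


def writable_by(entries, uid, gid):
    """Return the paths the given (uid, gid) could overwrite: the owner write
    bit if it owns the file, the group write bit if it shares the group, or
    the world-writable bit. These are exactly the files a process running as
    the web server user could encrypt in place."""
    hits = []
    for path, st_uid, st_gid, mode in entries:
        if ((st_uid == uid and mode & stat.S_IWUSR)
                or (st_gid == gid and mode & stat.S_IWGRP)
                or (mode & stat.S_IWOTH)):
            hits.append(path)
    return hits


# Constructed sample of what a scan of /var/www might return (not real stat data):
# a root-owned read-only file, a group-writable config, an upload owned by
# www-data, and a world-writable stray file.
SAMPLE = [
    ("/var/www/html/index.php", 0, 0, 0o100644),
    ("/var/www/html/wp-config.php", 0, WWW_DATA_GID, 0o100660),
    ("/var/www/html/wp-content/uploads/a.jpg", WWW_DATA_UID, WWW_DATA_GID, 0o100644),
    ("/var/www/html/readme.txt", 0, 0, 0o100666),
]

if __name__ == "__main__":
    for path in writable_by(SAMPLE, WWW_DATA_UID, WWW_DATA_GID):
        print("writable by www-data:", path)
```

Only the uploads directory normally needs to be writable by the web server; code and configuration files that show up in this list are candidates for `chown root` and `chmod 644` so that a compromise of the PHP process cannot rewrite (or encrypt) them.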

  4. Re:Still No Word On Infection Vector by fearlezz · · Score: 2

    I think the 404 doesn't necessarily mean something is wrong with the WP 404 handler. It could have been generated by the malware itself with <?php header("HTTP/1.1 404 Not Found"); ?>. Seeing a 404 in the logs will probably make a lot of victims believe that line was not related to the intrusion.

    --
    .sig: No such file or directory
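The two posts above together give a usable detection rule: a request that returns 404 but carries a body far larger than any real "not found" page, and a POST to a resource that supposedly does not exist, are both worth alerting on regardless of the status code. The following is an added example, not code from the thread; it parses Apache combined-format access log lines, using the line quoted above plus constructed benign traffic as sample input.

```python
import re

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log: the first line is the request quoted in the thread,
# the remaining lines are made-up benign traffic for contrast.
SAMPLE_LOG = """\
46.160.xxx.xxx - - [19/Oct/2015:05:14:06 -0400] "POST /wp-content/include.php HTTP/1.0" 404 135395 "-" "Mozilla/5.0 (Windows NT 6.1; rv:10.0.1) Gecko/20100101 Firefox/10.0.1"
203.0.113.5 - - [19/Oct/2015:05:14:10 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Oct/2015:05:14:12 -0400] "GET /missing.html HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Oct/2015:05:15:00 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    return entry


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def flag_requests(entries, min_404_bytes=4096):
    """Return (ip, path, reasons) for entries matching either indicator.
    A genuine 404 page is a few hundred bytes; a script that emits a 404
    header and then does real work (as the post above suggests) returns far
    more. A POST to a path the server says is missing is odd on its own."""
    hits = []
    for e in entries:
        reasons = []
        if e["status"] == 404 and e["size"] >= min_404_bytes:
            reasons.append("404 with oversized body (%d bytes)" % e["size"])
        if e["status"] == 404 and e["method"] == "POST":
            reasons.append("POST to missing resource")
        if reasons:
            hits.append((e["ip"], e["path"], reasons))
    return hits


if __name__ == "__main__":
    for ip, path, reasons in flag_requests(parse_log(SAMPLE_LOG)):
        print(ip, path, "; ".join(reasons))
```

The size threshold is the part to tune per site: measure what your own 404 page returns and set `min_404_bytes` a little above it, so that the rule keys on the mismatch between the status and the work actually done rather than on the status alone.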
  5. Re:So let's get this straight by Applehu+Akbar · · Score: 2

    Many of the lusers at my employer of 900 people get malware often. They click on links in obvious scam emails, open attachments that are promised to be cool, etc.

    In short, the idiots are out there and working hard at it.

    Ransomware is not as blatant as that because the most lucrative targets are businesses. Typically the vector is an official-looking email that says something like "Track the package you ordered by clicking here..."