
Thanks for playing: New Linux ransomware decrypted, pwns itself

Romanian researchers lay waste to Linux badware, let users out of Cryptowall hell.

Ransomware targeting Linux servers has been thwarted by hard-working security boffins, with help from the software itself, mere days after its existence was made public.

The Linux.Encoder.1 ransomware seeks out Linux systems to encrypt and, like others of its ilk, demands owners pay Bitcoins to have files decrypted.

But the first iteration of the malware has, like most betas, proven fallible.

Not only can it be decrypted using scripts without the need for ransoms to be paid, but it can re-encrypt itself, corrupting files and even encrypting the ransom note that directs victims how to pay the extortion.

Bitdefender security wonks report both failures, including the flaw in Linux.Encoder's local encryption key generation that allowed it to be removed and files decrypted.

"We looked into the way the (AES) key and initialisation vector are generated by reverse-engineering the Linux.Encoder.1 sample in our lab," crypto geek Radu Caragea says.

"The tool determines the initialisation vector and the encryption key simply by analysing the file, then performs the decryption, followed by permission fixing.

"If your machine has been compromised, consider this a close shave. Most crypto-ransomware operators pay great attention to the way keys are generated in order to ensure your data stays encrypted until you pay."

The supposedly secure random keys and initialisation vectors are generated from the libc rand() function, seeded with the current system timestamp at the point of encryption.

"This information can be easily retrieved by looking at the file’s timestamp [and] is a huge design flaw that allows retrieval of the AES key without having to decrypt it with the" attacker's key, he says.
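To illustrate the design flaw described above, here is an added example that is neither Bitdefender's tool nor the malware's code: a constructed stand-in in which the keystream is derived from a PRNG seeded with the encryption-time timestamp, so that the file's own modification time narrows the seed to a handful of candidates, each checkable against a known plaintext header. The same toy cipher keyed from the operating system's CSPRNG shows why the search then fails. The PRNG (Python's `random.Random` in place of libc `rand()`), the XOR keystream in place of AES, the `%PDF-1.4` header and the timestamps are all constructed for the example.

```python
"""Added example, not code from the original article or from Bitdefender:
why a key derived from a PRNG seeded with the encryption timestamp can be
recovered from the encrypted file's mtime, and why a CSPRNG-derived key cannot.
The PRNG, the keystream cipher and the sample file are constructed stand-ins."""
import random
import secrets
from typing import Optional, Tuple

KEY_BYTES = 16
# Constructed: a recognisable file header lets a candidate seed be confirmed
# by checking the first decrypted bytes, with no need for the attacker's key.
KNOWN_HEADER = b"%PDF-1.4"


def keystream_from_seed(seed: int, length: int) -> bytes:
    """Deterministic bytes from a seeded PRNG: a stand-in for rand() after srand(time)."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(length))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def weak_encrypt(plaintext: bytes, timestamp: int) -> Tuple[bytes, int]:
    """Toy cipher keyed only by the timestamp-seeded PRNG.
    Returns the ciphertext and the mtime the file system records (assumed
    to be the same second as the seed, as in the flaw the article describes)."""
    ks = keystream_from_seed(timestamp, len(plaintext))
    return xor_bytes(plaintext, ks), timestamp


def strong_encrypt(plaintext: bytes, timestamp: int) -> Tuple[bytes, int]:
    """Same toy cipher, but the seed is 128 bits from the OS CSPRNG instead of
    the clock. The mtime is still recorded, but it no longer reveals the seed."""
    seed = int.from_bytes(secrets.token_bytes(KEY_BYTES), "big")
    ks = keystream_from_seed(seed, len(plaintext))
    return xor_bytes(plaintext, ks), timestamp


def recover_seed(ciphertext: bytes, mtime: int, window: int = 300) -> Optional[int]:
    """Walk back from the file's mtime over `window` seconds; a candidate seed is
    confirmed when the decrypted prefix equals the known header."""
    n = len(KNOWN_HEADER)
    for seed in range(mtime, mtime - window, -1):
        if xor_bytes(ciphertext[:n], keystream_from_seed(seed, n)) == KNOWN_HEADER:
            return seed
    return None


def decrypt_with_seed(ciphertext: bytes, seed: int) -> bytes:
    return xor_bytes(ciphertext, keystream_from_seed(seed, len(ciphertext)))


if __name__ == "__main__":
    sample = KNOWN_HEADER + b" constructed document body"
    t0 = 1447000000  # constructed encryption time (seconds since the epoch)

    ct, mtime = weak_encrypt(sample, t0)
    found = recover_seed(ct, mtime + 5)  # mtime observed a few seconds after seeding
    print("weak: seed recovered:", found, "plaintext ok:",
          found is not None and decrypt_with_seed(ct, found) == sample)

    ct2, mtime2 = strong_encrypt(sample, t0)
    print("strong: seed recovered:", recover_seed(ct2, mtime2 + 5))
```

The window of 300 seconds is an assumption for the example; in practice the search space is bounded by however loosely the file's mtime tracks the moment the PRNG was seeded. The defensive lesson is the one Caragea draws: key material must come from a CSPRNG, never from a clock-seeded `rand()`.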

Caragea says Bitdefender's tool (available for free on its site) may not work for those Linux admins whose systems have been infected with multiple instances of the Linux ransomware.

This is because files are encrypted using different keys, which creates a race condition that truncates some file contents to zero.

The obliteration of Linux.Encoder.1 comes days after Bitdefender released a preventative tool that stops the reigning ransomware kings Cryptowall and CTB Locker from executing on victim systems. It does so by preventing executables running from the Windows AppData and Startup folders.

Those ransomware variants, including the fourth iteration of Cryptowall also released this week, are well built and do not contain publicly known encryption implementation flaws that could allow files to be decrypted without payment. ®
