This article is more than 1 year old
Thanks for playing: New Linux ransomware decrypted, pwns itself
Romanian researchers lay waste to Linux badware, let users out of Cryptowall hell.
Ransomware targeting Linux servers has been thwarted by hard working security boffins, with help from the software itself, mere days after its existence was made public.
The Linux.Encoder.1 ransomware seeks Linux systems to encrypt and like others of its ilk demands owners pay BitCoins to have files decrypted.
But the first iteration of the malware has, like most betas, proven fallible.
Not only can it be decrypted using scripts without the need for ransoms to be paid, but it can re-encrypt itself, corrupting files and even encrypting the ransom note that directs victims how to pay the extortion.
Bitdefender security wonks report both failures, including the flaw in Linux.Encoder's local encryption key generation that allowed it to be removed and files decrypted.
"We looked into the way the (AES) key and initialisation vector are generated by reverse-engineering the Linux.Encoder.1 sample in our lab," crypto geek Radu Caragea says.
"The tool determines the initialisation vector and the encryption key simply by analysing the file, then performs the decryption, followed by permission fixing.
"If your machine has been compromised, consider this a close shave. Most crypto-ransomware operators pay great attention to the way keys are generated in order to ensure your data stays encrypted until you pay."
The secure random keys and initialisation vectors generate information from the libc rand() function, and are seeded with the current system timestamp at the point of encryption.
"This information can be easily retrieved by looking at the file’s timestamp [and] is a huge design flaw that allows retrieval of the AES key without having to decrypt it with the" attacker's key, he says.
Caragea says BitDefender's tool (available for free on its site) may not work for those Linux admins who have been infected with multiple instances of the Linux ransomware.
This is because files are encrypted using different keys which generates a race condition that truncates some file contents to zero.
The obliteration of Linux.Encoder.1 comes days after BitDefender released a preventative tool that would prevent the reigning ransomware kings Cryptowall and CTB Locker from executing on victim systems. It does so by preventing executables running from the Windows AppData and Startup folders
Those ransomware variants including the fourth iteration of Cryptowall also released this week are well built and do not contain publicly-known encryption implementation flaws that could allow files to be decrypted without payment. ®