This article is more than 1 year old
Plain cruelty: Boffins flay Linux ransomware for the third time
World's most determined VXers can't get a break
Probably the world's most tragically determined blackhat developers have had their revitalised Linux.Encoder ransomware pwned again by meddling BitDefender whitehats.
The third iteration of the Linux.Encoder ransomware was unleashed on the world, infecting a paltry 600 servers before a crack team of security analysts returned to rip it apart.
Once again, instead of paying the VXers a Bitcoin to fund training them out of hopelessness, victims can run BitDefender's decryption utility to release their locked-up files free of charge.
Linux.Encoder's defiant developers took lesson from the failings of the first and second versions which were ripped up days after release such that victims could decrypt their files for free, neutering the malware.
They even heeded Twitter invective from the sarcastic security swarm which proffered cryptographic clues about how they may improve their net nasty.
Reminder to everyone: srand(time()) is not cryptographically secure! You need to do srand(md5(time())).
— the grugq (@thegrugq) November 11, 2015
It was not enough, according to BitDefender boffin Radu Caragea.
"As we expected, the creators of Linux.Encoder have fixed their previous bugs and have come up with a new and improved variant," Caragea says.
"Luckily for the victims, the new variant of Linux.Encoder is still vulnerable to key recovery attacks."
Bitdefender highlighted that in earlier versions file modification time could be used to work out the ransomware's random key generation and to reverse the encryption.
Twitter scoffed, pointing out that the method is insecure and should be altered.
"Apparently, the operators actually took note of these sarcastic recommendations; as a result, the IV (initialisation vector) is now generated from a hash of the file size and the filename – 32 bytes from rand() are hashed 8 times and used as the AES-256 key," Caragea says.
And the attackers still made n00b-level coding errors. For example, there's a missing static link in the libc library that stops the ransomware launching on older systems that would be easier to pwn.
Caragea called the last Linux.Encoder variant a counterstrike a "close shave" and says victims who escape the grasp of the third version may not get a fourth chance.
"While this is the third lucky strike, please make sure that, after recovery, you update the vulnerable platforms and stop this type of attack cold in the first place."
"Next time, hackers could actually come up with a working version of the ransomware that won’t be as easy to decrypt." ®
Biting the hand that feeds IT
