Plain cruelty: Boffins flay Linux ransomware for the third time

World's most determined VXers can't get a break


Probably the world's most tragically determined blackhat developers have had their revitalised Linux.Encoder ransomware pwned again by meddling BitDefender whitehats.

The third iteration of the Linux.Encoder ransomware was unleashed on the world, infecting a paltry 600 servers before a crack team of security analysts returned to rip it apart.

Once again, instead of paying the VXers a Bitcoin to fund training them out of hopelessness, victims can run BitDefender's decryption utility to release their locked-up files free of charge.

Linux.Encoder's defiant developers took lesson from the failings of the first and second versions which were ripped up days after release such that victims could decrypt their files for free, neutering the malware.

They even heeded Twitter invective from the sarcastic security swarm which proffered cryptographic clues about how they may improve their net nasty.

It was not enough, according to BitDefender boffin Radu Caragea.

"As we expected, the creators of Linux.Encoder have fixed their previous bugs and have come up with a new and improved variant," Caragea says.

"Luckily for the victims, the new variant of Linux.Encoder is still vulnerable to key recovery attacks."

Bitdefender highlighted that in earlier versions file modification time could be used to work out the ransomware's random key generation and to reverse the encryption.

Twitter scoffed, pointing out that the method is insecure and should be altered.

"Apparently, the operators actually took note of these sarcastic recommendations; as a result, the IV (initialisation vector) is now generated from a hash of the file size and the filename – 32 bytes from rand() are hashed 8 times and used as the AES-256 key," Caragea says.

And the attackers still made n00b-level coding errors. For example, there's a missing static link in the libc library that stops the ransomware launching on older systems that would be easier to pwn.

Caragea called the last Linux.Encoder variant a counterstrike a "close shave" and says victims who escape the grasp of the third version may not get a fourth chance.

"While this is the third lucky strike, please make sure that, after recovery, you update the vulnerable platforms and stop this type of attack cold in the first place."

"Next time, hackers could actually come up with a working version of the ransomware that won’t be as easy to decrypt." ®


Other stories you might like

  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • If you didn't store valuable data, ransomware would become impotent
    Start by pondering if customers could store their own info and provide access

    Column Sixteen years ago, British mathematician Clive Humby came up with the aphorism "data is the new oil".

    Rather than something that needed to be managed, Humby argued data could be prospected, mined, refined, productized, and on-sold – essentially the core activities of 21st century IT. Yet while data has become a source of endless bounty, its intrinsic value remains difficult to define.

    That's a problem, because what cannot be valued cannot be insured. A decade ago, insurers started looking at offering policies to insure data against loss. But in the absence of any methodology for valuing that data, the idea quickly landed in the "too hard" basket.

    Continue reading
  • What if ransomware evolved to hit IoT in the enterprise?
    Proof-of-concept lab work demos potential future threat

    Forescout researchers have demonstrated how ransomware could spread through an enterprise from vulnerable Internet-of-Things gear.

    The security firm's Vedere Labs team said it developed a proof-of-concept strain of this type of next-generation malware, which they called R4IoT. After gaining initial access via IoT devices, the malware moves laterally through the IT network, deploying ransomware and cryptocurrency miners while also exfiltrating data, before taking advantage of operational technology (OT) systems to potentially physically disrupt critical business operations, such as pipelines or manufacturing equipment.

    In other words: a complete albeit theoretical corporate nightmare.

    Continue reading

Biting the hand that feeds IT © 1998–2022