Linux.Encoder.1: First Ransomware Targets Linux-Powered Websites and Servers

Dubbed Linux.Encoder.1 by Russian antivirus firm Dr.Web, the new strain of ransomware targets Linux-powered websites and servers by encrypting the MySQL, Apache, and home/root folders associated with the target site and demanding 1 Bitcoin (~ $300) to decrypt the files.

Until security researchers produce a decryption tool, they recommend that webmasters back up all important data and keep their files in place in case they are targeted.

Once a system is infected, the Linux.Encoder.1 malware encrypts all files in its home directories and backup directories, as well as the system folders associated with website files, pages, images, code libraries and scripts.




Ransomware Uses AES Encryption
According to the security researchers, the ransomware in question needs root privileges to work. Additionally, when it launches, the malware starts downloading:

  1. The Ransom Message containing the demands of fraudsters
  2. A file containing the public RSA key

After that, the ransomware runs as a daemon and deletes all of the original files. The RSA public key is then used to encrypt the AES keys that the ransomware uses to encrypt the local files on the infected machine.


The ransomware also adds the .encrypt extension to each file it encrypts and writes a ransom text message in every folder.


The malware specifically encrypts files in folders that are typically found in Linux Web server setups, including directories like home, root, MySQL, Apache, and any directory that includes terms such as git, svn, webapp, www, public_html, or backup.

Moreover, the ransomware looks for files that have extensions specific to Web development environments including .js, .css, .properties, .xml, .ruby, .php, .html, .gz, and .asp, as well as other file extensions like .rar, .7z, .xls, .pdf, .doc, .avi, .mov, .png, and .jpg.
Once the victim pays the ransom amount of 1 Bitcoin (~ $300), the system receives a signal to pass over the directories again and decrypt the files.
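The indicators listed above (the targeted directory names, the appended .encrypt extension and the deleted originals) are enough for a quick triage sweep of a suspect web server. The following scanner is an added example, not Dr.Web's tooling or the malware's code; it walks a directory tree, counts .encrypt files per directory, recovers the original extension of each hit and flags hits whose original file is gone. The sample tree it builds is constructed here purely to exercise the scanner.

```python
import os
import tempfile
from collections import Counter

# Indicators from the article: directory terms the malware looks for and the
# suffix it appends to every file it encrypts.
TARGET_DIR_TERMS = ("home", "root", "mysql", "apache", "git", "svn",
                    "webapp", "www", "public_html", "backup")
ENCRYPTED_SUFFIX = ".encrypt"

def is_targeted_dir(path):
    """True when any directory component contains one of the listed terms."""
    parts = path.lower().split(os.sep)
    return any(term in part for part in parts for term in TARGET_DIR_TERMS)

def scan_tree(root):
    """Collect *.encrypt artefacts under root for incident triage: hits per
    directory, original extension of each hit (index.php.encrypt -> .php) and
    hits whose original is gone, as the article says originals are deleted."""
    hits, per_dir, orig_ext, orphaned = [], Counter(), Counter(), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(ENCRYPTED_SUFFIX):
                continue
            full = os.path.join(dirpath, name)
            original = full[:-len(ENCRYPTED_SUFFIX)]
            hits.append(full)
            per_dir[dirpath] += 1
            orig_ext[os.path.splitext(original)[1].lower()] += 1
            if not os.path.exists(original):
                orphaned.append(full)
    return {"encrypted": hits, "per_dir": per_dir,
            "original_ext": orig_ext, "orphaned": orphaned}

def build_sample_tree():
    """Constructed sample layout (not real victim data) for a dry run."""
    root = tempfile.mkdtemp(prefix="encoder_demo_")
    layout = ["var/www/public_html/index.php.encrypt",
              "var/www/public_html/logo.png.encrypt",
              "var/www/public_html/style.css",          # untouched file
              "home/alice/site.tar.gz.encrypt",
              "home/alice/site.tar.gz",                 # original still present
              "opt/tools/readme.md"]                    # outside target dirs
    for rel in layout:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"sample")
    return root
```

On a suspect host, call `scan_tree("/")` (or the web root) and review `per_dir` together with `is_targeted_dir()` to see whether the hits line up with the directory pattern described above; `build_sample_tree()` only exists to try the scanner on a throwaway tree.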



