New encryption ransomware targets Linux systems...

Ransomware has reared its ugly head again and this time it’s Linux users who have been targeted. Known as Linux.Encoder.1 malware, personal and business websites are being attacked and a bitcoin payment of around $500 is being demanded for the decryption of files.

The reason for the alert...
A vulnerability in the Magento CMS was discovered by attackers who quickly exploited the situation. Whilst a patch for critical vulnerability has now been issued for Magento, it is too late for those web administrators who awoke to find the message which included the chilling message “Your personal files are encrypted! Encryption was produced using a unique public key…to decrypt files you need to obtain the private key…you need to pay 1 bitcoin (~420USD)” It is also thought that attacks could have taken place on other content management systems which makes the number affected currently unknown.

How the malware strikes...
The malware hits through being executed with the levels of an administrator. All the home directories as well as associated website files are all affected with the damage being carried out using 128-bit AES crypto. This alone would be enough to cause a great deal of damage but the malware goes further in that it then scans the entire directory structure and encrypts various files of different types. Every directory it enters and causes damage to through encryption, a text file is dropped in which is the first thing the administrator sees when they log on.

There are certain elements the malware is seeking and these are:
Apache installations
Nginx installations
MySQL installs which are located in the structure of the targeted systems

From reports, it also seems that log directories are not immune to the attack and neither are the contents of the individual webpages. The last places it hits – and perhaps the most critical include:
Windows executables
Document files
Program libraries
Active Server (.asp)file Pages

The end result is that a system is being held to ransom with businesses knowing that if they can’t decrypt the files themselves then they have to either give in and pay the demand or have serious business disruption for an unknown period of time.

Demands made...
In every directory encrypted, the malware attackers drop a text file called README_FOR_DECRYPT.txt. Demand for payment is made with the only way for decryption to take place being through a hidden site through a gateway. If the affected person or business decides to pay, the malware is programmed to begin decrypting all the files and it then begins to undo the damage. It seems that it decrypts everything in the same order of encryption and the parting shot is that it deletes all the encrypted files as well as the ransom note itself.

What to do if affected...
Whilst there is now an automated decryption tool which has speedily been developed for those hit by Linux.Encoders.1, the depth of damage caused for some companies may mean that specialist assistance is preferred in the form of a data recovery company. This would be to ensure that all the original data is recovered and that no residual damage has been caused to operating systems and the associated files.