Linux Ransomware has predictable key, automated decryption tool released

Linux.Encoder.1 has been broken by researchers, administrators warned that this flaw was a lucky one

linux penguin shoot
Credit: CSO staff

Last week, researchers from Russian antivirus vendor Doctor Web discovered a new Ransomware family targeting Linux systems.

They called the malware Linux.Encoder.1, and warned administrators with Magento installations to patch immediately, as the malware was observed targeting flaws in CMS software.

Linux.Encoder.1 starts in the home directory, and targets a number of common file formats including, PHP, HTML, TAR, GZ, JPG, TPL, RUBY, JAR, etc. IDG's Lucian Constantin explained the seriousness of the situation when it comes to attacks against Linux, in a post on CSO earlier today.

"Unlike consumer PCs or business workstations, Web servers are more likely to have a backup routine configured. However, this ransomware program also encrypts archives and directories that contain the word backup, so it's critically important to regularly save backups to a remote server or offline storage," he wrote.

On Monday, researchers at Bitdefender discovered a critical flaw in how Linux.Encoder.1 operates while testing a sample in their lab.

The key aspect of the flaw also helps exploit it, an AES key that is generated locally on the victim’s computer.

"We realized that, rather than generating secure random keys and IVs, the sample would derive these two pieces of information from the libc rand() function seeded with the current system timestamp at the moment of encryption. This information can be easily retrieved by looking at the file’s timestamp. This is a huge design flaw that allows retrieval of the AES key without having to decrypt it with the RSA public key sold by the Trojan’s operator(s)," the company explained in a recent post.

Exploiting this fundamental weakness, Bitdefender released a tool that will automatically decrypt any files on a victim's system that were targeted.

The tool and instructions are available on Bitdefender's post, the company will also offer free support for those who need it.

"If your machine has been compromised, consider this a close shave. Most crypto-ransomware operators pay great attention to the way keys are generated in order to ensure your data stays encrypted until you pay," Bitdefender stressed.

The takeaway, Bitdefender says, is that while the mistakes made by the malware's developers are extremely fortunate, they're also extremely rare. Now that Linux is a known target, mistakes like this will be few and far between.

Again, if it wasn't for the flaw, the only thing that would save the infected systems is a full restore. However, because it targets backups, administrators are urged to use off-site backups when possible.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.