Linux.Encoder.1 has been broken by researchers; administrators warned that this flaw was a lucky one

Last week, researchers from Russian antivirus vendor Doctor Web discovered a new ransomware family targeting Linux systems. They called the malware Linux.Encoder.1 and warned administrators with Magento installations to patch immediately, as the malware was observed targeting flaws in CMS software.

Linux.Encoder.1 starts in the home directory and targets a number of common file formats, including PHP, HTML, TAR, GZ, JPG, TPL, RUBY, JAR, etc.

IDG's Lucian Constantin explained the seriousness of the situation when it comes to attacks against Linux in a post on CSO earlier today.

“Unlike consumer PCs or business workstations, Web servers are more likely to have a backup routine configured. However, this ransomware program also encrypts archives and directories that contain the word backup, so it's critically important to regularly save backups to a remote server or offline storage,” he wrote.

On Monday, researchers at Bitdefender discovered a critical flaw in how Linux.Encoder.1 operates while testing a sample in their lab. The flaw lies in how the AES key is generated locally on the victim's computer, and the same detail is what makes it exploitable.

“We realized that, rather than generating secure random keys and IVs, the sample would derive these two pieces of information from the libc rand() function seeded with the current system timestamp at the moment of encryption. This information can be easily retrieved by looking at the file's timestamp.
This is a huge design flaw that allows retrieval of the AES key without having to decrypt it with the RSA public key sold by the Trojan's operator(s),” the company explained in a recent post.

Exploiting this fundamental weakness, Bitdefender released a tool that automatically decrypts any files on a victim's system that were targeted. The tool and instructions are available in Bitdefender's post, and the company will also offer free support to those who need it.

“If your machine has been compromised, consider this a close shave. Most crypto-ransomware operators pay great attention to the way keys are generated in order to ensure your data stays encrypted until you pay,” Bitdefender stressed.

The takeaway, Bitdefender says, is that while the mistakes made by the malware's developers are extremely fortunate for victims, they are also extremely rare. Now that Linux is a known target, mistakes like this will be few and far between.

Again, if it weren't for the flaw, the only thing that would save the infected systems is a full restore from backup. Because the malware also targets backups, administrators are urged to keep off-site backups whenever possible.
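To make the weakness concrete, here is an added example (written for this page, not Bitdefender's decryption tool or the malware's code) that reproduces the mistake Bitdefender describes and the corresponding recovery. It seeds libc rand() with a timestamp and takes the key and IV straight from the generator's output, then recovers the seed from the encrypted file's mtime by scanning a small window of candidate timestamps backwards and trial-decrypting the first bytes until a known file header (here "<?php") appears. The XOR keystream standing in for AES-CBC, the 16-byte key and IV sizes, the function names, the sample PHP file and the timestamps are all assumptions made for the example; the flaw being shown is the seed, not the cipher.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_LEN 16
#define IV_LEN  16

/* The flawed step: key and IV are simply the first 32 outputs of libc
 * rand() after srand(timestamp). Whoever knows the timestamp knows both. */
void derive_key_iv(uint32_t ts, uint8_t key[KEY_LEN], uint8_t iv[IV_LEN])
{
    srand(ts);
    for (int i = 0; i < KEY_LEN; i++) key[i] = (uint8_t)rand();
    for (int i = 0; i < IV_LEN;  i++) iv[i]  = (uint8_t)rand();
}

/* Toy XOR stream standing in for AES-CBC (an assumption to keep the example
 * short). It is symmetric: applying it twice restores the original bytes. */
void toy_cipher(const uint8_t key[KEY_LEN], const uint8_t iv[IV_LEN],
                uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key[i % KEY_LEN] ^ iv[(i / KEY_LEN) % IV_LEN];
}

/* What the malware does: derive from the current time, then encrypt in place. */
void flawed_encrypt(uint32_t now, uint8_t *buf, size_t len)
{
    uint8_t key[KEY_LEN], iv[IV_LEN];
    derive_key_iv(now, key, iv);
    toy_cipher(key, iv, buf, len);
}

/* Recovery: the encrypted file's mtime is within a few seconds of the seed.
 * Walk back over a window of candidate seeds, re-derive key/IV, trial-decrypt
 * the first bytes and look for a known header (e.g. "<?php" for the PHP files
 * the ransomware targets). Returns the seed, or 0 if nothing in the window
 * matched (which is also the caveat: if mtime was touched later, widen it). */
uint32_t recover_seed(const uint8_t *ct, size_t len, uint32_t mtime,
                      uint32_t window, const char *magic)
{
    size_t mlen = strlen(magic);
    uint8_t head[64];
    if (mlen > len || mlen > sizeof head) return 0;
    for (uint32_t back = 0; back <= window; back++) {
        uint32_t cand = mtime - back;
        uint8_t key[KEY_LEN], iv[IV_LEN];
        derive_key_iv(cand, key, iv);
        memcpy(head, ct, mlen);
        toy_cipher(key, iv, head, mlen);
        if (memcmp(head, magic, mlen) == 0) return cand;
    }
    return 0;
}

/* Full in-place decrypt once the seed is known. Returns 1 on success. */
int recover_file(uint8_t *buf, size_t len, uint32_t mtime, uint32_t window,
                 const char *magic)
{
    uint32_t seed = recover_seed(buf, len, mtime, window, magic);
    if (!seed) return 0;
    uint8_t key[KEY_LEN], iv[IV_LEN];
    derive_key_iv(seed, key, iv);
    toy_cipher(key, iv, buf, len);
    return 1;
}

int main(void)
{
    /* Constructed sample: a small PHP file encrypted at a fixed timestamp;
     * the file's mtime lands a few seconds later, as it would on disk. */
    uint8_t file[] = "<?php echo 'hello'; ?>\n";
    size_t len = sizeof file - 1;
    uint32_t t_encrypt = 1447000000u;
    uint32_t mtime = t_encrypt + 3;

    flawed_encrypt(t_encrypt, file, len);
    printf("encrypted: first byte 0x%02x\n", file[0]);

    if (recover_file(file, len, mtime, 120, "<?php"))
        printf("recovered: %.*s", (int)len, file);
    else
        printf("no seed found in window\n");
    return 0;
}
```

The scan window matters in practice: the timestamp the generator was seeded with is the start of encryption, while mtime is set when the encrypted file is written back, so a window of a minute or two covers the drift on large files. The same search is what separates this case from properly built ransomware: with a key from /dev/urandom or an equivalent CSPRNG there is no small seed space to walk.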