A short time ago, a ransomware was discovered that targeted Linux users. One has the malware named Linux.Encoder.1 denoted.
If the malicious code was able to infect a server or computer, various files were encrypted. To obtain the key, the cyber extortionists demanded a bitcoin.
However, it must also be said that you can actually only get infected through your own fault. An administrator must run the file with root privileges and only then can Linux.Encoder.1 to make its mischief.
Linux.Encoder.1 can be cracked
Fortunately, there are clever minds not only on the dark side of digital power, but also the others have something up their sleeve. In this case it is Bitdefender Labs.
The company reports that you don't need to crack RSA if you can guess the key.
The developers have made a mistake, which the experts at Bitdefender noticed when they downloaded a sample of Linux.Encoder.1 taken under closer scrutiny.
The AES key is generated locally on the victim's computer. Now you have a bit of reverse engineering on Linux.Encoder.1 and looked at how the key and initialization vector are generated. Instead of taking completely random keys and IVs, the malware took this information from the rand() function plus the timestamp of when the file was encrypted. Now you already had a big piece of the puzzle, as you can obtain this timestamp from the encrypted file. It is quite a flaw in the design because you can get the AES key without having to buy the public RSA key.
Automatic tool for decryption is available
Who from Linux.Encoder.1 is infected, can now have his system automatically decrypted – or the files restored to the state before encryption with the malicious code. The tool determines the IV and the key by simply analyzing the file. If you can start a compromised system, you should download the script and run it as superuser root.
It may be that the entire system is compromised and simply won't boot up. In this case you have to boot from a live CD.
With these files Linux.Encoder.1 beat
Step by step
- First of all, download the script from Bitdefender Labs
- It is necessary to mount the partition with encrypted files.Use this command to create a list of encrypted files: sort_files.sh encrypted_partition> sorted_list
- Then you run a head command to get to the first file: head -1 sorted_list
- Now let's run the tool for decryption: python decrypter.py -f [first_file]
- Now decrypt everything using the information you just output (seed): python /tmp/new/decrypter.py -s [timestamp] -l sorted_list
Bitdefender writes that the task is not necessarily trivial. For this reason, they offer free support for all users who need help in this case. One should simply use the comment form on the page.
Linux.Encoder.1 was the first malware or ransomware of its kind for Linux. The cybercriminals will most likely try this again and certainly learn from their own mistakes. For the moment, it seems that careless administrators will get off lightly. They should also learn and have backups accordingly in the future and if you are going to use software from dubious sources, try something like this on a test system first.