Linux.Encoder

Linux.Encoder (also known as ELF/Filecoder.A and Trojan.Linux.Ransom.A) is considered to be the first ransomware Trojan targeting computers running Linux.^[1] There are additional variants of this Trojan that target other Unix and Unix-like systems. Discovered on November 5, 2015, by Dr. Web, this malware affected at least tens of Linux users.^[2]

Linux.Encoder.1 is remotely executed on the victim's computer by using a flaw in Magento, a popular Content management system app. When activated, the malware encrypts certain types of files stored on mounted local and network drives using AES and RSA Public-key cryptography, with the private key stored only on the malware's control servers. The malware then store a file called "readme_to_decrypt.txt" in every directory, containing a message, which offers to decrypt the data if a payment (through Bitcoin) is made.^[3] Compared to other ransomware such as CryptoLocker, the malware does not state a deadline to pay and the ransom does not increase over time.

Discovery[edit]

On November 5, 2015, Dr. Web, a Russian anti-malware company added to its virus database Linux.Encoder.1. The company then published the malware description the day after. This ransomware is written in C using the PolarSSL library.^[4]

Operation[edit]

Propagation[edit]

According to Bitdefender Labs, the most common infection vector is through a flaw in Magento, a shopping cart software. CheckPoint, reported this vulnerability in April 2015.^[5] After this report, Magento issued a fix. However, a lot of small e-commerce sites did not apply this critical update.^[6] Linux host might also be attacked using other exploits.

File encryption[edit]

Encrypted files[edit]

When run as root, the program loads two files into memory containing the attackers' demands:

./readme.crypto
./index.crypto

After this the ransomware receives the public RSA key. The malware will then start as a daemon and delete all its original files. The trojan will encrypt files with the extensions : ".php", ".html", ".tar", ".gz", ".sql", ".js", ".css", ".txt" ".pdf", ".tgz", ".war", ".jar", ".java", ".class", ".ruby", ".rar" ".zip", ".db", ".7z", ".doc", ".pdf", ".xls", ".properties", ".xml" ".jpg", ".jpeg", ".png", ".gif", ".mov", ".avi", ".wmv", ".mp3" ".mp4", ".wma", ".aac", ".wav", ".pem", ".pub", ".docx", ".apk" ".exe", ".dll", ".tpl", ".psd", ".asp", ".phtml", ".aspx", ".csv".

The malicious program encrypts files with the aforementioned extensions in the following directories:

/home
/root
/var/lib/mysql
/var/www
/etc/nginx
/etc/apache2
/var/log

After this, the malware will encrypt all the files from directories with a name starting by:

public_html
www
webapp
backup
.git
.svn

The program will not encrypt files in the following directories

/
/root/
.ssh
/usr/bin
/bin
/etc/ssh

Content of the "readme_for_decrypt.txt" on a Linux server.

The program will then generate a file called "readme_for_decryption.txt" in every folder. This file contains the Bitcoin address generated specifically for the ransom and the website to download the decrypting tool hosted on a .onion website.

Encryption method[edit]

Like other ransomware, Linux.Encoder.1 use mixed-encryption algorithms to encrypt data. It starts by generating an AES key on the victim's device and encrypts all of the previous files using AES-CBC-128. Then the RSA-encrypted AES key is prepended to the beginning of every encrypted file, with the original file permissions and the IV used by the AES algorithm. All the encrypted files have ".encrypted" added at the end of their file name.^[3]

The program use the libc rand() function with the timestamp at the moment of encryption as seed to generate the IV and the keys.

Decryption[edit]

When the payment to the cybercriminal is made, the victim can download a PHP script to their computer. This script will use the RSA private key to recover the symmetric AES key and decrypt all the files with the ".encrypted" extension. Along with the file decryption, the decryption tool will also delete every "readme_for_decryption.txt" file on the hard drive.

Recovering files[edit]

Because of the use of the timestamp as a seed for creating the keys and the IV for encryption, decryption of files encrypted by the ransomware is trivial given that the original timestamp information is kept intact. Researchers at Bitdefender Labs have found and exploited this weakness to recover the files without having to pay the criminals.^[3]

On other Unix systems[edit]

Linux.Encoder.1 has been recompiled on Mac, called KeRanger.
There is a version that infects FreeBSD.^[4]

References[edit]

^ Bisson, David (November 10, 2015). "Website files encrypted by Linux.Encoder.1 ransomware? There is now a free fix". Graham Cluley. Retrieved 2015-11-16.
^ "Encryption ransomware threatens Linux users". Dr. Web. November 6, 2015. Retrieved 2015-11-16.
^ ^a ^b ^c "Linux Ransomware Debut Fails on Predictable Encryption Key". Bitdefender Labs. November 10, 2015. Retrieved 2015-11-16.
^ ^a ^b "Linux.Encoder.1". Dr. Web. November 5, 2015. Retrieved 2015-11-16.
^ Rubin, Netanel (April 20, 2015). "Analyzing the Magento Vulnerability". Check Point Blog. Retrieved 2015-11-16.
^ "Ransomware Now Gunning for Your Web Sites". Krebs on Security. November 15, 2015. Retrieved 2015-11-16.

[1] Bisson, David (November 10, 2015). "Website files encrypted by Linux.Encoder.1 ransomware? There is now a free fix". Graham Cluley. Retrieved 2015-11-16.

[2] "Encryption ransomware threatens Linux users". Dr. Web. November 6, 2015. Retrieved 2015-11-16.

[:0-3] "Linux Ransomware Debut Fails on Predictable Encryption Key". Bitdefender Labs. November 10, 2015. Retrieved 2015-11-16.

[:1-4] "Linux.Encoder.1". Dr. Web. November 5, 2015. Retrieved 2015-11-16.

[5] Rubin, Netanel (April 20, 2015). "Analyzing the Magento Vulnerability". Check Point Blog. Retrieved 2015-11-16.

[6] "Ransomware Now Gunning for Your Web Sites". Krebs on Security. November 15, 2015. Retrieved 2015-11-16.

[1]

[2]

[3]

[4]

[5]

[6]