Twitter Community Helps Create Improved Linux Encoder Ransomware

New version of dangerous ransomware has infected 600 Linux servers

Antivirus solutions provider Bitdefender has discovered that a third version of the Linux Encoder ransomware is targeting vulnerable servers worldwide.

More than 600 servers have been infected with the ransomware, which appears to have been improved off the back of recommendations from Twitter users, and is said to be similar in behaviour to CryptoWall and TorLocker.

Programming flaw

November 2015 saw the emergence of Linux.Encoder.1, the first piece of ransomware to target vulnerable Linux web servers. A programming flaw allowed Bitdefender researchers to obtain the decryption key and provide victims with a free recovery utility.

crime victimCatalin Cosoi, chief security strategist at Bitdefender, said: “As we expected, the creators of Linux.Encoder have fixed their previous bugs and created a new and improved variant. Luckily for the victims, the new variant of Linux.Encoder is still vulnerable to key recovery attacks.

“The old version of the Linux.Encoder ransomware used to generate a 16-byte initialisation vector and a 16-byte AES key by calling the rand() function. The initial seed to the RNG was taken from the current timestamp, which was actually very close to the modification time of the file after encryption.”

When Bitdefender documented the flawed approach to generating IVs and keys in the previous versions, the Twitter community ridiculed the ransomware developers by suggesting wild improvements to the ransomware’s functionality.

Cosoi said: “Apparently, the operators actually took note of these recommendations; as a result, the IV is now generated from a hash of the file size and the filename – 32 bytes from rand() are hashed 8 times and used as the AES-256 key.”

The flaw that has allowed Bitdefender to break into the new Linux.Encoder ransomware resides in the way the attackers are hashing the random bytes to produce the AES-256 key. The hackers have failed to select a hashing algorithm, so the output of the hashing function is unchanged, according to Bitdefender. This means that all calls to the Update and Finish primitives are ineffective. As a result, the full AES key is now written to the encrypted file, which makes its recovery a simple process.

For those who have been affected by the new version of this ransomware, Bitdefender says that downloading and running its decryption utility tool will help users to retrieve locked files. It is important that users make sure all vulnerable platforms are up-to-date to pre-empt this type of attack. It may not be long until hackers create a working version of the ransomware that won’t be as simple to decrypt, Bitdefender warned.

How much do you know about Open Source technology? Try our quiz!