November 20, 2015
Although this Trojan was added to the Dr.Web virus databases as the second in its family, it was actually created earlier and had not previously come under the scrutiny of security researchers. Moreover, not long ago another anti-virus company published the results of its examination of a Trojan dubbed Linux.Encoder.0, which is assumed to be the pioneer of this group; Linux.Encoder.2 was distributed from September to October 2015, and Linux.Encoder.1 appeared later.
Unlike Linux.Encoder.1, this modification employs a different pseudorandom number generator and encrypts files using the OpenSSL library rather than PolarSSL. Encryption is performed in AES-OFB-128 mode with the cipher context reinitialized every 128 bytes, that is, every 8 AES blocks. Linux.Encoder.2 also differs from the other version of this encoder in a number of other significant ways.
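To make the mode described above concrete, here is an added example (not code from the malware or from Doctor Web) of AES-128-OFB with the cipher context rebuilt at every 128-byte boundary, alongside ordinary single-context OFB for comparison. How Linux.Encoder.2 derives the key and IV for each chunk is not stated in the article, so the `ivFor` callback and the sample key, IV and plaintext are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// ChunkSize is the reinitialization interval from the article: 128 bytes, i.e. 8 AES blocks.
const ChunkSize = 8 * aes.BlockSize

// ofbChunked applies AES-128-OFB to data but rebuilds the OFB context at the start of every
// chunk-sized slice, so the keystream restarts there instead of continuing. ivFor gives the IV
// for chunk i; the article does not say how the malware derives it, so the caller supplies
// that policy (an assumption of this example). OFB is a keystream XOR, so the same call decrypts.
func ofbChunked(key, data []byte, chunk int, ivFor func(i int) []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	for i, off := 0, 0; off < len(data); i, off = i+1, off+chunk {
		end := off + chunk
		if end > len(data) {
			end = len(data) // last chunk may be shorter; OFB needs no padding
		}
		stream := cipher.NewOFB(block, ivFor(i)) // new context for this chunk
		stream.XORKeyStream(out[off:end], data[off:end])
	}
	return out, nil
}

// ofbPlain is ordinary AES-OFB: one context for the whole buffer, i.e. a single chunk.
func ofbPlain(key, iv, data []byte) ([]byte, error) {
	return ofbChunked(key, data, len(data), func(int) []byte { return iv })
}

func main() {
	// Constructed sample values, not taken from the malware.
	key, iv := []byte("0123456789abcdef"), []byte("fedcba9876543210")
	plain := bytes.Repeat([]byte("A"), 3*ChunkSize+5)
	sameIV := func(int) []byte { return iv }
	ct, _ := ofbChunked(key, plain, ChunkSize, sameIV)
	back, _ := ofbChunked(key, ct, ChunkSize, sameIV)
	ref, _ := ofbPlain(key, iv, plain)
	fmt.Println("round trip:", bytes.Equal(back, plain),
		"| first chunk = plain OFB:", bytes.Equal(ct[:ChunkSize], ref[:ChunkSize]),
		"| rest = plain OFB:", bytes.Equal(ct[ChunkSize:], ref[ChunkSize:]))
}
```

Running it shows that the first 128 bytes coincide with ordinary OFB and that the output diverges from the 129th byte on, which is exactly the point where the reinitialized keystream no longer continues the single-context one.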
It should be noted that none of the known file decryption utilities delete the shell script from the infected server, so cybercriminals can use it later to reinfect the system. That is why Doctor Web technical support specialists help every user who submits a request ticket to remove additional malicious programs from their systems and to protect their machines from future attacks carried out using this script.
The signature of Linux.Encoder.2 was added to Dr.Web virus databases for Linux. Doctor Web security researchers have developed a new technique that, in most cases, can help decrypt files compromised by the malware. If you have fallen victim to Linux.Encoder.2, follow the guidance below:
- Notify the police.
- Do not, under any circumstances, attempt to change the contents of directories with encrypted files.
- Do not delete any files from the server.
- Do not try to restore the encrypted data by yourself.
- Contact Doctor Web technical support (free decryption service is only available to users who have purchased commercial licenses for Dr.Web products).
- Attach a file encrypted by the Trojan to the request ticket.
- Wait for a response from technical support. Due to a large number of requests, it may take some time.
Once again we would like to point out that free decryption service is only available to users who have purchased commercial licenses for Dr.Web products. Doctor Web cannot guarantee that all your files will be decrypted successfully. However, our specialists will do their best to recover the encrypted data.