New year begins with new ransomware for Linux
January 12, 2016
Virus makers presumably took advices of some Western anti-virus company, that provided a detailed information on creators’ mistakes in the Linux.Encoder.1 code, and promptly fixed the code errors. Like previous versions of Linux.Encoder, this Trojan penetrates home directory of websites using shell script that is incorporated into various content management systems with unknown vulnerabilities. Linux.Encoder.3 does not require root privileges—web server privileges are enough for the Trojan to encrypt all files in the home directory. So far, Doctor Web technical support has already gotten a number of ticket requests from website owners who encountered Linux.Encoder.3.
Cybercriminals changed encryption algorithms used by the Trojan (taking into account all recommendations given by the before mentioned anti-virus company). However, compromised files are still appended with the .encrypted extension. A key feature of Linux.Encoder.3 is that it can remember file created and modified dates and change them for its modified files with dates specified before the encryption. Every sample of this malicious program uses its unique encryption key created based on parameters of encrypted files and values generated randomly.
A number of architectural features of Linux.Encoder.3 make it possible to successfully decrypt compromised files. However, due to the fact that the mentioned anti-virus company has published a new research of the Trojan containing detailed information about its bugs, virus makers may take advantage of this data to modify the encoder and make the decryption procedure more difficult. Thus, in the near future, it is very likely that yet another modified version of Linux.Encoder will be detected.
If you have fallen victim to Linux.Encoder.3, follow the guidance below:
- Notify the police.
- Do not, under any circumstances, attempt to change the contents of directories with encrypted files.
- Do not delete any files from the server.
- Do not try to restore the encrypted data by yourself.
- Contact Doctor Web technical support (free decryption service is only available to users who have purchased commercial licenses for Dr.Web products).
- Attach a file encrypted by the Trojan to the request ticket.
- Wait for a response from technical support. Due to a large number of requests, it may take some time.
Once again, we would like to point out that free decryption service is only available to users who have purchased commercial licenses for Dr.Web products. Doctor Web cannot guarantee that all your files will be decrypted successfully. However, our specialists will do their best to recover the encrypted data.
Tell us what you think
You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.