Experts at Bitdefender have discovered a flaw in the Linux encryption ransomware Linux.Encoder1 that exposes the decryption key used to lock the files.
Last week security experts at Russian antivirus firm Doctor Web reported the discovery of a new Linux ransomware dubbed Linux.Encoder1 that is targeting Linux systems. It has been estimated that tens of users have already fallen victim to this Linux ransomware. The Linux.Encoder1 ransomware encrypts files present on the system: once a machine is infected, it downloads the files containing the attackers' demands and a file containing the path to a public RSA key. The Linux ransomware is launched as a daemon and deletes the original files; the RSA key is then used to encrypt the AES keys used to encrypt the files.
"First, Linux.Encoder.1 encrypts all files in home directories and directories related to website administration. Then the Trojan recursively traverses the whole file system starting with the directory from which it is launched; next time, starting with a root directory ("/"). At that, the Trojan encrypts only files with specified extensions and only if a directory name starts with one of the strings indicated by cybercriminals." states the post published by Dr Web last week.
Linux.Encoder1 was reportedly spread by exploiting a vulnerability in eBay's popular Magento e-commerce platform. In order to recover the encrypted files, victims are asked to pay one Bitcoin (roughly $380 at today's rate); once the ransom is paid, the files are decrypted using the private RSA key, which recovers the AES key stored in each encrypted file.
Although the algorithms themselves (RSA and AES) are secure and not practically breakable, the researchers at Bitdefender discovered a flaw in the way the ransomware generates the AES key.
"We mentioned that the AES key is generated locally on the victim's computer. We looked into the way the key and initialization vector are generated by reverse-engineering the Linux.Encoder.1 sample in our lab. We realized that, rather than generating secure random keys and [initialization vectors], the sample would derive these two pieces of information from the libc rand() function seeded with the current system timestamp at the moment of encryption." states the post published by BitDefender.
"This information can be easily retrieved by looking at the file's timestamp," Bitdefender said. "This is a huge design flaw that allows retrieval of the AES key without having to decrypt it with the RSA public key sold by the Trojan's operator(s)."
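To make the design flaw concrete, here is an added illustration (not the sample's code and not Bitdefender's tool) of why a key derived from libc rand() seeded with a timestamp is recoverable: the file's modification time bounds the seed to a window of a few seconds, so each candidate key can be re-derived and checked, whereas a key read from the kernel CSPRNG has nothing to re-derive. The exact way the sample turns rand() output into key bytes is not on the page; the 16-byte derivation below is an assumed model.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_LEN 16

/* Assumed model of the flawed derivation: seed libc rand() with a
   timestamp and fill the key from its output. The same seed always
   yields the same key. */
void derive_weak_key(unsigned seed, uint8_t key[KEY_LEN]) {
    srand(seed);
    for (size_t i = 0; i < KEY_LEN; i++)
        key[i] = (uint8_t)(rand() & 0xff);
}

/* Defender's view: the file mtime bounds the seed, so every candidate in
   [mtime - window, mtime] can be enumerated. Here a candidate is checked
   against a known key; a recovery tool would instead trial-decrypt a
   file. Returns the matching seed, or 0 if none matches. */
unsigned find_seed_in_window(const uint8_t want[KEY_LEN],
                             unsigned mtime, unsigned window) {
    uint8_t cand[KEY_LEN];
    for (unsigned s = mtime - window; s <= mtime; s++) {
        derive_weak_key(s, cand);
        if (memcmp(cand, want, KEY_LEN) == 0)
            return s;
    }
    return 0;
}

/* Correct approach: key bytes from /dev/urandom are not a function of
   any observable value, so there is no seed to search for. */
int secure_key(uint8_t key[KEY_LEN]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    size_t n = fread(key, 1, KEY_LEN, f);
    fclose(f);
    return n == KEY_LEN ? 0 : -1;
}

int main(void) {
    uint8_t key[KEY_LEN];
    derive_weak_key(1447000000u, key);            /* constructed timestamp */
    unsigned s = find_seed_in_window(key, 1447000005u, 10);
    printf("weak key re-derived from seed %u\n", s);
    return 0;
}
```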
The flaw allowed the experts at Bitdefender to develop a decryption tool that automatically recovers files encrypted by Linux.Encoder1. The company also provided a script and the procedure to follow to restore the encrypted files. Given the complexity of the procedure, Bitdefender provides free support to any user in need of assistance.
Linux users are advised never to execute untrusted applications with root privileges, and to perform regular backups that allow them to recover encrypted files in case of a ransomware infection.
"Never run applications that you don't completely trust as root user. This is a great security risk that will likely compromise your machine or the integrity of the data on it;
Backup early, backup often. If your computer falls victim to ransomware, it would be better to simply restore the affected files from an earlier backup than to pay the decryption fee."
Yesterday I wrote about another useful tool released by Bitdefender to vaccinate users against the CryptoWall 4.0 threat.