Can’t get a break: Pwned Linux ransomware pwned again, infects 3000

Share this…

Versions one, two, decrypted days after launch.

Pwned ransomware Linux Encoder has infected 3000 machines in a month, Russian security firm Dr Web says, despite the fact both versions of the software have been neutered.

The first version of the ransomware was decrypted by security boffins at BitDefender days after it was first revealed by Dr Web.

Linux.Encoder.1 encrypts all files in the home, root, MySQL, Apache, and Nginx directories using 128-bit AES.

It then encrypts directory contents that include in strings public_html, www, webapp, backup, .git, and .svn.

WordPress and Magento sites are the main targets. The software had infected 2000 sites by 12 November and surpassed 3000 two weeks later.

Pwned Linux ransomware pwned again, infects 3000

Dr Web reported the second iteration of Linux Encoder on 20 November noting that it was different thanks to its use of another pseudorandom number generator, the use of OpenSSL over PolarSSL, and encryption made using AES-OFB-128 mode with context reinitialisation every 8 AES blocks.

That too can be unlocked using Dr Web’s online portal.

BitDefender bod Radu Caragea says most ransomware like Cryptowall are solid pieces of malware that resist decryption efforts.

“If your machine has been compromised, consider this a close shave,” Caragea says. “Most crypto-ransomware operators pay great attention to the way keys are generated in order to ensure your data stays encrypted until you pay.”

System admins should back up to offline media and consider running the low-impact the Cryptowall pre-eemptive defence tool on PCs where critical data resides which prevents the nasty malware from executing.