Author of Linux.Encoder Fails for the Third Time, Ransomware Is Still Decryptable


Linux server admins are lucky once again: the ransomware is still a dud and fails to properly hide its encryption key. The Linux.Encoder ransomware has received a third update, which security researchers from Bitdefender have managed to crack, for the third time in a row.

Antivirus maker Dr.Web first discovered Linux.Encoder at the start of November 2015. News about the ransomware spread quickly, mainly because it targeted Web servers, looking to encrypt crucial files used in Web hosting and Web development environments.

Previous Linux.Encoder ransomware versions were duds

Fortunately for all victims, five days later, security researchers from both Bitdefender and Dr.Web announced they’ve identified a weakness in the way the ransomware locks and encrypts files, and both put out decryption tools.

A week later, Bitdefender took a closer look at its telemetry data and past malware samples and discovered a second version of the ransomware, one active in August 2015, which was even easier to decrypt, being an earlier prototype.

Now, Bitdefender’s team is announcing the discovery of the third version of Linux.Encoder, one which already infected around 600 servers.

Bitdefender: Linux.Encoder again? No problem!

Linux.Encoder’s author tried to fix an earlier weakness in how the ransomware generated its supposedly secure random keys: the file’s “last modification” time value (used as input when generating the random data) is now run through a hashing function to obfuscate it.

“Apparently, they have completely forgotten to select a hashing algorithm, so the output of the hashing function is unchanged. This means that all calls to the Update and Finish primitives do not, in effect, do anything,” explains Bitdefender’s Bogdan Botezatu. “As a result, the full AES key is now written to the encrypted file, which makes its recovery a walk in the park.”
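The failure mode Botezatu describes is a classic fail-open bug: a C-style digest API (Init/Update/Final) reports errors through return codes, and if the caller ignores them after failing to select an algorithm, the output buffer is simply left holding whatever it contained before, in this case the raw key material. The following is an added illustration written for this article, not code from the ransomware or from Bitdefender; the `DigestCtx` wrapper, the function names and the 32-byte seed are all constructed, and it assumes (as the quote implies) that the buffer handed to Final already holds the raw key. It contrasts the return-value-ignoring version with one that fails closed.

```python
import hashlib


class DigestCtx:
    """Minimal Init/Update/Final wrapper that signals failure with a 0/1 return
    code instead of raising, mirroring the calling convention of C crypto
    libraries. Constructed for this example; it is not a real library API."""

    def __init__(self):
        self._h = None

    def init(self, algorithm):
        # No algorithm selected: the context stays uninitialised and we report 0.
        if algorithm is None:
            return 0
        self._h = hashlib.new(algorithm)
        return 1

    def update(self, data):
        if self._h is None:
            return 0  # Update on an uninitialised context does nothing
        self._h.update(data)
        return 1

    def final(self, out):
        # Write the digest into the caller-supplied buffer; on failure the
        # buffer is left exactly as it was, which is the crux of the bug.
        if self._h is None:
            return 0
        digest = self._h.digest()
        out[: len(digest)] = digest
        return 1


def derive_key_buggy(seed, algorithm):
    """Return codes ignored. With algorithm=None every call is a silent no-op,
    so the 'hashed' key that ends up in the file is the raw seed itself."""
    out = bytearray(seed)  # assumption: buffer is pre-loaded with the raw key material
    ctx = DigestCtx()
    ctx.init(algorithm)
    ctx.update(seed)
    ctx.final(out)
    return bytes(out)


def derive_key_checked(seed, algorithm):
    """Fail closed: any failed step aborts instead of using unhashed material."""
    out = bytearray(32)
    ctx = DigestCtx()
    if not (ctx.init(algorithm) and ctx.update(seed) and ctx.final(out)):
        raise RuntimeError("digest failed; refusing to use unhashed key material")
    return bytes(out)


def key_material_leaks(derived_key, seed):
    """Simple defender-side check: does the value written out equal the seed?"""
    return derived_key == seed


if __name__ == "__main__":
    seed = bytes(range(32))  # constructed stand-in for the raw random key material
    leaked = derive_key_buggy(seed, None)
    print("buggy, no algorithm -> leaks seed:", key_material_leaks(leaked, seed))
    print("buggy, sha256 -> leaks seed:", key_material_leaks(derive_key_buggy(seed, "sha256"), seed))
    try:
        derive_key_checked(seed, None)
    except RuntimeError as exc:
        print("checked, no algorithm ->", exc)
```

The lesson is independent of the hashing step itself: a key derivation that can silently degrade to the identity function must check every return code (or use an API that raises), and hashing a timestamp does nothing to add entropy to a key that was derived from a low-entropy source in the first place.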

The funny thing about this third version, as Mr. Botezatu also points out, is that the ransomware’s author may have taken the advice of a security researcher on Twitter who, at the time, was ridiculing the weak encryption used in the previous (November) version of Linux.Encoder.

As usual, a Linux.Encoder decryption tool has been kindly provided for free by Bitdefender’s team.
