New crypto-ransomware targets Linux web servers

There’s a new piece of crypto-ransomware out there, but unlike most malware of this particular type, this one is mainly directed at web servers running on Linux.

The threat has been dubbed Linux Encoder by Dr. Web researchers, and is currently detected by a small fraction of AV solutions.



It is still unknown how the malware ends up on the machines. According to Brian Krebs, in one particular case the server was infected via an unpatched vulnerability in the popular shopping cart software Magento.

“Once launched with administrator privileges, the Trojan (…) downloads files containing cybercriminals’ demands and a file with the path to a public RSA key. After that, the malicious program starts as a daemon and deletes the original files,” the researchers explained. “Subsequently, the RSA key is used to store AES keys which will be employed by the Trojan to encrypt files on the infected computer.”

The Trojan encrypts files in the /home, /root, /var/lib/mysql, /var/www, /etc/nginx, /etc/apache2 and /var/log directories; home directories; directories whose names start with public_html, www, webapp, backup, .git and .svn.

It encrypts a wide variety of files – including Office, documents, image files, HTML and PHP files, archives, DLLs and EXE files – and adds the .encrypted extension to them. Instructions on what to do in order to get the files decrypted are included in each directory.

Dr. Web researchers are working on a technology that can help decrypt data encrypted by this malware, but in the meantime the best protection against its destructiveness is to backup crucial files regularly.

The victim in the case described by Krebs didn’t backup as often as he should have, so he was forced to pay the ransom (1 bitcoin = around $420). Luckily for him, the criminals upheld their end of the bargain, and he got his files back (albeit with a few missing characters, due to a faulty decryption script).