Linux crypto ransomware continues to wreak havoc, but there’s some good news

The Trojan Encoder crypto ransomware family, whose main targets are web servers running on Linux, is clearly making quite a splash.

Dr. Web, the security company that first warned the public about the malware's existence and behavior, has been forced to announce that its free offer to help customers decrypt files encrypted by this malware is limited to those who were already running one of the company's security solutions at the moment of infection.

“Our anti-virus laboratory receives an enormous number of requests for decryption―including those from users who purchased a Dr.Web license after an infection occurred,” they noted, but also made sure to point out that “in most cases, decryption is not possible – even when contacting Doctor Web’s technical support service for assistance.”

AV maker Bitdefender has also released a tool for decrypting the files, after a flaw was found in the malware's encryption method.

But their tool doesn't offer foolproof decryption either.

“It was brought to our attention that the decryption tool was not working on particular cases. Upon investigation we were surprised to find out that some victims were infected more than one time (the ransomware was accidentally started more than once),” Bitdefender explained.

“This means that some files were encrypted using a key, and others using another set of keys. However, in so doing, the race condition generated leads to some files getting irreparably damaged (their content is truncated to zero). And in some cases even the ransom notes became encrypted!”
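The double-run damage Bitdefender describes has a recognisable footprint on disk: suffixed files of zero length, and a ransom note that itself carries the encrypted-file suffix. The script below is an added example, not code from Bitdefender, Dr.Web or the decryptor, for triaging a recovered web root before running any decryptor, so you know up front which files no key can bring back. The suffix `.encrypted`, the note filename `README_FOR_DECRYPT.txt`, the entropy threshold and the sample directory it builds are all assumptions made for the example; substitute the values seen in your own incident.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed suffix the ransomware appends to encrypted files and assumed
# ransom-note filename: both are placeholders for this example, not values
# taken from the article. Check the real ones in your incident.
ENC_SUFFIX = ".encrypted"
NOTE_NAME = "README_FOR_DECRYPT.txt"

# Anything above this is treated as ciphertext; English text sits near 4.5
# bits/byte, well-encrypted data near 8. Threshold is an assumption.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path) -> str:
    """Classify one suffixed file as truncated, encrypted, or suspicious."""
    if path.stat().st_size == 0:
        return "truncated"        # content lost; no key will bring it back
    head = path.read_bytes()[:4096]
    if shannon_entropy(head) > ENTROPY_THRESHOLD:
        return "encrypted"
    return "suspicious"           # suffix present but content looks like plaintext


def triage(root) -> dict:
    """Walk `root` and report which suffixed files a decryptor can still help with."""
    root = Path(root)
    report = {"truncated": [], "encrypted": [], "suspicious": [], "notes_encrypted": []}
    for path in root.rglob("*"):
        if not path.is_file() or not path.name.endswith(ENC_SUFFIX):
            continue
        rel = path.relative_to(root).as_posix()
        report[classify_file(path)].append(rel)
        # A ransom note that itself carries the suffix means a later run
        # encrypted the note an earlier run dropped.
        if path.name[: -len(ENC_SUFFIX)] == NOTE_NAME:
            report["notes_encrypted"].append(rel)
    for key in report:
        report[key].sort()
    # Either symptom is the signature Bitdefender described for a double run.
    report["double_run_suspected"] = bool(report["truncated"] or report["notes_encrypted"])
    return report


def build_sample_tree(root: Path) -> None:
    """Construct a small fake web root showing the double-run damage pattern."""
    site = root / "site"
    site.mkdir()
    # os.urandom stands in for ciphertext; the sample content is constructed.
    (site / ("index.php" + ENC_SUFFIX)).write_bytes(os.urandom(4096))   # encrypted once
    (site / ("config.php" + ENC_SUFFIX)).write_bytes(b"")               # truncated by the second run
    (site / NOTE_NAME).write_text("Your files are encrypted. Pay to get them back.\n")
    (site / (NOTE_NAME + ENC_SUFFIX)).write_bytes(os.urandom(2048))     # note encrypted by the second run
    (site / "style.css").write_text("body { margin: 0; }\n")            # untouched


def demo() -> dict:
    """Build the constructed sample tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return triage(tmp)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Run `triage()` against a copy of the affected web root, not the live one. Files in the `truncated` list should be restored from backup rather than fed to a decryptor, and a non-empty `notes_encrypted` list is a strong hint that more than one key is in play, so a tool that assumes a single key per host will fail on part of the tree.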

As the ransom amount requested by the criminals wielding this particular crypto ransomware has risen considerably in the last few weeks, from $50 to as much as $999 in some cases, a sentence in one of the ransom messages offers hope for victims in Russia and the CIS:

“The text roughly translates to: ‘If your site is in a zone of Russia and the CIS, we are willing to apologize and decrypt files for free. Also, just drop us an email’,” Malwarebytes’ Jerome Segura explained.

“Attacks against websites are almost always automated and it looks like the author behind this is giving a free pass to fellow citizens who may ‘inadvertently’ get their sites encrypted.”
