
Linux.Encoder.1


First posted on 11 November 2015.
Source: SecurityHome

Aliases:

There are no other names known for Linux.Encoder.1.

Explanation:

Encryption ransomware for Linux written in C using the PolarSSL library.

Once launched with administrator privileges, the Trojan loads into its process memory the files containing the cybercriminals' demands:

  • ./readme.crypto: file with demands,

  • ./index.crypto: HTML file with demands.

As an argument, the Trojan receives the path to the file containing a public RSA key.

Once the files are read, the malicious program starts as a daemon and deletes its original files.

First, the Trojan encrypts files in the following directories:

/home
/root
/var/lib/mysql
/var/www
/etc/nginx
/etc/apache2
/var/log

After that, Linux.Encoder.1 encrypts all files in home directories. Then the Trojan recursively traverses the whole file system, first starting with the directory from which it was launched and then starting from the root directory ("/"). During this traversal, the Trojan encrypts only files in directories whose names start with one of the following strings:

  • public_html

  • www

  • webapp

  • backup

  • .git

  • .svn

Within those directories, the Trojan encrypts only files with the following extensions:
".php", ".html", ".tar", ".gz", ".sql", ".js", ".css", ".txt", ".pdf", ".tgz", ".war", ".jar", ".java", ".class", ".ruby", ".rar", ".zip", ".db", ".7z", ".doc", ".pdf", ".xls", ".properties", ".xml", ".jpg", ".jpeg", ".png", ".gif", ".mov", ".avi", ".wmv", ".mp3", ".mp4", ".wma", ".aac", ".wav", ".pem", ".pub", ".docx", ".apk", ".exe", ".dll", ".tpl", ".psd", ".asp", ".phtml", ".aspx", ".csv"

The Trojan does not encrypt files in the following directories:

/
/root/.ssh
/usr/bin
/bin
/etc/ssh

To encrypt each file, the Trojan generates an AES key. After files are encrypted using AES-CBC-128, they are appended with the .encrypted extension. Into every directory that contains encrypted files, the Trojan plants a README_FOR_DECRYPT.txt file with a ransom demand.

If decryption is initiated, Linux.Encoder.1 uses a private RSA key to recover the AES keys from the encrypted files, traverses the directories in the same order as during encryption, and deletes the README_FOR_DECRYPT.txt files while attempting to decrypt every file with the .encrypted extension.

Upon investigation it was found that some victims were infected more than once (the ransomware was accidentally started more than one time).

This means that some files were encrypted with one key and others with a different set of keys. Worse, the race condition between the concurrent runs left some files irreparably damaged (their content was truncated to zero bytes), and in some cases even the ransom notes themselves were encrypted.
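The targeting rules above (target directories, directory-name prefixes, extension filter, excluded directories) and the re-infection damage just described can be turned into a defender's triage scan of a mounted partition. The script below is an added example written for this page; it is not code from the original description, from Dr.Web or from Bitdefender. It walks a tree, reports .encrypted files and README_FOR_DECRYPT.txt notes, flags files that carry a stacked .encrypted.encrypted suffix (assumed to be the trace of a second run) or that are zero bytes long (the truncation damage), and emits an mtime-ordered list of encrypted files that plays the same role as the sorted_list used in the recovery walkthrough (ordering by mtime is an assumption of this example, not something the page states). The sample tree it builds is a constructed fixture, not data from a real victim.

```python
"""Triage scan for a filesystem hit by Linux.Encoder.1-style ransomware.

Added example (not the page's or any vendor's code). Rules are taken from the
description above; the fixture and the mtime ordering are assumptions.
"""
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Directories the Trojan encrypts first, prefixes of directory names it
# targets during the recursive walk, directories it skips, and the extension
# filter, all as listed in the description (set() removes the duplicate .pdf).
TARGET_DIRS = ("/home", "/root", "/var/lib/mysql", "/var/www",
               "/etc/nginx", "/etc/apache2", "/var/log")
DIR_PREFIXES = ("public_html", "www", "webapp", "backup", ".git", ".svn")
EXCLUDED_DIRS = ("/", "/root/.ssh", "/usr/bin", "/bin", "/etc/ssh")
EXTENSIONS = set("""
.php .html .tar .gz .sql .js .css .txt .pdf .tgz .war .jar .java .class .ruby
.rar .zip .db .7z .doc .pdf .xls .properties .xml .jpg .jpeg .png .gif .mov
.avi .wmv .mp3 .mp4 .wma .aac .wav .pem .pub .docx .apk .exe .dll .tpl .psd
.asp .phtml .aspx .csv""".split())
RANSOM_NOTE = "README_FOR_DECRYPT.txt"
ENC_SUFFIX = ".encrypted"


def in_scope(abs_path: str) -> bool:
    """Would a file at this (pre-encryption) absolute path match the filter?

    Exclusions are matched against the file's immediate parent directory only,
    because treating "/" as an excluded subtree would exclude everything.
    """
    parent = os.path.dirname(abs_path)
    if parent in EXCLUDED_DIRS:
        return False
    if os.path.splitext(abs_path)[1].lower() not in EXTENSIONS:
        return False
    if any(abs_path.startswith(d + "/") for d in TARGET_DIRS):
        return True
    dir_names = abs_path.strip("/").split("/")[:-1]
    return any(n.startswith(p) for n in dir_names for p in DIR_PREFIXES)


@dataclass
class Report:
    encrypted: list = field(default_factory=list)   # (path, mtime) pairs
    notes: list = field(default_factory=list)
    double_encrypted: list = field(default_factory=list)
    truncated: list = field(default_factory=list)


def scan(mount_root: str) -> Report:
    """Walk a mounted tree and classify ransomware artefacts, oldest first."""
    root = Path(mount_root)
    rep = Report()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            rel = "/" + full.relative_to(root).as_posix()
            if name == RANSOM_NOTE:
                rep.notes.append(rel)
                continue
            if not name.endswith(ENC_SUFFIX):
                continue
            st = full.stat()
            rep.encrypted.append((rel, st.st_mtime))
            if name.endswith(ENC_SUFFIX * 2):      # hit by two runs (assumption)
                rep.double_encrypted.append(rel)
            if st.st_size == 0:                    # race-condition truncation
                rep.truncated.append(rel)
    rep.encrypted.sort(key=lambda item: item[1])   # assumed: encryption order
    return rep


def sorted_list(rep: Report) -> list:
    """Encrypted file paths ordered by mtime, like the walkthrough's sorted_list."""
    return [path for path, _ in rep.encrypted]


def build_sample_tree() -> str:
    """Constructed fixture imitating a post-infection web host (not real data)."""
    root = tempfile.mkdtemp(prefix="encoder_triage_")
    files = {
        "var/www/site/index.php.encrypted": b"\x00" * 64,
        "var/www/site/README_FOR_DECRYPT.txt": b"constructed ransom note\n",
        "var/www/site/logo.png.encrypted.encrypted": b"\x00" * 32,  # two runs
        "home/alice/backup/db.sql.encrypted": b"",                  # truncated
        "home/alice/README_FOR_DECRYPT.txt": b"constructed ransom note\n",
        "usr/bin/tool": b"ELF",                                     # untouched
        "home/alice/notes.txt": b"plain",
    }
    for i, (rel, data) in enumerate(files.items()):
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
        ts = 1_447_200_000 + i           # constructed, strictly increasing mtimes
        os.utime(path, (ts, ts))
    return root


if __name__ == "__main__":
    rep = scan(build_sample_tree())
    print(f"{len(rep.encrypted)} encrypted files, {len(rep.notes)} ransom notes")
    print("encrypted twice:", rep.double_encrypted)
    print("truncated to zero bytes:", rep.truncated)
    print("\n".join(sorted_list(rep)))
```

Run it against a real mount by replacing build_sample_tree() with the mount point; the truncated list is what a recovery tool cannot bring back, so it belongs at the top of the incident notes before any decryption attempt.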

Solution:

Here is a step-by-step walkthrough to get your data back:
Thanks to bitdefender.com

  • Download the script from the Bitdefender Labs Repository
    (chances are that encryption also affected the system and you might need to boot from a live CD or mount the affected partition on a different machine)

  • Mount the encrypted partition with the mount command: mount /dev/[encrypted_partition]

  • Generate a list of encrypted files by issuing the following command: /mnt# sort_files.sh encrypted_partition > sorted_list

  • Issue a head command to get the first file: /mnt# head -1 sorted_list

  • Run the decryption utility to get the encryption seed: /mnt# python decrypter.py -f [first_file]

  • Decrypt everything using the displayed seed: /mnt# python /tmp/new/decrypter.py -s [timestamp] -l sorted_list

Given the complexity of the task, we provide free support to any user in need of assistance. Just drop us a line via the comment form below and we'll do our best to help you.

Last update 11 November 2015
