A recently-discovered Linux file-encrypting ransomware is spreading faster than first thought, security researchers have warned, a red flag for CISOs who have Linux systems.
The malware, dubbed Linux.Encoder.1 by anti-virus firm Dr. Web, was first thought to have infected a small number of sites when the vendor reported its discovery last week. However, it said that by Nov. 12 thousands more had been discovered through a simple Google search for sites that include the ransom note dropped by the code, and Security Week backed that up with a more recent search.
The discovery means infosec pros need to watch their systems as well as check that their defence systems have been updated to catch the Trojan. An official from BitDefender told Security Week that the malware is usually spread through unpatched software, so security teams have to ensure they have the latest versions of all applications and their plug-ins, such as eBay’s Magento e-commerce platform.
The malware targets website administrators’ credentials, which it uses to download the payload. There have been some cases of an unpatched Magento vulnerability being exploited, Dr. Web’s blog said.
It encrypts all files in home directories and directories related to website administration. Then the Trojan goes through the whole file system, starting with the directory from which it was launched and then with the root directory (“/”). In that pass it encrypts only files with specified extensions, and only if the directory name starts with one of the strings indicated by the cybercriminals.
“Compromised files are appended by the malware with the .encrypted extension. Into every directory that contains encrypted files, the Trojan plants a file with a ransom demand—to have their files decrypted, the victim must pay a ransom in the Bitcoin electronic currency.”
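The behaviour described above (a `.encrypted` suffix on every hit and a ransom note dropped in each affected directory) gives an incident responder two cheap indicators to sweep a host for. The script below is an added triage example, not tooling from Dr. Web or BitDefender: it walks a tree without following symlinks, counts encrypted files per directory, flags directories that have encrypted files but no note (a run cut short, or a second infection), and produces the list of original filenames to pull from backup. The article does not name the ransom-note file, so `RANSOM_NOTE_NAME` is a placeholder to be set to the real name; `demo()` builds a constructed sample tree in a temp directory.

```python
"""Triage sweep for a Linux file-encrypting ransomware that appends
".encrypted" to victims' files and drops a ransom note per directory.
Added example; the note filename is an assumption (placeholder below)."""
import json
import os
import tempfile
from collections import Counter

# Assumption: the article does not give the ransom-note filename, so this is
# a placeholder. Set it to the actual note name when triaging a real host.
RANSOM_NOTE_NAME = "RANSOM_NOTE_PLACEHOLDER.txt"
ENCRYPTED_SUFFIX = ".encrypted"


def original_name(path):
    """Strip the ransomware's suffix so the file can be matched against a backup."""
    if path.endswith(ENCRYPTED_SUFFIX):
        return path[: -len(ENCRYPTED_SUFFIX)]
    return path


def scan_for_encryptor(root, note_name=RANSOM_NOTE_NAME):
    """Walk `root` (symlinks not followed) and return two sorted lists:
    encrypted file paths and directories holding the note, relative to root."""
    encrypted_files = []
    dirs_with_note = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        rel_dir = os.path.relpath(dirpath, root)
        for name in filenames:
            if name.endswith(ENCRYPTED_SUFFIX):
                encrypted_files.append(os.path.join(rel_dir, name))
            elif name == note_name:
                dirs_with_note.append(rel_dir)
    return sorted(encrypted_files), sorted(dirs_with_note)


def triage_report(root, note_name=RANSOM_NOTE_NAME):
    """Summarise the sweep for an incident ticket and a restore job."""
    encrypted_files, dirs_with_note = scan_for_encryptor(root, note_name)
    per_dir = Counter(os.path.dirname(p) for p in encrypted_files)
    noted = set(dirs_with_note)
    return {
        "total_encrypted": len(encrypted_files),
        "affected_dirs": len(per_dir),
        "dirs_with_note": len(dirs_with_note),
        # encrypted files but no note: interrupted run or a repeat infection,
        # which is exactly the case where the free decryptor may not help
        "encrypted_without_note": sorted(d for d in per_dir if d not in noted),
        # original names to restore from backup rather than paying
        "restore_from_backup": [original_name(p) for p in encrypted_files],
    }


def demo():
    """Build a constructed directory tree (not real victim data) and triage it."""
    with tempfile.TemporaryDirectory() as root:
        layout = {
            "home/alice": ["report.docx.encrypted", "photo.jpg.encrypted", RANSOM_NOTE_NAME],
            "home/bob": ["notes.txt.encrypted"],  # note missing on purpose
            "var/www/html": ["index.php.encrypted", RANSOM_NOTE_NAME],
            "var/www/html/images": ["logo.png"],  # untouched
            "etc": ["passwd"],  # untouched
        }
        for d, names in layout.items():
            os.makedirs(os.path.join(root, d), exist_ok=True)
            for n in names:
                with open(os.path.join(root, d, n), "w") as fh:
                    fh.write("constructed sample content\n")
        return triage_report(root)


if __name__ == "__main__":
    # Against a live host you would call triage_report("/") as a
    # non-root read-only user and feed restore_from_backup to your backup tool.
    print(json.dumps(demo(), indent=2))
```

Run it as a read-only, non-root account on the suspect host and keep the output with the ticket; the `restore_from_backup` list is the input for the "restore rather than pay" advice further down.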
The good news, according to BitDefender, is the Trojan’s creators — in this version — didn’t do a good job generating their encryption keys. As a result it has made available a free decryption tool for those stung. However, it may not help if a system is infected more than once and victim files are irreparably damaged.
BitDefender also offers this advice:
– Never run applications that you don’t completely trust as root user. This is a great security risk that will likely compromise your machine or the integrity of the data on it;
– Backup early, backup often. If your computer falls victim to ransomware, it would be better to simply restore the affected files from an earlier backup than to pay the decryption fee. Remember that easy money is the primary driver for crypto-ransomware operators to build these Trojans and perfect them in time. The less profit they make, the lower their interest in developing crypto-ransomware.