Linux ransomware spreading faster than initial reports

A recently-discovered Linux file-encrypting ransomware is spreading faster than first thought, security researchers have warned, a red flag for CISOs who have Linux systems.

The malware, dubbed Linux.Encoder.1 by anti-virus firm Dr. Web, was first thought to have infected a small number of sites when the vendor reported its discovery last week. However, it said that by Nov. 12 thousands more had been discovered through a simple Google search for sites that include the ransom note dropped by the code, and Security Week backed that up with a more recent search.

The discovery means infosec pros need to watch their systems as well as check that their defence systems have been updated to catch the Trojan. An official from BitDefender told Security Week that the malware is usually spread through unpatched software, so security teams have to ensure they have the latest versions of all applications and their plug-ins, such as eBay’s Magento e-commerce platform.

The malware targets website administrators’ credentials, which it uses to download the payload. There have been some cases of an unpatched Magento vulnerability being exploited, Dr. Web’s blog said.

It encrypts all files in home directories and directories related to website administration. Then the Trojan goes through the whole file system, starting with the directory from which it is launched and then with the root directory (“/”). After that, it encrypts only files with specified extensions and only if a directory name starts with one of the strings indicated by the cybercriminals.

“Compromised files are appended by the malware with the .encrypted extension. Into every directory that contains encrypted files, the Trojan plants a file with a ransom demand—to have their files decrypted, the victim must pay a ransom in the Bitcoin electronic currency.”
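The two indicators described above (the appended .encrypted extension and a ransom note planted in every affected directory) are enough for a simple triage sweep. The script below is an added example, not code from the article or from Dr. Web or BitDefender; the article does not name the ransom-note file, so RANSOM_NOTE_NAME is an assumed placeholder to replace with the vendor's published indicator, and the directory tree it scans is constructed in a temp folder.

```python
import os
import tempfile
from pathlib import Path

# Extension the article says the Trojan appends to compromised files.
ENCRYPTED_EXT = ".encrypted"
# Assumed placeholder: the article does not give the note's filename.
RANSOM_NOTE_NAME = "RANSOM_NOTE_PLACEHOLDER.txt"


def scan_for_encrypted(root):
    """Walk root (not following symlinks) and return
    {directory: (encrypted_file_count, ransom_note_present)} for every
    directory that holds at least one .encrypted file or a ransom note."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        enc = sum(1 for f in filenames if f.endswith(ENCRYPTED_EXT))
        note = RANSOM_NOTE_NAME in filenames
        if enc or note:
            hits[dirpath] = (enc, note)
    return hits


def summarize(root):
    """Aggregate counts a responder would report: affected directories,
    encrypted files, and directories where a note was dropped."""
    hits = scan_for_encrypted(root)
    return {
        "dirs": len(hits),
        "files": sum(c for c, _ in hits.values()),
        "notes": sum(1 for _, n in hits.values() if n),
    }


def build_sample_tree():
    """Constructed sample: one web directory hit by the Trojan, one clean."""
    base = Path(tempfile.mkdtemp(prefix="enc-scan-"))
    web = base / "var" / "www" / "html"
    web.mkdir(parents=True)
    (web / "index.php.encrypted").write_bytes(b"\x00" * 16)
    (web / "config.php.encrypted").write_bytes(b"\x00" * 16)
    (web / RANSOM_NOTE_NAME).write_text("constructed ransom note")
    clean = base / "home" / "user"
    clean.mkdir(parents=True)
    (clean / "notes.txt").write_text("untouched")
    return base


if __name__ == "__main__":
    base = build_sample_tree()
    for d, (n, note) in sorted(scan_for_encrypted(base).items()):
        print(f"{d}: {n} encrypted file(s), ransom note present: {note}")
    print(summarize(base))
```

Run it against / or the web root as an unprivileged read-only user; a directory with .encrypted files but no note, or a note with no .encrypted files, still shows up so partial or interrupted runs are not missed.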

The good news, according to BitDefender, is the Trojan’s creators — in this version — didn’t do a good job generating their encryption keys. As a result it has made available a free decryption tool for those stung. However, it may not help if a system is infected more than once and victim files are irreparably damaged.

BitDefender also offers this advice:

– Never run applications that you don’t completely trust as root user. This is a great security risk that will likely compromise your machine or the integrity of the data on it;
– Backup early, backup often. If your computer falls victim to ransomware, it would be better to simply restore the affected files from an earlier backup than to pay the decryption fee. Remember that easy money is the primary driver for crypto-ransomware operators to build these Trojans and perfect them in time. The less profit they make, the lower their interest in developing crypto-ransomware.



Howard Solomon