RV_ Posted November 10, 2015

Excerpt: "Attackers are demanding one Bitcoin from web admins to unlock files infected by a new ransomware variant for Linux machines. Admins are facing a variant of Linux malware that encrypts files on infected web servers. But the good news for now is the private key that locks down those files is predictable.

The crypto-ransomware is aimed at Linux system administrators and demands exactly one Bitcoin to restore access to key files. One Bitcoin was worth about $420 last week but is currently $375.

According to Russian antivirus firm Dr Web, which labeled the ransomware Linux.Encoder.1, the files it encrypts suggest the main target is website administrators whose machines have web servers deployed on them. The malware first encrypts directories for home, root, MySQL, nginx, and Apache and then moves on to encrypt files for web apps, backups, Git projects and numerous other files with specific extensions, such as .exe, .apk and .dll.

The company said previous attacks on web servers have exploited a flaw in the Magento content-management system, so that could be how Linux machines are being infected. At the end of October, Magento warned users to install a bundle of patches, which included a fix for a remotely-exploitable bug that gave access to system files in some server configurations. The company said it expected automated attacks on Magento installations following the publication of the issue by the security researcher who reported the bug.

Security vendor BitDefender has also analysed the Linux.Encoder.1 malware and said it was extremely similar to more widespread ransomware for Windows machines, such as CryptoLocker and TorLocker, which have reportedly made tens of millions of dollars for their operators.
However, the makers of this sample made a "million-dollar flaw", namely a predictable RSA key, which allowed the company to create an automated decryption tool available here: http://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/

The company's researchers reverse-engineered the sample and discovered it was not generating secure random keys and IVs. "This is a huge design flaw that allows retrieval of the AES key without having to decrypt it with the RSA public key sold by the Trojan's operator(s)."

Although Linux users are lucky they don't need to pay up to reclaim their files, the ransomware adds to the list of recent attacks on Linux machines, albeit poorly configured ones, whose connectivity is harvested for use in distributed denial of service attacks or spreading malware for Windows."

The whole article is here: http://www.zdnet.com/article/crypto-ransomware-strikes-linux-but-attackers-botch-private-key/?tag=nl.e539&s_cid=e539&ttag=e539&ftag=TRE17cfd61
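The "predictable key" point in the excerpt is worth seeing concretely. The Go program below is an added example: it is not code from the post, the ZDNet article, or either vendor's analysis, and it is not the Trojan's actual routine. It models the class of flaw the excerpt describes (BitDefender's linked writeup traces the predictability to seeding the key generator from the system time at the moment of encryption) by deriving the AES-256 key and CBC IV from Go's non-cryptographic math/rand seeded with a Unix timestamp, standing in for the C library's rand(). It then shows the defender's side: someone holding only the encrypted file and its modification time recovers the seed, the key and the plaintext by searching a small window of timestamps. The sample plaintext, the timestamp, the search window and the "<?php" marker are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"math/rand"
)

// Constructed sample: a small file of the kind found under a web root.
const samplePlaintext = "<?php\n// index.php of a shop front\necho 'hello';\n"

// deriveKeyIV models the weakness: a 32-byte AES key and a 16-byte IV are
// drawn from a non-cryptographic PRNG whose only entropy is a Unix timestamp.
// Anyone who can guess the timestamp regenerates the same key and IV.
// (Hypothetical model of the flaw class, not the Trojan's own code.)
func deriveKeyIV(seed int64) (key, iv []byte) {
	r := rand.New(rand.NewSource(seed))
	key = make([]byte, 32)
	iv = make([]byte, aes.BlockSize)
	r.Read(key) // math/rand's Read never returns an error
	r.Read(iv)
	return key, iv
}

// pkcs7Pad pads to a whole number of AES blocks.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips padding, reporting false when the padding is malformed.
func pkcs7Unpad(b []byte) ([]byte, bool) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, false
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, false
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, false
		}
	}
	return b[:len(b)-n], true
}

// encryptLikeTrojan is the victim side: AES-256-CBC under a key and IV that
// depend only on `seed`, the timestamp at encryption time.
func encryptLikeTrojan(plaintext []byte, seed int64) []byte {
	key, iv := deriveKeyIV(seed)
	block, _ := aes.NewCipher(key) // 32-byte key is always valid
	padded := pkcs7Pad(append([]byte(nil), plaintext...))
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out
}

// decryptWithSeed tries one candidate seed and reports whether the result
// carries valid PKCS#7 padding.
func decryptWithSeed(ct []byte, seed int64) ([]byte, bool) {
	key, iv := deriveKeyIV(seed)
	block, err := aes.NewCipher(key)
	if err != nil || len(ct)%aes.BlockSize != 0 {
		return nil, false
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// recoverSeed is the defender side. `mtime` is the encrypted file's
// modification time, which the file system set moments after the seed was
// taken, so the true seed lies within `window` seconds of it. A candidate is
// accepted only if padding is valid AND the plaintext starts with an expected
// marker: valid padding alone is wrong roughly 1 time in 256 for a random key.
func recoverSeed(ct []byte, mtime, window int64, marker []byte) (int64, []byte, bool) {
	for d := int64(0); d <= window; d++ {
		for _, seed := range []int64{mtime - d, mtime + d} {
			if pt, ok := decryptWithSeed(ct, seed); ok && bytes.HasPrefix(pt, marker) {
				return seed, pt, true
			}
		}
	}
	return 0, nil, false
}

func main() {
	const encTime int64 = 1447142400 // constructed: 2015-11-10 08:00:00 UTC
	ct := encryptLikeTrojan([]byte(samplePlaintext), encTime)
	mtime := encTime + 3 // the file was written a few seconds after seeding
	seed, pt, ok := recoverSeed(ct, mtime, 60, []byte("<?php"))
	fmt.Printf("recovered=%v seed=%d plaintext_matches=%v\n", ok, seed, string(pt) == samplePlaintext)
}
```

The search space here is tiny because the only secret is a timestamp the file system hands to the defender; that is what makes a decryption tool possible without the attacker's RSA private key. The corresponding fix on the attacker's side would have been to read the key and IV from a cryptographic source (crypto/rand in Go, /dev/urandom in C) so that no file metadata constrains them, and the defensive lesson is the same in reverse: when auditing your own software, treat any key derived from time, PIDs or a non-cryptographic PRNG as already disclosed.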