Ransomware infections have been around for a long time now with the first one recorded back in 1989. Unfortunately, ransomware is on the rise at the moment, and infections like Linux.Encoder.1, Chimera Ransomware, or Tox Ransomware find ways to attack operating systems without any warning. Linux.Encoder.1 is one of the more complex and destructive infections of its kind as it primarily targets servers, not individual machines. As recent research has revealed, this threat targets sites linked to the Linux operating system, which allows cyber criminals behind this infection to cause more damage.
Unfortunately, once executed, the infection encrypts files and demands a ransom. At the moment, this infection demands a ransom of 1 Bitcoin, which is around 380 USD (250 GBP/354 EUR). This virtual currency is quite unstable, and the conversion could be different. Small or big, this ransom is a tool in the hands of devious cyber criminals.
How does Linux Ransomware work?
Linux Ransomware exploits vulnerabilities to perform successful attacks. For example, this infection could inject a malicious code in site plugins. It is also known that this threat can exploit Magento, which is a content management system used for powering e-commerce websites. Although the vulnerability that is used to execute the infection has already been patched, not all sites have received an update yet, which is up to the moderators managing these sites. Once a backdoor is discovered, the infection is loaded into the memory.
Once executed, AES-CBC-128-bit encryption is used to encrypt files, after which Linux Ransomware deletes itself. It appears that this infection targets users’ home directories and the files associated with the sites controlled from the affected systems. We have found that this malicious ransomware is also capable of encrypting .rar, .doc, .exe, .jpg, .pdf, and various other types of files. In every directory containing an encrypted file, the infection drops a text file (README_FOR_DECRYPT.txt) that includes further instructions regarding the decryption process. Users are urged to pay a ransom using Tor services to make the transaction untraceable. If the demands are followed, a private RSA key is used to decrypt files that are locked with the “.ecnrypted” extension.
Can you get rid of Linux.Encoder.1?
There are plenty of clandestine ransomware infections that try to hide their true intentions, which is to get users’ money. Linux Ransomware, on the other hand, is not clandestine in any way. It comes, it attacks, and it demands. Although this makes the situation a lot clearer, this does not make the infection any less grueling. Many website administrators dealing with this ransomware have already chosen to pay the ransom demanded, and that is not surprising, considering that it might be the quickest way to solve the problem. Dr.Web, the company that first discovered Linux.Encoder.1, is currently working on a tool that should help. Other companies are likely to come up with their own solutions as well, and, hopefully, you will be able to get away without paying the enormous ransom.
What to do next?
If you start backing up your servers, you might be able to avoid similar attacks in the future. The problem with backups is that they could be detected by ransomware. If you are disconnected from your backup system at the time when you are not using it, ransomware like Linux.Encoder.1 cannot detect it or attempt to encrypt it. Also, you need to stay on top of all updates and security patches because cyber criminals are quick to discover vulnerabilities and employ them for malicious cyber attacks. Needless to say, reliable protection is important as well, and you should not forget to reinforce it at all times.