Bitdefender has discovered that a third iteration of the Linux Encoder ransomware is targeting vulnerable servers worldwide. Currently, more than 600 servers have been infected with the ransomware, which is similar in behaviour to CryptoWall and TorLocker. The good news is that Bitdefender’s decryption tool can decrypt all files held at ransom for free.
November 2015 saw the emergence of Linux.Encoder.1, the first piece of ransomware to target vulnerable Linux web servers. A programming flaw allowed Bitdefender researchers to obtain the decryption key and provide victims with a free recovery utility.
“As we expected, the creators of Linux.Encoder have fixed their previous bugs and created a new and improved variant. Luckily for the victims, the new variant of Linux.Encoder is still vulnerable to key recovery attacks,” states Catalin Cosoi, Chief Security Strategist at Bitdefender. “The old version of the Linux.Encoder ransomware used to generate a 16-byte initialisation vector and a 16-byte AES key by calling the rand() function. The initial seed to the RNG was taken from the current timestamp, which was actually very close to the modification time of the file after encryption.”
Catalin Cosoi continues, “When we documented the flawed approach to generating IVs and keys in the previous versions, the Twitter community ridiculed the developers by suggesting wild improvements to the ransomware’s functionality. Apparently, the operators actually took note of these recommendations; as a result, the IV is now generated from a hash of the file size and the filename – 32 bytes from rand() are hashed 8 times and used as the AES-256 key.”
The flaw that has allowed Bitdefender to break into the new Linux.Encoder ransomware resides in the way the attackers are hashing the random bytes to produce the AES-256 key. The hackers have failed to select a hashing algorithm, so the output of the hashing function is unchanged. This means that all calls to the Update and Finish primitives are ineffective. As a result, the full AES key is now written to the encrypted file, which makes its recovery a simple process.
For those who have been affected by the new version of this ransomware, downloading and running the decryption utility tool, provided by Bitdefender, will help users to retrieve locked files. It is important that users make sure all vulnerable platforms are up-to-date to pre-empt this type of attack. It may not be long until hackers create a working version of the ransomware that won’t be as simple to decrypt.
|