New iteration of Linux encoder ransomware discovered

BitDefender UK : 12 January, 2016  (Technical Article)
Bitdefender is offering a free tool to unlock files affected by the latest iteration of the Linux Encoder ransomware

Bitdefender has discovered that a third iteration of the Linux Encoder ransomware is targeting vulnerable servers worldwide. Currently, more than 600 servers have been infected with the ransomware, which is similar in behaviour to CryptoWall and TorLocker. The good news is that Bitdefender’s decryption tool can decrypt all files held at ransom for free.

November 2015 saw the emergence of Linux.Encoder.1, the first piece of ransomware to target vulnerable Linux web servers. A programming flaw allowed Bitdefender researchers to obtain the decryption key and provide victims with a free recovery utility.

“As we expected, the creators of Linux.Encoder have fixed their previous bugs and created a new and improved variant. Luckily for the victims, the new variant of Linux.Encoder is still vulnerable to key recovery attacks,” states Catalin Cosoi, Chief Security Strategist at Bitdefender. “The old version of the Linux.Encoder ransomware used to generate a 16-byte initialisation vector and a 16-byte AES key by calling the rand() function. The initial seed to the RNG was taken from the current timestamp, which was actually very close to the modification time of the file after encryption.”

Catalin Cosoi continues, “When we documented the flawed approach to generating IVs and keys in the previous versions, the Twitter community ridiculed the developers by suggesting wild improvements to the ransomware’s functionality. Apparently, the operators actually took note of these recommendations; as a result, the IV is now generated from a hash of the file size and the filename – 32 bytes from rand() are hashed 8 times and used as the AES-256 key.”

The flaw that allowed Bitdefender to break the new Linux.Encoder ransomware lies in the way the attackers hash the random bytes to produce the AES-256 key. The hackers never select a hashing algorithm for the digest context, so the hashing function returns its input unchanged: every call to the Update and Finish primitives is a no-op. As a result, the full AES key (the raw rand() output) is written into the encrypted file, which makes its recovery a simple process.
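The following added example (not Bitdefender's code or the ransomware's own) models the failure mode just described: the key derivation hashes 32 seed bytes eight times, but if the digest step was never given an algorithm it passes its input straight through, so the "derived" key is identical to the seed bytes that end up stored with the ciphertext. The NoOpDigest class is an assumed stand-in for such an uninitialised digest context, and digest_is_effective is the kind of self-check a defender can run on any key-derivation step to catch it.

```python
import hashlib

SEED_LEN = 32  # 32 bytes of rand() output, as the article describes


class NoOpDigest:
    """Assumed model of a digest context whose algorithm was never selected:
    update() only buffers data and digest() hands it back unchanged."""

    def __init__(self):
        self._buf = b""

    def update(self, data):
        self._buf += data  # appended but never mixed

    def digest(self):
        return self._buf


def derive_key(seed, rounds=8, digest_factory=hashlib.sha256):
    """Hash the seed `rounds` times, feeding each digest into the next.
    With a real hash this yields a 32-byte key unrelated to the seed;
    with NoOpDigest the seed comes back untouched."""
    data = seed
    for _ in range(rounds):
        h = digest_factory()
        h.update(data)
        data = h.digest()
    return data


def digest_is_effective(digest_factory, sample=b"\x00" * SEED_LEN):
    """Defensive self-check for a key-derivation step: one round must be
    deterministic, must change its input, and must return a 32-byte value."""
    out1 = derive_key(sample, 1, digest_factory)
    out2 = derive_key(sample, 1, digest_factory)
    return out1 == out2 and out1 != sample and len(out1) == 32


def key_equals_seed(seed, digest_factory):
    """True when the derivation leaks the seed verbatim as the key."""
    return derive_key(seed, 8, digest_factory) == seed


def run_checks():
    """Compare the broken and the correct derivation on a constructed seed."""
    seed = bytes(range(SEED_LEN))  # constructed stand-in for rand() output
    return {
        "noop_leaks_seed": key_equals_seed(seed, NoOpDigest),
        "noop_passes_selfcheck": digest_is_effective(NoOpDigest),
        "sha256_leaks_seed": key_equals_seed(seed, hashlib.sha256),
        "sha256_passes_selfcheck": digest_is_effective(hashlib.sha256),
    }
```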

For those affected by the new version of this ransomware, downloading and running the decryption utility provided by Bitdefender will retrieve the locked files. It is important that users keep all vulnerable platforms up to date to pre-empt this type of attack. It may not be long until hackers create a working version of the ransomware that is not as simple to decrypt.

   © 2012 ProSecurityZone.com