Seeking new attack surfaces other than personal PCs and enterprise networks, ransomware publishers have now come to target web servers.

Linux Ransomware Discovery

Doctor Web, a well-known Russian security software vendor, was the first to spot and report a fully functional ransom Trojan for Linux-based systems. Dubbed Linux.Encoder.1, this sample exhibits behaviour very similar to that of the infamous CryptoWall. VirusTotal results show that almost half of the popular antivirus engines fail to detect this sample, the first of its kind in the Linux realm. The ransomware was found to focus primarily on compromising machines with web servers deployed on them.

Infection Methods

It’s not 100% clear at this point how the infection is installed on servers. In a number of cases, the Linux.Encoder.1 authors have reportedly exploited unpatched vulnerabilities in WordPress via third-party plugins, in shopping cart solutions, and in eBay’s Magento CMS. According to search results obtained through the respective Google query, about 3000 websites had been hit by this malady as of November 15, 2015. The Trojan poses a considerable risk to the owners of Internet resources because lots of widely used CMS solutions have unpatched vulnerabilities. Furthermore, some website administrators neglect regular CMS updates, which tend to be critical as far as security goes.

Linux Ransomware Behaviour

Once executed, the infection downloads files containing ransom notes and a file with the path to a public RSA key. In the attack workflow, this key is used to protect the AES keys that are leveraged for the file encryption proper. The trojan then launches as a daemon and erases the original files spotted on the machine.

The items that are subject to encryption at the first stage of the Linux.Encoder.1 assault include files inside home directories as well as directories related to website administration. The ransomware then repeatedly walks the entire file system, first starting with the directory it is launched from and the next time starting with the root directory (“/”). The trojan applies crypto to predefined file formats only, with an additional criterion that the directory name must start with a specified string.

Linux.Encoder.1 is executed with www-data privileges, the same set Apache runs with, so it can encrypt all objects stored in directories that the attacked user has write access to. Essentially, this means the ransomware has sufficient permissions to encrypt CMS files and components. It’s quite possible that the infection may obtain even broader privileges, in which case its impact will extend beyond the web server directory proper. Linux.Encoder.1 may encrypt the site administrator’s home directory, the MySQL server directory, the logs directory and the web directories of the Apache and Nginx web servers, as well as documents, applications, source code and media files.

Compared to personal computers or machines on a business network, maintaining data backups is a more common practice on web servers. To circumvent this obstacle, though, the Trojan detects and hits directories and archives containing the word Backup. It’s therefore strongly recommended to back up the data to a remote server or offline storage on a regular basis.

Files that have been encrypted get the .encrypted extension appended. As part of its routine, the ransomware also creates a file called README_FOR_DECRYPT.txt in every directory holding encrypted information. This file instructs the infected user on further action to get their data restored: a ransom amounting to 1 BTC is to be paid to a specified Bitcoin address.
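The two on-disk indicators named above lend themselves to a quick triage scan. The following is an added example, not code from Doctor Web or Bitdefender; the function names and the sample tree (paths and time stamps) are constructed for illustration.

```python
import os
import tempfile

NOTE_NAME = "README_FOR_DECRYPT.txt"  # ransom note name given in the article
ENC_SUFFIX = ".encrypted"             # extension given in the article


def triage(root):
    """Summarise both indicators for every affected directory under root."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):  # does not follow symlinks
        enc = [f for f in files if f.endswith(ENC_SUFFIX)]
        has_note = NOTE_NAME in files
        if not enc and not has_note:
            continue
        mtimes = [os.lstat(os.path.join(dirpath, f)).st_mtime for f in enc]
        report[os.path.relpath(dirpath, root)] = {
            "encrypted": len(enc),
            "intact": len(files) - len(enc) - int(has_note),
            "note": has_note,
            # earliest modification time, useful for building a timeline
            "first_mtime": int(min(mtimes)) if mtimes else None,
        }
    return report


def build_sample_tree(root):
    """Constructed sample: one affected directory and one clean directory."""
    hit = os.path.join(root, "var", "www", "shop")
    clean = os.path.join(root, "srv", "static")
    os.makedirs(hit)
    os.makedirs(clean)
    samples = (
        ("index.php.encrypted", 1447581000),
        ("config.php.encrypted", 1447581003),
        (NOTE_NAME, 1447581004),
        ("robots.txt", 1400000000),
    )
    for name, mtime in samples:
        path = os.path.join(hit, name)
        open(path, "w").close()
        os.utime(path, (mtime, mtime))
    open(os.path.join(clean, "logo.svg"), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for directory, info in triage(tmp).items():
            print(directory, info)
```

Directories that report intact files alongside encrypted ones show where the file-format filter described earlier left data untouched.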

Defeating The Threat

The good news is the ransomware targeting Linux servers has been defeated due to the commendable effort of security professionals just several days after its existence was made public. As it turned out, creators of the Linux.Encoder.1 ransomware program made errors when implementing encryption algorithms.

Researchers from antivirus company Bitdefender found a major flaw in how this ransomware implements encryption. “We looked into the way the (AES) key and initialization vector are generated by reverse-engineering the Linux.Encoder.1 sample in our lab,” crypto expert Radu Caragea says.

The program renders files inaccessible by leveraging the Advanced Encryption Standard (AES), a symmetric cipher that uses the same key for both the encryption and decryption routine. The AES key subsequently undergoes encryption as well, using RSA, which is an asymmetric crypto standard. RSA uses a public and private key pair instead of a single key, where the public key is used to encrypt data and the private key is used to decrypt it.

In the framework of the Linux.Encoder.1 attack, this public-private key pair is generated on the criminals’ server and it’s only the public key that’s sent to contaminated machines and used for encrypting the AES key. Ideally, this approach ensures infeasibility of data decryption unless the RSA private key is available.

Thankfully, Bitdefender experts discovered that the ransomware relies on a ridiculously primitive technique for generating AES keys, using the time and date at the point the files were encrypted. Retrieving the time stamp isn’t much of a problem: it suffices to see when the AES key files were added. Decrypting the AES keys is hence not necessary, since they can be recovered by looking up the time-related metadata. In these circumstances, the RSA key pair makes no sense in terms of preventing file recovery. This nontrivial shortcoming in the fraudsters’ implementation turns the whole extortion story into a fail.
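The class of flaw described above can be shown with a toy model. This is an added example, not Bitdefender's tool and not the malware's actual routine: it assumes the key comes from a PRNG seeded with the Unix time, uses a SHA-256 keystream as a stand-in for AES, and all function names and sample values are constructed.

```python
import hashlib
import random
import secrets


def keystream_xor(key, data):
    """Toy stream cipher (SHA-256 in counter mode), a stand-in for AES."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def weak_key(timestamp):
    """Flawed pattern (assumed model): the clock is the only secret input."""
    rng = random.Random(timestamp)
    return bytes(rng.getrandbits(8) for _ in range(16))


def strong_key():
    """Correct pattern: key material from the operating system's CSPRNG."""
    return secrets.token_bytes(16)


def recover_key(ciphertext, mtime, known_prefix, window=3600):
    """Try every seed near the file's mtime; confirm via a known file header."""
    head = ciphertext[:len(known_prefix)]
    for delta in range(window + 1):
        for ts in (mtime - delta, mtime + delta):
            key = weak_key(ts)
            if keystream_xor(key, head) == known_prefix:
                return ts, key
    return None


if __name__ == "__main__":
    plain = b"<?php echo 'shop'; ?>"   # constructed sample file content
    seed_time = 1447581000             # constructed moment of key generation
    observed_mtime = seed_time + 2     # file written two seconds later
    locked = keystream_xor(weak_key(seed_time), plain)
    ts, key = recover_key(locked, observed_mtime, b"<?php")
    print("seed found:", ts, "->", keystream_xor(key, locked))
    unrelated = keystream_xor(strong_key(), plain)
    print("CSPRNG key:", recover_key(unrelated, observed_mtime, b"<?php", 120))
```

The search space is a few thousand candidate seeds rather than 2^128 keys, which is why wrapping such a key with RSA adds nothing.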

The Bitdefender team created a tool to help decrypt files. They came up with a Python script that analyzes encrypted objects and automatically retrieves the AES keys, which makes it possible to decode the data. The tool reportedly does not work in some cases, though. These scenarios involve repeated contamination on the same machine, where the trojan was executed more than once. This unfortunate occurrence could result in even the .txt ransom notes getting encrypted.

The weak encryption technique used by Linux.Encoder.1 publishers is the exception rather than the rule. Cybercrime actors operating in this shady business tend to be extremely meticulous with regard to how encryption keys are generated.

Prevention Tips

Although ransomware makers have made similar mistakes with crypto algorithms in the past, these flaws usually get addressed in updated variants of the trojans. To avoid the worst-case scenario, researchers recommend backing up data using local, on-site backup drives as well as remote (web-based) backup services. Another tip is to regularly update Magento, WordPress and third-party CMS applications, since vulnerable versions can be used for remote code execution. Verifying email sources can also help keep dangerous payloads away.

At the end of the day, some disturbing contemplations spring to mind: first computers, now servers, what’s next – TV, cars, airplanes, critical infrastructure?