Game on: two more crypto-ransomware threats for Linux web servers emerge

There are now three known examples of file-encrypting ransomware for Linux servers, according to a Russian antivirus firm.

Earlier this month Russian security firm Dr. Web discovered what at the time was thought to be the first ransomware threat targeting Linux machines. It encrypted the directories used by popular web-server software, such as MySQL, Apache and Nginx.

Dubbed Linux.Encoder.1, the malware has been distributed since early November, using strong encryption to prevent web administrators from accessing files that support their website. The malware’s distributors also demanded payment of one Bitcoin to acquire the private key to unlock the affected files.

However, soon after the malware was outed, researchers at rival security firm BitDefender discovered that the ransomware generated predictable encryption keys and so released a tool that allowed victims to regain access to their files without paying up.

The first known piece of file-encrypting ransomware for Linux was flawed, but it otherwise shared traits with nastier Windows variants, such as CryptoWall, which aren't so easy to escape without payment unless remote backups have been made.

Despite the easy fix, Dr. Web later reported that over 2,000 websites had fallen prey to the ransomware, also warning that future versions of the malware would likely resolve the predictable key generation issue. To its surprise, BitDefender also found that in some cases its decryption tool didn’t work.

The reason it didn't work, as BitDefender reported last week, is that some machines infected by Linux.Encoder.1 were also infected with a very similar file-encrypting ransomware that preceded it and was distributed in August. BitDefender called this Linux.Encoder.0 and, though it did figure out a way to decrypt files affected by it, some files on machines that had been infected twice were completely destroyed.

That isn't the end of it, though. Dr. Web this week revealed it had discovered yet another piece of file-encrypting ransomware targeting Linux web servers, now called Linux.Encoder.2, which was distributed between September and October. In other words, there were actually two distinct Linux crypto-ransomware samples floating around prior to the so-called first, but since the 0 and 1 identifiers had already been used, it opted to call the middle sibling Linux.Encoder.2.

The security firm noted a few differences in Linux.Encoder.2 which, taken together with the other two samples, could reveal efforts to evolve the threat.

According to Dr. Web, Linux.Encoder.1 used the OpenSSL library to encrypt files while Linux.Encoder.2 used PolarSSL.

As with the previous two instances, there is a way to unlock files encrypted with the malware. However, unlike BitDefender, which open-sourced its tool, Dr. Web is reserving its tool for paying customers.

Stories by Liam Tung