There are now three known examples of file-encrypting ransomware for Linux servers, according to a Russian antivirus firm.
Earlier this month Russian security firm Dr. Web discovered what at the time was thought to be the first ransomware threat targeting Linux machines, which encrypted the directories of popular web servers, such as MySQL, Apache and Nginx.
Dubbed Linux.Encoder.1, the malware has been distributed since early November, using strong encryption to prevent web administrators from accessing files that support their website. The malware’s distributors also demanded payment of one Bitcoin to acquire the private key to unlock the affected files.
However, soon after the malware was outed, researchers at rival security firm BitDefender discovered that the ransomware generated predictable encryption keys and so released a tool that allowed victims to regain access to their files without paying up.
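The article says Linux.Encoder.1's keys were predictable but not how they were generated. The following is an added illustration, not the malware's code and not BitDefender's tool: a hypothetical scheme whose key is a function of a timestamp alone, the search that a known file header (here a constructed PHP file) makes possible for a defender recovering their own files, and, beside it, a key drawn from the OS CSPRNG for which no such search window exists.

```python
import hashlib
import os
from typing import Optional, Tuple


def keystream(key: bytes, length: int) -> bytes:
    """Expand a key into a keystream with SHA-256 in counter mode (toy cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XORing data with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def weak_key(seconds: int) -> bytes:
    """Hypothetical predictable scheme: the key depends only on a Unix timestamp."""
    return hashlib.sha256(seconds.to_bytes(8, "big")).digest()


def strong_key() -> bytes:
    """Proper scheme: 256 bits from the OS CSPRNG; there is no window to enumerate."""
    return os.urandom(32)


def recover_weak_key(ciphertext: bytes, known_prefix: bytes, mtime: int,
                     window: int = 3600) -> Optional[Tuple[int, bytes]]:
    """Try every timestamp within `window` seconds of the file's modification time
    and keep the candidate whose decryption reproduces the known file header."""
    for t in range(mtime - window, mtime + window + 1):
        candidate = weak_key(t)
        if xor_crypt(ciphertext[: len(known_prefix)], candidate) == known_prefix:
            return t, candidate
    return None


def demo() -> Tuple[Optional[Tuple[int, bytes]], bytes, Optional[Tuple[int, bytes]]]:
    plaintext = b"<?php echo 'hello'; ?>\n"   # constructed sample web file
    infection_time = 1446336000                # constructed timestamp (seed)
    weak_ct = xor_crypt(plaintext, weak_key(infection_time))
    # mtime is a few minutes after the seed; the window still covers it
    found = recover_weak_key(weak_ct, b"<?php", mtime=infection_time + 900)
    recovered = xor_crypt(weak_ct, found[1]) if found else b""
    strong_ct = xor_crypt(plaintext, strong_key())
    not_found = recover_weak_key(strong_ct, b"<?php", mtime=infection_time + 900)
    return found, recovered, not_found
```

The search costs one hash per candidate, so a one-hour window on either side is a few thousand attempts; the same search against the CSPRNG key returns nothing.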
The first known piece of file-encrypting ransomware for Linux was flawed, though it otherwise shared traits with nastier Windows variants, such as CryptoWall, that aren’t so easy to escape without payment unless remote backups have been made.
Despite the easy fix, Dr. Web later reported that over 2,000 websites had fallen prey to the ransomware, also warning that future versions of the malware would likely resolve the predictable key generation issue. To its surprise, BitDefender also found that in some cases its decryption tool didn’t work.
The reason it didn’t work, as BitDefender reported last week, is that some machines infected by Linux.Encoder.1 were also infected with a very similar file-encrypting ransomware that preceded it and was distributed in August. BitDefender called this Linux.Encoder.0 and, though it did figure out a way to decrypt files affected by it, some files on machines that had been infected twice were completely destroyed.
That isn’t the end of it though. Dr. Web this week revealed it had discovered yet another piece of file-encrypting ransomware targeting Linux web servers, now called Linux.Encoder.2, which was distributed between September and October. In other words, there were actually two distinct Linux crypto-ransomware samples floating around prior to the so-called first, but since the 0 and 1 identifiers had already been used, it opted to call the middle sibling Linux.Encoder.2.
The security firm noted a few differences in Linux.Encoder.2, which taken together with the other two samples, could reveal efforts to evolve the threat.
According to Dr. Web, Linux.Encoder.1 used the OpenSSL library to encrypt files while Linux.Encoder.2 used PolarSSL.
As with the previous two instances, there is a way to unlock files encrypted with the malware. However, unlike BitDefender, which open-sourced its tool, Dr. Web is reserving its own for paying customers.