A new form of crypto-ransomware has emerged that targets users of Linux-based operating systems.
Russian antivirus company Dr. Web has issued an alert noting that, instead of targeting end users with weaponized PDF or Microsoft Word documents that encrypt their files and demand bitcoins, this new breed of ransomware targets the web servers themselves.
The malware infects Linux web servers, for example hosts running the Magento e-commerce platform, and goes after the Apache and MySQL installations behind them.
“Once launched with administrator privileges, the trojan, dubbed Linux.Encoder.1, downloads files containing cybercriminals' demands and a file with the path to a public RSA key,” Dr. Web explained in an analysis. “After that, the malicious program starts as a daemon and deletes the original files. Subsequently, the RSA key is used to store AES keys which will be employed by the trojan to encrypt files on the infected computer.”
First, Linux.Encoder.1 encrypts every file in users' home directories and in directories related to website administration. It then recursively traverses the whole file system, starting from the directory it was launched from, and on a subsequent pass starting from the root directory. On those passes the trojan encrypts only files with particular extensions, and only in directories whose names start with one of the strings chosen by the attackers.
The malware appends the .encrypted extension to every file it encrypts and drops a ransom-demand file into every directory that contains encrypted files; to get the files decrypted, the victim is told to pay a ransom in Bitcoin.
Doctor Web recommends that users whose files have been encrypted contact its technical support with detailed information about the incident and several samples of the encrypted files. For decryption to be possible it is essential that the encrypted files are neither modified nor deleted; otherwise the data may be permanently lost.
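The two behaviours described above, the .encrypted suffix plus a ransom note in every affected directory, and the advice not to touch the encrypted files, suggest a read-only triage script for an affected host. The following is an added example written for this article, not code from Dr. Web or from the malware analysis: it walks a directory tree, inventories every *.encrypted file with its SHA-256 hash, records which directories hold a note, flags directories that hold encrypted files but no note, and can later re-hash the inventory to prove the samples were not altered before being sent to a vendor. The ransom-note filename and the sample directory layout are assumptions constructed for the example, not taken from the page.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Indicators described in the write-up: encrypted files carry a ".encrypted"
# suffix and each directory holding them gets a ransom-demand file. The note's
# filename below is an assumption for this example, not taken from the page;
# replace it with the name actually seen on the host being triaged.
ENCRYPTED_SUFFIX = ".encrypted"
RANSOM_NOTE_NAMES = {"README_FOR_DECRYPT.txt"}


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large artefacts never load into RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_tree(root):
    """Inventory ransomware artefacts under `root` without altering anything.

    Returns a dict with:
      inventory          {path: sha256} for every *.encrypted file (read-only)
      dirs_with_note     directories holding encrypted files and a ransom note
      dirs_without_note  directories holding encrypted files but no note; worth
                         a closer look, since every affected directory should
                         have received one according to the write-up
    """
    inventory = {}
    per_dir = defaultdict(lambda: {"encrypted": 0, "note": False})
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # never follow links; stay inside the scanned tree
            if name.endswith(ENCRYPTED_SUFFIX):
                inventory[path] = sha256_file(path)
                per_dir[dirpath]["encrypted"] += 1
            elif name in RANSOM_NOTE_NAMES:
                per_dir[dirpath]["note"] = True
    with_note = sorted(d for d, s in per_dir.items() if s["encrypted"] and s["note"])
    without_note = sorted(d for d, s in per_dir.items() if s["encrypted"] and not s["note"])
    return {"inventory": inventory,
            "dirs_with_note": with_note,
            "dirs_without_note": without_note}


def verify_inventory(inventory):
    """Re-hash every inventoried file and return those that changed or vanished.

    Run this before handing samples to a vendor: the guidance is that encrypted
    files must not be modified or deleted, and this check proves they were not.
    """
    changed = []
    for path, expected in inventory.items():
        if not os.path.isfile(path) or sha256_file(path) != expected:
            changed.append(path)
    return sorted(changed)


def build_sample_tree():
    """Constructed sample, not a real infection: a few directories laid out the
    way the write-up describes (home directories and web roots hit first)."""
    root = tempfile.mkdtemp(prefix="encoder_triage_")
    layout = {
        "home/alice/notes.txt.encrypted": b"\x00junk",
        "home/alice/README_FOR_DECRYPT.txt": b"pay in bitcoin",
        "var/www/html/index.php.encrypted": b"\x00junk",
        "var/www/html/config.php.encrypted": b"\x00junk",
        "var/www/html/README_FOR_DECRYPT.txt": b"pay in bitcoin",
        "etc/hosts": b"127.0.0.1 localhost\n",      # untouched file
        "tmp/partial.dat.encrypted": b"\x00junk",    # encrypted, but no note
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    report = scan_tree(root)
    print(f"{len(report['inventory'])} encrypted files inventoried")
    print("directories with ransom note:", report["dirs_with_note"])
    print("encrypted files but no note:", report["dirs_without_note"])
    print("changed since inventory:", verify_inventory(report["inventory"]))
```

On a real host, point `scan_tree` at `/` (or at a mounted image of the disk) and keep the returned inventory alongside the samples you send out; a non-empty result from `verify_inventory` later means something touched the files after they were catalogued.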