Menu
First Linux ransomware program cracked, for now

First Linux ransomware program cracked, for now

The creators of the Linux.Encoder.1 ransomware program made errors when implementing encryption algorithms

Administrators of Web servers that were infected with a recently released ransomware program for Linux are in luck: There's now a free tool that can decrypt their files.

The tool was created by malware researchers from antivirus firm Bitdefender, who found a major flaw in how the Linux.Encoder.1 ransomware uses encryption.

The program makes files unreadable by using the Advanced Encryption Standard (AES), which uses the same key for both the encryption and decryption operations. The AES key is then encrypted too by using RSA, an asymmetric encryption algorithm.

The RSA algorithm uses a public and private key pair instead of a single key. The public key is used to encrypt data and the private key is used to decrypt it. In the case of Linux.Encoder.1, the RSA public-private key pair is generated on the attackers' servers and only the public key is sent to infected systems and used to encrypt the AES key.

If implemented correctly this process would make it impossible for anyone to decrypt the files without the RSA private key retained by the attackers. However, the Bitdefender researchers discovered that when it generates the AES keys, the malicious program uses a weak source of random data -- the time and date at the moment of encryption.

This time stamp is easy to determine by looking at when the AES key files were created on disk. Therefore, researchers are able to reverse the process and recover the AES keys without needing to decrypt them, making the RSA public and private keys pointless.

The tool created and released by Bitdefender is a script written in Python that determines the initialization vectors and AES encryption keys by analyzing the files encrypted by the ransomware program. It then decrypts the files and fixes their permissions on the system.

"If you can boot your compromised operating system, download the script and run it under the root user," the Bitdefender researchers said in a blog post that also contains detailed instructions on how to use the tool.

This is not the first time ransomware authors have made errors in their implementation of encryption algorithms, allowing researchers to recover affected files. However, based on past incidents, once these errors become known, they get fixed in new versions of the malware programs.

It's safe to assume that we'll soon see a new Linux.Encoder variant that doesn't make the same mistake, or entirely new ransomware programs that target Linux systems. Mac OS X is not immune to this type of threat either, as a security researcher recently demonstrated with a proof of concept.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Slideshows

IN PICTURES: Ingram Micro Innovation hits Auckland with Hewlett Packard Enterprise

IN PICTURES: Ingram Micro Innovation hits Auckland with Hewlett Packard Enterprise

Ingram Micro completed its nationwide roadshow in Auckland last month, kicking off its Innovation Hour series with Hewlett Packard Enterprise. Uncovering the latest in storage, networking and servers, the event outlined key market trends for resellers in 2016 and beyond.

IN PICTURES: Ingram Micro Innovation hits Auckland with Hewlett Packard Enterprise
IN PICTURES: FireEye celebrates channel at 2016 Partner Conference

IN PICTURES: FireEye celebrates channel at 2016 Partner Conference

FireEye welcomed 143 channel partners and distributors to FireEye's 2016 annual Partner Conference, FireEye A/NZ Momentum - held at Establishment in Sydney. Delegates heard from senior trans-Tasman channel leaders, marketing and the product divisions in the morning, with FireEye customers, incident responders and threat intelligence analysts sharing knowledge during the afternoon.

IN PICTURES: FireEye celebrates channel at 2016 Partner Conference
​IN PICTURES: Disruption in the data centre - Can the Kiwi channel capitalise?​

​IN PICTURES: Disruption in the data centre - Can the Kiwi channel capitalise?​

With New Zealand businesses now open to innovation, the industry sits on the cusp of significant disruption in the data centre. Driven by software-defined networking, the future of the data centre is fast becoming reality, as the channel seeks to keep up, keep innovating and keep growing. APC by Schneider Electric, Lenovo and key partners outlined how the channel can capitalise at The Grill restaurant in Auckland.

​IN PICTURES: Disruption in the data centre - Can the Kiwi channel capitalise?​
Show Comments