Menu
First Linux ransomware program cracked, for now

First Linux ransomware program cracked, for now

The creators of the Linux.Encoder.1 ransomware program made errors when implementing encryption algorithms

Administrators of Web servers that were infected with a recently released ransomware program for Linux are in luck: There's now a free tool that can decrypt their files.

The tool was created by malware researchers from antivirus firm Bitdefender, who found a major flaw in how the Linux.Encoder.1 ransomware uses encryption.

The program makes files unreadable by using the Advanced Encryption Standard (AES), which uses the same key for both the encryption and decryption operations. The AES key is then encrypted too by using RSA, an asymmetric encryption algorithm.

The RSA algorithm uses a public and private key pair instead of a single key. The public key is used to encrypt data and the private key is used to decrypt it. In the case of Linux.Encoder.1, the RSA public-private key pair is generated on the attackers' servers and only the public key is sent to infected systems and used to encrypt the AES key.

If implemented correctly this process would make it impossible for anyone to decrypt the files without the RSA private key retained by the attackers. However, the Bitdefender researchers discovered that when it generates the AES keys, the malicious program uses a weak source of random data -- the time and date at the moment of encryption.

This time stamp is easy to determine by looking at when the AES key files were created on disk. Therefore, researchers are able to reverse the process and recover the AES keys without needing to decrypt them, making the RSA public and private keys pointless.

The tool created and released by Bitdefender is a script written in Python that determines the initialization vectors and AES encryption keys by analyzing the files encrypted by the ransomware program. It then decrypts the files and fixes their permissions on the system.

"If you can boot your compromised operating system, download the script and run it under the root user," the Bitdefender researchers said in a blog post that also contains detailed instructions on how to use the tool.

This is not the first time ransomware authors have made errors in their implementation of encryption algorithms, allowing researchers to recover affected files. However, based on past incidents, once these errors become known, they get fixed in new versions of the malware programs.

It's safe to assume that we'll soon see a new Linux.Encoder variant that doesn't make the same mistake, or entirely new ransomware programs that target Linux systems. Mac OS X is not immune to this type of threat either, as a security researcher recently demonstrated with a proof of concept.

Subscribe here for up-to-date channel news

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Featured

Slideshows

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards

Revealed at a glitzy bash in Sydney at the Ivy Penthouse, the first StorageCraft Partner Awards locally saw the vendor honour its top-performing partners with ASI Solutions, SMBiT Pro, Webroot, ACA Pacific and Soft Solutions New Zealand taking home the top awards. Photos by Maria Stefina.

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards
Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip

Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip

​Synnex and Lenovo hosted 18 resellers for an action-packed weekend adventure in RotoVegas, taking in white water rafting on the Kaituna River, as well as quad biking and dinner at Stratosfare​, overlooking Lake Rotorua at the top of Mount Ngongotaha​. Photos by Synnex.

Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip
Show Comments