New Crypto-Ransomware Targets Linux, Hackers Demand Ransom of One Bitcoin

The antivirus software company Doctor Web has published an alert warning users of Linux-based operating systems that their files could be a target of a new type of crypto-ransomware.

Photo: Dr.Web/Pinterest

Photo: Dr.Web/Pinterest

Doctor Web, the antivirus software firm based in Russia, has warned users of Linux operating system that they can become victims of a new breed of crypto-ransomware. Dubbed “Linux.Encoder.1”, the malware infects web servers with a strong encryption and then asks a ransom of one bitcoin, which is now valued at around $500.

“Judging from the directories in which the Trojan encrypts files, one can draw a conclusion that the main target of cybercriminals is website administrators whose machines have web servers deployed on,” Doctor Web stated.

According to the researchers, at least tens of victims have already been affected. However, further attacks on content management systems could significantly boost the number of those attcked by hackers.

In many cases, cybercriminals exploited a vulnerability in the CMS Magento in order to launch attacks on web servers.

“Once launched with administrator privileges, the trojan, dubbed Linux.Encoder.1, downloads files containing cybercriminals’ demands and a file with the path to a public RSA key,” Doctor Web added. “After that, the malicious program starts as a daemon and deletes the original files. Subsequently, the RSA key is used to store AES keys which will be employed by the trojan to encrypt files on the infected computer.”

This form of ransomware seeks for Nginx, MySQL and Apache installations running on targeted systems. The program also looks for the location of webpage content and log directories before infecting other folders, including program libraries, Active Server Pages (.asp) files, Windows executables, SQL, JavaScript, Java and document files. It leaves behind a text file with instructions on how to pay the ransom necessary for recovering their information.

“Compromised files are appended by the malware with the .encrypted extension. Into every directory that contains encrypted files, the Trojan plants a file with a ransom demand – to have their files decrypted, the victim must pay a ransom in the Bitcoin electronic currency.”

After the victim pays a ransom in virtual currency, the malware starts decrypting the files. The company advises people affected by the malware to contact technical support and give all necessary information, including samples of encrypted files. In order to unlock the folder, users should not delete or alter them so that they wouldn’t be lost.

The number of computers infected by ransomware is showing steady growth. A few months earlier, the FBI informed it obtained about 1000 complaints relating to CryptoWall malicious program. The total amount of losses accounted for over $18 million. Notably, that is only those people who reported the cybercrime, while the large number of victim never contacted the FBI.

Share This article

We welcome comments that advance the story directly or with relevant tangential information. We try to block comments that use offensive language, all capital letters or appear to be spam, and we review comments frequently to ensure they meet our standards. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Coinspeaker Ltd.